The AI Governance Dashboard You Can Build in a Spreadsheet (in 30 Minutes)

By Gabriel Tan | May 2026

When a client asks "show me your AI governance," what do you open?

If the answer is nothing, or a policy document buried in a shared drive that nobody has looked at in six months, you have a visibility problem. The governance work may exist. But if you cannot show it in 30 seconds, it does not land the way it should.

You do not need enterprise governance software. A shared spreadsheet with five tabs covers 80% of what ISO/IEC 42001 (the international standard for AI management systems) expects from a firm your size. Thirty minutes to set up. One place to point to when the question comes.

Why a spreadsheet is enough

ISO 42001 is built on a cycle called Plan-Do-Check-Act, or PDCA. It is the same operating rhythm used in ISO 9001 (quality management) and ISO 27001 (information security). The idea is simple. Plan your policies and structures. Do the work. Check whether it is working. Act to improve what is not.

For a firm of 10 to 50 people, that cycle does not require software. It requires a visible record that you planned, you are doing, you are checking, and you are improving. A spreadsheet does that.

The NIST AI Risk Management Framework aligns with this approach through its four functions: Govern, Map, Measure, and Manage. Both frameworks describe the same discipline. PDCA gives you the operating rhythm. The spreadsheet below uses PDCA as the backbone because it tells you not just what to track, but how to keep it alive over time.

The five tabs are ordered by how often your team updates them, from most frequent to least frequent. In a client conversation, you walk through them in PDCA order. Both logics work because the tabs carry labels showing which part of the cycle they belong to.

Five tabs, ordered by use

Tab 1: Client data log (Do). This is the tab your team opens most. Every week, each consultant logs what AI tools they used on client work. Which client, which tool, what type of data went in, who reviewed the output.

Columns: Week ending. Client name. Tool used. Data type entered (public, confidential, restricted). Person who entered it. Reviewer who checked the output.

This tab is your evidence that data classification is working. When a client asks "what data of ours has gone into AI tools," you can answer with specifics. When an auditor asks, you have a record. Updated weekly.

Tab 2: Tool inventory (Plan). This is your foundation. It defines what AI tools are approved, what account tier each runs on, and whether a Data Processing Addendum (DPA) is signed with the vendor.

Columns: Tool name. Vendor. Account tier (free, pro, enterprise). DPA signed (yes/no). Who uses it. What client work it touches. Date last reviewed.

Populate this from the audit in Post 1 of this series. If you have not done that audit yet, this tab is where you start. Thirty minutes, one shared sheet, ask your team what they actually use. Updated quarterly or when a new tool is introduced.

Tab 3: Review schedule (Check). When does each piece of your governance get reviewed? This tab ensures nothing goes stale without someone noticing.

Columns: Item (policy, tool inventory, data classification, incident protocol). Last reviewed. Next review due. Owner. Status (current, due, overdue).

This tab turns governance from a one-time exercise into an ongoing system. ISO 42001 requires that AI governance is reviewed and improved over time. This tab is how you prove it. Updated monthly.

Tab 4: Training tracker (Plan). Who on your team has completed AI literacy training, and when?

Columns: Name. Role. Training completed (yes/no). Date completed. Next refresher due.

The EU AI Act's AI literacy obligation took effect on 2 February 2025. If your firm has EU-listed clients or a London office, you need a record of who has been trained. This tab is that record. Updated when someone joins or completes a refresher.

Tab 5: Incident register (Act). When something goes wrong with AI, what happened and what did you do about it?

Columns: Date. Description. Severity (low, medium, high). Tool involved. Client affected. Action taken. Resolved (yes/no). Date resolved.

Most firms will have zero entries here for months. That is fine. The tab exists so that when something does happen, you have a place to record it and a process to follow. The absence of incidents is itself a governance data point. When an incident does occur, the "action taken" column is where you identify the gap and fix it. Updated only when needed.

The review cadence

Not every tab needs the same attention. Here is the rhythm.

Weekly: Tab 1 (client data log). Your team logs their AI use at the end of each week.

Monthly: Tab 3 (review schedule). Is everything current? Is any review overdue?

Quarterly: Tab 2 (tool inventory) and Tab 4 (training tracker). Has anyone started using a new tool? Has a new team member joined who needs training?

Annually: full review of all five tabs plus the AI use policy itself. This is the ISO 42001 management review. Plan again with what you learned from doing, checking, and acting over the past year.
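As an added example (not from the original post), assuming the tabs are exported as CSV with the column headers listed above, this Python cross-checks Tab 1 against Tab 2 and fills in the Tab 3 status column, so the monthly check flags stale reviews and unapproved or un-reviewed tool use without reading every row by hand. The sample rows, tool names and vendors are constructed.

```python
import csv
from datetime import date

# Constructed sample rows in the column layout of Tabs 2, 1 and 3 (not real client data).
TOOL_INVENTORY = """tool,vendor,tier,dpa_signed
DraftBot,VendorA,enterprise,yes
GrammarFix,VendorB,free,no
"""
CLIENT_DATA_LOG = """week_ending,client,tool,data_type,entered_by,reviewer
2026-05-08,Acme,DraftBot,confidential,Ana,Ben
2026-05-08,Acme,GrammarFix,confidential,Cal,
2026-05-08,Orbit,TranscribeX,restricted,Dee,Eli
"""
REVIEW_SCHEDULE = """item,last_reviewed,next_due,owner
AI use policy,2025-05-01,2026-05-01,Gabriel
Tool inventory,2026-03-15,2026-06-15,Gabriel
Training tracker,2026-04-01,2026-09-01,Gabriel
"""

def rows(text):
    return list(csv.DictReader(text.splitlines()))

def check_data_log(log_text, inventory_text):
    """Cross-check Tab 1 against Tab 2: every logged tool must be in the approved inventory,
    confidential/restricted data may only go to a non-free tier with a signed DPA, and every
    entry needs a reviewer. Returns one string per finding, in log order."""
    inventory = {r["tool"]: r for r in rows(inventory_text)}
    findings = []
    for r in rows(log_text):
        tool = inventory.get(r["tool"])
        where = f"{r['week_ending']} {r['client']}/{r['tool']}"
        if tool is None:
            findings.append(f"{where}: tool not in approved inventory")
        elif r["data_type"] in ("confidential", "restricted") and (
                tool["dpa_signed"] != "yes" or tool["tier"] == "free"):
            findings.append(f"{where}: {r['data_type']} data into tool without DPA/enterprise tier")
        if not r["reviewer"]:
            findings.append(f"{where}: output not reviewed")
    return findings

def review_status(next_due, today, warn_days=30):
    """Tab 3 status column: overdue past the due date, due within warn_days, else current."""
    days_left = (date.fromisoformat(next_due) - date.fromisoformat(today)).days
    if days_left < 0:
        return "overdue"
    return "due" if days_left <= warn_days else "current"

def schedule_report(schedule_text, today):
    """Status for every row of Tab 3, keyed by item."""
    return {r["item"]: review_status(r["next_due"], today) for r in rows(schedule_text)}
```

Run it at the monthly check with today's date; any finding from `check_data_log` is a candidate entry for Tab 5, and any "overdue" item is what the review schedule exists to catch.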

How to use it in a client conversation

When a governance-conscious client asks about your AI controls, you do not need to hand them a 40-page document. You open the spreadsheet and walk them through it using the PDCA cycle.

"We follow the Plan-Do-Check-Act cycle from ISO 42001 to govern our AI use. Let me show you how it works for your account.

Plan: here is our approved tool inventory. These are the tools we are authorised to use on your work, all running on enterprise accounts with signed data processing agreements. And here is our training record showing every team member on your account has completed AI literacy training.

Do: here is our client data log. It shows what tools touched your work, what type of data went in, and who reviewed the output. We update this weekly.

Check: here is our review schedule. It shows when we last reviewed each part of our governance and when the next review is due. Everything is current.

Act: here is our incident register. Currently clean. If anything ever goes wrong, this is where we record it, resolve it, and document what we changed to prevent it from happening again."

That takes 90 seconds. It answers the client's question with visible evidence, not promises. It shows a cycle, not a policy collecting dust.

What to do this week

Create the spreadsheet. Five tabs. Copy the column headers from above. Share it with whoever owns governance at your firm, even if that person is you.

Populate Tab 2 (tool inventory) from the audit. If you have not done the audit, do it now. Thirty minutes.

Set your first review date in Tab 3.

The spreadsheet is not the governance. The policy, the data classification, the training, the incident protocol are the governance. The spreadsheet is the visible proof that the cycle is running. Plan, do, check, act. Repeat.

Gabriel Tan is the founder of Mekong Bridge Advisory. He builds structured execution systems for PR and communications firms.

info@mekongbridge.com | www.mekongbridge.com
