Free Ethical AI Toolkit — ManchesterHumans

AI Ethics Assistant Prompt

Upload this page to your LLM, then copy and paste this prompt. The AI will read all 10 document templates from the file and walk you through filling them in.

You are an AI Ethics & Compliance Officer working for the user's organisation. Your role is to walk them through setting up responsible, ethical AI governance from scratch — or auditing what they already have.

The user has uploaded an HTML file (the ManchesterHumans Ethical AI Toolkit) containing 10 compliance document templates. You MUST read and reference the actual templates from that file when helping the user. Each template contains specific fields, tables, and checklists — use those exact structures when generating filled-in documents.

PERSONALITY:
- Warm, practical, and direct. British English.
- No jargon unless you explain it. No waffle.
- Think of yourself as a helpful colleague, not a regulator.
- Be encouraging — ethical AI is achievable, not overwhelming.

YOUR TOOLKIT — 10 DOCUMENTS (from the uploaded file):
You will help the user create or review these 10 documents. Reference them by name. Use the exact template structure from the uploaded HTML file when generating filled-in versions.

1. AI POLICY — The organisation's overarching AI governance policy. Covers purpose, scope, principles, roles, accountability, and review cycle.

2. AI REGISTER — An inventory of every AI system in use. Logs name, purpose, data inputs, risk level, owner, deployment status, and review date.

3. RISK REGISTER — AI-specific risk assessment. Each risk has an ID, description, likelihood (1-5), impact (1-5), risk score, mitigations, owner, and review date.

4. USE CASE WORKSHEET — Per-project evaluation completed before deploying any AI system. Covers business need, data sources, affected stakeholders, fairness checks, human oversight plan, and sign-off.

5. BIAS AUDIT CHECKLIST — Step-by-step checklist for identifying and mitigating bias in training data, model outputs, and deployment context.

6. MODEL CARD — Documentation for each AI model: capabilities, limitations, training data, intended use, out-of-scope use, ethical considerations, and performance metrics.

7. IMPACT ASSESSMENT — Evaluates social, economic, and environmental impact before deployment. Covers affected groups, potential harms, benefits, and mitigation plans.

8. TRANSPARENCY PROTOCOL — How to communicate AI usage to users, regulators, and communities. Covers disclosure requirements, plain-language explanations, and opt-out mechanisms.

9. DATA GOVERNANCE PLAYBOOK — Data collection, consent, anonymisation, retention, access controls, and GDPR/regulatory alignment.

10. AI INCIDENT RESPONSE PLAN — What to do when AI goes wrong. Covers detection, escalation, containment, communication, root cause analysis, and prevention.

WORKFLOW:
1. Start by asking what the user's organisation does, roughly how many people work there, and whether they currently use any AI systems.
2. Based on their answer, assess their current maturity level (Starting Out / In Progress / Advanced) and tell them.
3. Walk through each document ONE AT A TIME. For each:
a. Explain what it is and why they need it (2-3 sentences)
b. Ask the specific questions needed to fill it in
c. When you have enough info, generate the completed document in a clean, copy-pasteable format
d. Ask if they want to revise anything before moving on
4. After all documents, provide a summary of:
- Their overall compliance posture
- Top 3 priority actions
- Recommended review schedule
5. Offer to deep-dive into any specific area they're concerned about.

RULES:
- Always ask ONE question at a time. Never overwhelm with multiple questions.
- If the user seems unsure, give them sensible defaults they can adopt (e.g., "Most organisations your size review quarterly — shall we go with that?")
- Flag genuine risks clearly but without being alarmist.
- If something is legally specific (GDPR fines, sector regulations), note that they should verify with legal counsel.
- Generate documents in clean markdown format with tables where appropriate.
- The user can skip any document — that's fine, note it and move on.
- If they already have a document, offer to review it rather than creating from scratch.

IMPORTANT CONTEXT:
- This toolkit is provided free by ManchesterHumans (manchesterhumans.com)
- It's designed to be practical and actionable, not theoretical
- It aligns with the EU AI Act, UK AI governance framework, and GDPR
- For complex enterprise needs, recommend contacting [email protected]

Start by introducing yourself warmly, explaining what you'll help them do, and asking your first question.

Browse the Document Templates

Download the file, upload it to your LLM alongside the prompt above, and it will use the templates to generate your documents.

10 Compliance Documents

Each template is ready to use. Copy it, fill in the blanks, and you're compliant. No sign-up. No paywall.

1. AI Policy Organisation-wide governance 2. AI Register Inventory of AI systems 3. Risk Register AI-specific risk assessment 4. Use Case Worksheet Per-project evaluation 5. Bias Audit Checklist Identify & mitigate bias 6. Model Card Template Document your models 7. Impact Assessment Social & environmental impact 8. Transparency Protocol Communicate AI usage 9. Data Governance Playbook Data handling & GDPR 10. Incident Response Plan When AI goes wrong

1. AI Policy

Required

Your organisation's overarching AI governance policy. This is the foundation document — everything else builds on it. Required by the EU AI Act and recommended by the UK's AI governance framework.

AI POLICY — [Organisation Name]

Version: [1.0] | Effective Date: [DD/MM/YYYY] | Review Date: [DD/MM/YYYY] | Owner: [Name, Role]

1. Purpose

This policy establishes the principles, governance structure, and accountability framework for the development, procurement, and deployment of Artificial Intelligence systems at [Organisation Name].

2. Scope

This policy applies to all AI and automated decision-making systems used by [Organisation Name], including but not limited to: machine learning models, large language models, robotic process automation, recommendation engines, and any system that makes or assists decisions affecting individuals or operations.

3. Principles

Fairness: AI systems must not discriminate on the basis of protected characteristics.
Transparency: Users and affected parties must be informed when AI is used in decisions that affect them.
Accountability: Every AI system must have a named human owner responsible for its behaviour.
Safety: AI systems must be tested for harmful outputs before deployment.
Privacy: AI systems must comply with data protection legislation (GDPR/UK GDPR).
Human Oversight: High-risk decisions must include meaningful human review.

4. Roles & Responsibilities

Role	Responsibility	Named Individual
AI Governance Lead	Owns this policy, chairs review meetings, escalation point	[Name]
System Owner	Responsible for each AI system's compliance and performance	[Per system]
Data Protection Officer	Ensures AI data processing complies with GDPR	[Name]
Senior Leadership	Approves high-risk AI deployments, allocates resources	[Name/Team]

5. Risk Classification

Risk Level	Description	Approval Required
Low	Internal tools, no decisions affecting individuals	System Owner
Medium	Customer-facing, assists decisions but human makes final call	AI Governance Lead
High	Autonomous decisions affecting individuals' rights, safety, or finances	Senior Leadership + DPO

6. Procurement & Development

All new AI systems (built or bought) must complete a Use Case Worksheet and Impact Assessment before deployment. Third-party AI vendors must demonstrate compliance with this policy's principles.

7. Monitoring & Review

This policy is reviewed [quarterly / biannually / annually]. The AI Register is reviewed monthly. Incident reports trigger immediate review of relevant sections.

8. Breach & Non-Compliance

Non-compliance with this policy should be reported to [AI Governance Lead / reporting channel]. Breaches will be investigated and may result in system suspension, disciplinary action, or regulatory notification as appropriate.

Approved by: [Name, Title] | Date: [DD/MM/YYYY]

2. AI Register

Required

A living inventory of every AI system your organisation uses. This is how you track what you've got, who owns it, and whether it's been reviewed. Essential for EU AI Act compliance.

AI REGISTER — [Organisation Name]

Last Updated: [DD/MM/YYYY] | Maintained by: [Name, Role]

ID	System Name	Purpose	Type	Data Inputs	Risk Level	Owner	Status	Last Reviewed
AI-001	[e.g. Customer Chatbot]	[e.g. Handle tier-1 support queries]	[LLM / ML / RPA]	[Customer messages, order history]	[Low / Medium / High]	[Name]	[Active / Pilot / Retired]	[DD/MM/YYYY]
AI-002	[System name]	[Purpose]	[Type]	[Data]	[Risk]	[Owner]	[Status]	[Date]
AI-003	[System name]	[Purpose]	[Type]	[Data]	[Risk]	[Owner]	[Status]	[Date]

Notes

Add a new row for every AI system — including third-party tools (e.g. Grammarly, GitHub Copilot, ChatGPT subscriptions)
Review this register monthly and after any new AI deployment
Risk levels: Low = internal only, no individual impact; Medium = customer-facing or assists decisions; High = autonomous decisions affecting rights/safety/finances
Every "High" system requires an Impact Assessment and Model Card

3. Risk Register

Required

AI-specific risk assessment. Each risk is scored by likelihood and impact, with named mitigations and owners. Feeds into your broader organisational risk management.

AI RISK REGISTER — [Organisation Name]

Last Updated: [DD/MM/YYYY] | Owner: [Name, Role]

Risk ID	AI System	Risk Description	Likelihood (1-5)	Impact (1-5)	Score	Mitigations	Owner	Review Date
R-001	[AI-001]	[e.g. Chatbot provides incorrect medical advice]	[3]	[5]	[15]	[Disclaimer, human escalation trigger, topic blocklist]	[Name]	[Date]
R-002	[AI-001]	[e.g. Biased responses to certain demographics]	[2]	[4]	[8]	[Quarterly bias audit, diverse test sets]	[Name]	[Date]
R-003	[System]	[Risk]	[L]	[I]	[S]	[Mitigations]	[Owner]	[Date]

Risk Scoring Matrix

	Impact 1	Impact 2	Impact 3	Impact 4	Impact 5
Likelihood 5	5	10	15	20	25
Likelihood 4	4	8	12	16	20
Likelihood 3	3	6	9	12	15
Likelihood 2	2	4	6	8	10
Likelihood 1	1	2	3	4	5

Green (1-6): Accept & monitor | Amber (7-14): Mitigate & review quarterly | Red (15-25): Urgent action required, escalate to senior leadership

4. Use Case Worksheet

Per Project

Complete this before deploying any AI system. It forces you to think through the business need, data implications, fairness considerations, and human oversight plan.

AI USE CASE WORKSHEET

System Name: [Name] | Date: [DD/MM/YYYY] | Author: [Name, Role]

1. Business Need

[What problem does this AI solve? Why can't it be solved without AI? What's the expected benefit?]

2. System Description

Question	Answer
What type of AI is this?	[LLM / ML classifier / recommendation engine / RPA / other]
Is it built in-house or third-party?	[In-house / Vendor name / Open source]
What decisions does it make or assist?	[Describe]
Who are the end users?	[Staff / Customers / Public]

3. Data

Question	Answer
What data does it use as input?	[Describe data sources]
Does it process personal data?	[Yes / No — if yes, complete DPIA]
Is a lawful basis for processing established?	[Consent / Legitimate interest / Contract / etc.]
Where is data stored and processed?	[UK / EU / US / other]

4. Fairness & Bias

Check	Status
Could this system affect different groups differently?	[Yes / No — if yes, describe]
Has the training data been checked for demographic bias?	[Yes / No / N/A]
Has the system been tested with diverse inputs?	[Yes / No]
Is there a plan for ongoing bias monitoring?	[Describe]

5. Human Oversight

Question	Answer
Is there a human in the loop for decisions?	[Always / For edge cases / Never]
Can a human override the AI's output?	[Yes / No]
Who is the named human responsible?	[Name, Role]
What's the escalation process?	[Describe]

6. Risk Assessment

Risk Level: [Low / Medium / High]

Justification: [Why this risk level?]

Added to Risk Register? [Yes / No — must be Yes for Medium/High]

7. Approval

Role	Name	Approved?	Date
System Owner	[Name]	[Yes/No]	[Date]
AI Governance Lead	[Name]	[Yes/No]	[Date]
DPO (if personal data)	[Name]	[Yes/No]	[Date]

5. Bias Audit Checklist

Checklist

A step-by-step checklist for identifying and mitigating bias. Run this before deployment and at regular intervals after. Covers training data, model outputs, and deployment context.

BIAS AUDIT CHECKLIST

System: [AI System Name] | Auditor: [Name] | Date: [DD/MM/YYYY]

A. Training Data

#	Check	Status
A1	Data sources documented and reviewed	[ ]
A2	Demographic representation analysed	[ ]
A3	Under-represented groups identified	[ ]
A4	Historical bias in source data assessed	[ ]
A5	Data labelling process reviewed for bias	[ ]
A6	Synthetic data or re-sampling used if needed	[ ]

B. Model Outputs

#	Check	Status
B1	Outputs tested across demographic groups	[ ]
B2	Performance metrics disaggregated by group	[ ]
B3	Error rates compared across groups	[ ]
B4	Edge cases and adversarial inputs tested	[ ]
B5	Confidence thresholds reviewed	[ ]

C. Deployment Context

#	Check	Status
C1	Affected populations identified	[ ]
C2	Feedback mechanism exists for affected users	[ ]
C3	Human override available for contested decisions	[ ]
C4	Monitoring plan for post-deployment bias drift	[ ]
C5	Re-audit schedule established	[ ]

Audit Outcome

Result: [Pass / Pass with conditions / Fail]

Required Actions: [List any actions needed before deployment or continued operation]

Next Audit Date: [DD/MM/YYYY]

6. Model Card Template

Per Model

Documents each AI model's capabilities, limitations, intended use, and ethical considerations. Based on the Model Cards for Model Reporting framework (Mitchell et al., 2019).

MODEL CARD — [Model Name]

Version: [v1.0] | Date: [DD/MM/YYYY] | Owner: [Name]

Overview

Field	Details
Model Type	[LLM / Classifier / Regressor / etc.]
Architecture	[e.g. Transformer, GPT-4, Fine-tuned BERT]
Provider	[In-house / OpenAI / Anthropic / etc.]
Training Data	[Describe sources, size, date range]
Fine-tuning Data	[If applicable — describe custom training data]

Intended Use

[What is this model meant to do? What tasks? What users?]

Out-of-Scope Use

[What should this model NOT be used for? List explicitly.]

Limitations

[e.g. May hallucinate facts not in training data]
[e.g. Performance degrades on languages other than English]
[e.g. Not suitable for medical diagnosis]

Performance Metrics

Metric	Value	Evaluated On
[Accuracy / F1 / BLEU / etc.]	[Value]	[Dataset]
[Metric]	[Value]	[Dataset]

Ethical Considerations

Bias risks: [Known biases in the model or training data]
Sensitive use cases: [Any uses that could cause harm]
Mitigations applied: [Guardrails, filters, content policies]

7. Impact Assessment Framework

Per System

Evaluates the social, economic, and environmental impact of an AI system before deployment. Required for High-risk systems under the EU AI Act.

AI IMPACT ASSESSMENT — [System Name]

Assessor: [Name] | Date: [DD/MM/YYYY]

1. Affected Groups

Group	How Affected	Severity
[e.g. Customers]	[Describe impact]	[Low / Medium / High]
[e.g. Employees]	[Describe impact]	[Low / Medium / High]
[e.g. Vulnerable populations]	[Describe impact]	[Low / Medium / High]

2. Potential Benefits

[e.g. Faster response times for customer queries]
[e.g. Reduced cost enabling lower prices]
[e.g. 24/7 availability]

3. Potential Harms

Harm	Who's Affected	Likelihood	Severity	Mitigation
[e.g. Incorrect advice]	[Users]	[Medium]	[High]	[Human review, disclaimers]
[e.g. Job displacement]	[Staff]	[Low]	[Medium]	[Retraining programme]

4. Environmental Impact

Factor	Assessment
Energy consumption of training/inference	[Estimate or "uses third-party API"]
Data centre location & energy source	[If known]
Net environmental effect	[Positive / Neutral / Negative]

5. Overall Assessment

Proceed with deployment? [Yes / Yes with conditions / No]

Conditions: [List any required actions]

Review date: [DD/MM/YYYY]

8. Transparency Protocol

Required

How you communicate AI usage to users, regulators, and communities. Covers disclosure requirements, plain-language explanations, and opt-out mechanisms.

TRANSPARENCY PROTOCOL — [Organisation Name]

Version: [1.0] | Date: [DD/MM/YYYY]

1. Disclosure Requirements

Scenario	Disclosure Required	Method
AI generates content shown to users	Yes	[e.g. "This response was generated with AI assistance" label]
AI assists human decision-making	Yes	[e.g. "An AI system flagged this for review" note]
AI makes fully automated decisions	Yes (GDPR Art. 22)	[e.g. Notification + right to request human review]
AI used in internal processes only	To staff	[e.g. Internal AI register accessible to all staff]

2. Plain-Language Explanations

For each AI system, maintain a plain-language explanation accessible to non-technical users:

What it does: [One sentence describing the system in plain English]
What data it uses: [What information does it look at?]
How it affects you: [What decisions does it influence?]
Who's responsible: [Named contact for questions]
How to challenge a decision: [Process for requesting human review]

3. Opt-Out Mechanisms

AI System	Opt-Out Available?	How to Opt Out	Alternative Provided
[System name]	[Yes / No / Partial]	[Method]	[What happens instead]

4. Regulatory Communication

Regulatory bodies notified: [ICO / sector regulator / none required]

AI Act registration: [Required / Not required / Completed]

Public AI usage statement: [URL or "to be published"]

9. Data Governance Playbook

Required

How you collect, store, process, and protect data used by AI systems. Aligned with GDPR/UK GDPR. Covers consent, anonymisation, retention, and access controls.

DATA GOVERNANCE PLAYBOOK — [Organisation Name]

Version: [1.0] | DPO: [Name] | Date: [DD/MM/YYYY]

1. Data Collection

Principle	Implementation
Purpose limitation	[Data collected only for specified, explicit purposes]
Data minimisation	[Only collect what's necessary for the stated purpose]
Lawful basis	[Document lawful basis for each data processing activity]

2. Consent Management

[ ] Consent is freely given, specific, informed, and unambiguous
[ ] Consent can be withdrawn as easily as it was given
[ ] Consent records are maintained with timestamps
[ ] Children's data has age-appropriate consent mechanisms
[ ] Re-consent obtained when purpose changes

3. Anonymisation & Pseudonymisation

Technique	Used For	Implementation
Pseudonymisation	[e.g. Customer records in training data]	[Method used]
Anonymisation	[e.g. Analytics aggregation]	[Method used]
Differential privacy	[e.g. Model training]	[Method used]

4. Retention & Deletion

Data Type	Retention Period	Deletion Method	Responsible
[e.g. Training data]	[e.g. 2 years]	[Secure deletion]	[Name]
[e.g. User queries]	[e.g. 30 days]	[Auto-purge]	[Name]

5. Access Controls

[ ] Role-based access controls for all AI training data
[ ] Access logged and auditable
[ ] Third-party data processors have Data Processing Agreements
[ ] Cross-border data transfers have appropriate safeguards
[ ] Regular access reviews conducted [quarterly]

6. Data Subject Rights

Process for handling: Access requests (SAR) | Rectification | Erasure | Portability | Objection to automated processing

Response time target: [Within 30 days per GDPR]

Contact: [DPO email / privacy portal URL]

10. AI Incident Response Plan

Required

When AI goes wrong, you need a plan. This covers detection, escalation, containment, communication, root cause analysis, and prevention. Don't wait for an incident to write this.

AI INCIDENT RESPONSE PLAN — [Organisation Name]

Version: [1.0] | Owner: [Name] | Date: [DD/MM/YYYY]

1. What Counts as an AI Incident?

AI system produces harmful, discriminatory, or dangerous output
AI system makes a decision that materially harms an individual
Data breach involving AI training data or outputs
AI system behaves unpredictably or outside expected parameters
Reputational damage caused by AI system output
Regulatory complaint related to AI usage

2. Severity Levels

Level	Description	Response Time	Escalation
Low	Minor error, no external impact, easily corrected	24 hours	System Owner
Medium	User-facing error, potential reputational impact, limited harm	4 hours	AI Governance Lead
High	Significant harm to individuals, regulatory breach, data breach	1 hour	Senior Leadership + DPO + Legal
Critical	Ongoing harm, safety risk, regulatory investigation	Immediate	CEO + Legal + Regulator

3. Response Steps

DETECT: How was the incident identified? [Monitoring alert / User report / Internal review / Media]
CONTAIN: Immediately limit further harm. Options:
- Disable the AI system
- Switch to human-only processing
- Add guardrails/filters
- Restrict access
ASSESS: Determine severity, scope, and affected parties
COMMUNICATE:
- Internal stakeholders: [Who needs to know? Via what channel?]
- Affected individuals: [Within what timeframe?]
- Regulators: [ICO within 72 hours if data breach per GDPR]
- Public/media: [If applicable — via comms team]
INVESTIGATE: Root cause analysis — why did this happen?
REMEDIATE: Fix the root cause, not just the symptom
REVIEW: Update Risk Register, AI Policy, and relevant documents
PREVENT: What changes prevent this from happening again?

4. Contact List

Role	Name	Contact
AI Governance Lead	[Name]	[Phone / Email]
Data Protection Officer	[Name]	[Phone / Email]
Senior Leadership	[Name]	[Phone / Email]
Legal	[Name]	[Phone / Email]
Communications	[Name]	[Phone / Email]
ICO (if data breach)	Information Commissioner's Office	0303 123 1113 / ico.org.uk

5. Incident Log

Date	System	Severity	Description	Actions Taken	Status
[Date]	[System]	[Level]	[What happened]	[What was done]	[Open/Closed]

6. Testing

This plan should be tested via tabletop exercise [annually / biannually]. Last test: [Date]. Next test: [Date].

That's the full toolkit.

Copy the AI Assistant prompt to get started, or grab individual templates above.

Copy the AI Assistant Prompt Back to ManchesterHumans