# RAG Source Audit Template

Use this before uploading documents into a personal, team, or customer-facing RAG system.

| Source | Owner | Audience | Data sensitivity | Current? | Authority | Include? | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| `example-policy.pdf` | Operations | Internal | Confidential | Yes | Official | Yes | Add review date to filename. |

## Sensitivity

- Public: safe for public use.
- Internal: company-only, no personal data.
- Confidential: customer, contract, financial, HR, product, or strategy data.
- Regulated: legal, medical, payment, government, or special-category personal data.

## Include Only If

- The tool and account are approved for the source sensitivity.
- The document is current enough for the use case.
- The document is authoritative or clearly marked as opinion/background.
- The target audience is allowed to see the source.
- The RAG instructions tell the model to say when the source set does not answer a question.

## Review Cadence

- High-change sources: monthly.
- Policy/legal/compliance sources: quarterly or after known regulatory change.
- Static background sources: twice per year.