- AI Policy (Enforceable, Not Aspirational)
- ☐ Defined explicitly prohibited AI use cases
- ☐ Documented approved vs restricted use cases
- ☐ Embedded mandatory human oversight requirements
- ☐ Included LLM / agentic AI-specific rules
- ☐ Established approval workflow for new AI use cases
- EU AI Act Risk Tiering (Liability Trigger)
- ☐ AI systems formally classified (Prohibited / High / Limited / Minimal)
- ☐ Classification rationale documented and reviewable
- ☐ High-risk systems flagged with compliance obligations
- ☐ Process in place to reassess classification over time
- ☐ Clear control ensuring no prohibited systems are deployed
- Pre-Deployment Risk Assessment
- ☐ Bias and discrimination risks assessed
- ☐ Privacy and data leakage risks tested
- ☐ Security vulnerabilities tested (prompt injection, jailbreaks)
- ☐ Hallucination and unsafe output risks evaluated
- ☐ Model inversion / data extraction risks assessed
- ☐ Evidence retained: “tested = controlled”
- Third-Party AI Governance
- ☐ Inventory of all external AI models and vendors
- ☐ Vendor risk assessments completed
- ☐ Contracts include:
- ☐ Data usage and ownership rights
- ☐ Audit and transparency rights
- ☐ SLA / performance guarantees
- ☐ Exit and fallback provisions
- ☐ Internal accountability defined despite outsourcing
- Data Governance & Controls
- ☐ End-to-end data lineage documented
- ☐ Access controls and data masking implemented
- ☐ Consent and legal basis tracked
- ☐ Training data traceability established
- ☐ Mechanism for right-to-erasure (GDPR Art. 17) applied to models
- ☐ Data quality controls actively maintained
- Continuous Red-Teaming
- ☐ Adversarial testing conducted before deployment
- ☐ Continuous testing after deployment
- ☐ Coverage includes:
- ☐ Prompt injection
- ☐ Jailbreak attempts
- ☐ Data exfiltration
- ☐ Testing results documented and remediated
- ☐ Required for all high-risk systems
- Documentation (Legal Evidence)
- ☐ Model cards completed
- ☐ Datasheets for datasets maintained
- ☐ Evaluation and validation reports stored
- ☐ Training data sources and limitations documented
- ☐ Intended use and misuse boundaries defined
- ☐ Technical documentation aligned with EU AI Act requirements
- Accountability & Governance Structure
- ☐ Named model owner (business)
- ☐ Assigned risk approver
- ☐ Independent reviewer function in place
- ☐ Ethics / compliance oversight defined
- ☐ Executive ownership assigned (CAIO / CDAO or equivalent)
- Agentic AI Oversight (If Applicable)
- ☐ Defined scope and autonomy limits
- ☐ Approval gates for critical actions implemented
- ☐ Full action logging and traceability enabled
- ☐ Human-in-the-loop required for irreversible decisions
- ☐ Kill-switch / override mechanisms in place
- Monitoring (Post-Deployment Control)
- ☐ Continuous monitoring of:
- ☐ Model drift
- ☐ Hallucination rates
- ☐ Bias indicators
- ☐ Latency and cost anomalies
- ☐ Fairness monitoring implemented
- ☐ Explainability tools / dashboards available
- ☐ Alerts and escalation thresholds defined
- Incident Response (72-Hour Readiness)
- ☐ Formal AI incident response plan in place
- ☐ Defined workflow:
- ☐ Detect
- ☐ Contain / rollback
- ☐ Fix
- ☐ Postmortem
- ☐ Notify regulators (≤72 hours where required)
- ☐ Roles and responsibilities clearly assigned
- ☐ Incident logs and evidence retention ensured
- Audit & Transparency
- ☐ Systems are audit-ready at all times
- ☐ Evidence of compliance centrally stored
- ☐ AI decision-making transparency documented
- ☐ Regular reporting (internal + regulatory) established
Final Control Question (Board-Level Test)
Before any AI system goes live, you should be able to answer yes to all:
- ☐ Do we know what this system is allowed to do—and not do?
- ☐ Do we know its regulatory classification and obligations?
- ☐ Can we prove it has been tested for real risks?
- ☐ Do we know who is accountable in production?
- ☐ Can we monitor and intervene in real time?
- ☐ Can we respond within 72 hours if it fails?
Bottom Line
This is no longer a maturity model.
It is a liability control framework.