Data Governance
Operational controls for data governance — with maturity levels, evidence requirements, and implementation guidance.
5 controls
Training Data Provenance
Track and document the origin, composition, licensing, and preprocessing history of data used to train or fine-tune AI models.
PII Handling in AI Systems
Establish controls governing how personally identifiable information is handled when it flows through AI inputs, outputs, training pipelines, and logs.
Data Minimization for AI Systems
Ensure AI systems only process the data strictly necessary for their defined purpose, avoiding unnecessary collection, retention, or use of personal information.
AI Output Retention and Deletion
Define and enforce retention schedules and deletion procedures for AI-generated content, decisions, and the personal data contained within them.
Cross-Border Data Transfer Controls for AI
Govern the international transfer of personal data through AI systems, including data sent to AI API providers, training pipelines, and cloud infrastructure in other jurisdictions.