Model & Program Governance
Operational controls for model & program governance — with maturity levels, evidence requirements, and implementation guidance.
9 controls
AI Model Preview and Staged Release Policy
Establish an internal policy that distinguishes preview and experimental AI system access from approved production deployment, and requires documented governance sign-off at each release stage before a system advances to broader use.
AI System Intake and Approval Workflow
Define a standardized intake process for all new AI system deployments that captures use case, data classification, risk tier, and ownership before the system enters the organization's environment, with cross-functional approval routing and GRC recordkeeping.
AI Governance Program Milestone Framework
Define structured governance milestones — evaluated at intervals across a deployment's lifecycle — that must be completed before an AI system advances to the next stage, treating governance readiness as a project dependency rather than a parallel or post-hoc activity.
Continuous AI Assurance Function Design
Design and operate an ongoing AI assurance function that generates regular evidence of control effectiveness across the AI governance program, moving beyond point-in-time audits to a continuous model that provides the board, regulators, and enterprise customers with current assurance on AI governance posture.
Generative AI Input Data Classification
Establish a classification policy for data entering generative AI systems as inputs — prompts, context windows, retrieved documents, tool outputs, and conversation history — addressing privacy, confidentiality, and regulatory risks specific to the generative AI input surface that general data classification policies do not cover.
RAI Benchmark-Aligned Evaluation Framework
Map internal AI system evaluations to published responsible AI benchmarks and standards (HELM Safety, AIR-Bench, FACTS, and equivalents) to produce evaluation evidence that is interpretable against an independent external standard by regulators, auditors, and enterprise customers.
Emerging AI Modality Classification and Governance Extension
Establish a process for detecting when new AI modalities — ambient AI, multimodal agents, brain-computer interfaces, always-on AI assistants, and other emerging capability types — enter the organization's environment, and for extending governance coverage to those modalities before they are widely deployed.
AI-Generated Deliverable Disclosure and Citation Standards
Define standards for disclosing AI involvement in client-facing, regulatory, or published deliverables, and for verifying citations and factual claims in AI-generated content before external distribution, including disclosure before engagement closeout for professional services organizations.
AI Capability Claim Substantiation Standard
Establish a documentation standard for AI capability claims made internally and externally — in marketing materials, product documentation, sales conversations, regulatory submissions, and procurement responses — that produces substantiation evidence meeting FTC disclosure expectations and enterprise customer due diligence requirements.
