Model & Program Governance
Operational controls for model & program governance — with maturity levels, evidence requirements, and implementation guidance.
AI Model Preview and Staged Release Policy
Establish an internal policy that distinguishes preview and experimental AI system access from approved production deployment, and requires documented governance sign-off at each release stage before a system advances to broader use.
AI System Intake and Approval Workflow
Define a standardized intake process for all new AI system deployments that captures use case, data classification, risk tier, and ownership before the system enters the organization's environment, with cross-functional approval routing and GRC recordkeeping.
AI Governance Program Milestone Framework
Define structured governance milestones — evaluated at intervals across a deployment's lifecycle — that must be completed before an AI system advances to the next stage, treating governance readiness as a project dependency rather than a parallel or post-hoc activity.
Continuous AI Assurance Function Design
Design and operate an ongoing AI assurance function that generates regular evidence of control effectiveness across the AI governance program, moving beyond point-in-time audits to a continuous model that provides the board, regulators, and enterprise customers with current assurance on AI governance posture.
Generative AI Input Data Classification
Establish a classification policy for data entering generative AI systems as inputs — prompts, context windows, retrieved documents, tool outputs, and conversation history — addressing privacy, confidentiality, and regulatory risks specific to the generative AI input surface that general data classification policies do not cover.
RAI Benchmark-Aligned Evaluation Framework
Map internal AI system evaluations to published responsible AI benchmarks and standards (HELM Safety, AIR-Bench, FACTS, and equivalents) to produce evaluation evidence that is interpretable against an independent external standard by regulators, auditors, and enterprise customers.
Emerging AI Modality Classification and Governance Extension
Establish a process for detecting when new AI modalities — ambient AI, multimodal agents, brain-computer interfaces, always-on AI assistants, and other emerging capability types — enter the organization's environment, and for extending governance coverage to those modalities before they are widely deployed.
