Based on ISO 42001, CIS Controls, and NIST CSF frameworks
| Question | Control Reference | Compliance Status |
|---|---|---|
| Does the organization have a documented AI governance policy that aligns with ISO 42001? | ISO 42001 Section 5.2 | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Has the organization established a formal AI risk assessment methodology? | NIST AI RMF (MAP function), ISO 42001 Section 6.1 | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Are AI governance roles and responsibilities clearly defined, including CAISO and AIGC roles? | ISO 42001 Section 5.3, NIST CSF 2.0 (GOVERN function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Does the organization maintain an inventory of all AI systems and their risk classifications? | CIS Control 1, NIST AI RMF (MAP function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Is there a process for regular review and approval of AI systems before deployment? | ISO 42001 Section 8.1, NIST AI RMF (MEASURE function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Does the organization have metrics to measure the effectiveness of AI governance controls? | ISO 42001 Section 9.1, NIST CSF 2.0 (GOVERN function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |

| Question | Control Reference | Compliance Status |
|---|---|---|
| Does the organization have a documented data governance framework specific to AI training and operational data? | ISO 42001 Section 7.5, NIST AI RMF (MAP function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Are there processes to assess and mitigate bias in AI training data? | NIST AI RMF (MEASURE function), ISO 42001 Section 8.2 | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Does the organization maintain data lineage and provenance tracking for AI systems? | CIS Control 3, NIST AI RMF (MAP function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Are there data protection controls specific to AI training datasets and model outputs? | CIS Control 3, ISO 42001 Section 8.3 | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Does the organization have a data retention and disposal policy for AI training data? | CIS Control 3, NIST CSF 2.0 (PROTECT function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |
| Is there a process for regular data quality assessment for AI systems? | ISO 42001 Section 9.1, NIST AI RMF (MEASURE function) | □ Compliant □ Partially Compliant □ Non-Compliant □ Not Applicable |

For each non-compliant or partially compliant item, complete the following:

| Question Reference | Remediation Action | Priority | Timeline | Responsible Party | Status |
|---|---|---|---|---|---|
| | | □ High □ Medium □ Low | □ Immediate (0-30 days) □ Short-term (1-3 months) □ Long-term (3+ months) | | □ Not Started □ In Progress □ Completed □ Verified |
| | | □ High □ Medium □ Low | □ Immediate (0-30 days) □ Short-term (1-3 months) □ Long-term (3+ months) | | □ Not Started □ In Progress □ Completed □ Verified |
| | | □ High □ Medium □ Low | □ Immediate (0-30 days) □ Short-term (1-3 months) □ Long-term (3+ months) | | □ Not Started □ In Progress □ Completed □ Verified |