AI Governance & Compliance Self-Assessment Questionnaire

DISCLAIMER: This tool is to be used as a guide only. This guide draws on ISO 42001, and EU an AU guidelines for the Responsible Use of AI however does not take into account individual circumstances.

First Name *

Last Name *

Organisation Name *

Phone Number

Email Address *

Section 1: AI Management System & Governance

1. AI Risk Management Framework: Do you have a documented AI risk management framework that identifies, assesses, and mitigates risks associated with your AI systems?

2. AI Governance Structure: Have you established clear roles, responsibilities, and accountability for AI development, deployment, and procurement decisions?

3. AI System Inventory: Do you maintain a comprehensive inventory of all AI systems (developed internally or third-party products) with their risk classifications per EU AI Act categories (Minimal/Limited/High/Unacceptable)?

Section 2: Data Governance & Classification

4. Data Classification Framework: Have you implemented a data classification system that categorises all data used in AI systems (e.g., Personal/Sensitive/Confidential/Public)?

5. Special Category Data Controls: Do you have specific controls and documentation for AI systems processing special category data (health, biometric, racial/ethnic origin, political opinions, etc.)?

6. Data Quality Management: Are there documented processes to ensure data quality, accuracy, and representativeness for all data classifications used in your AI systems?

Section 3: Testing & Validation - AI/ML Development

7. AI Testing Protocols: Do you have standardised testing protocols that include bias detection, accuracy validation, and robustness testing for your AI systems?

8. Edge Case & Performance Metrics Testing: Do you systematically test and document AI performance on edge cases, outliers, and measure key metrics (sensitivity/recall, specificity, precision, false positive/negative rates)?

9. Performance Monitoring: Have you implemented continuous monitoring systems to track AI performance, drift, and potential biases in production?

Section 4: Transparency & Human Oversight

10. AI Transparency Documentation: Do you maintain clear documentation explaining AI system logic, limitations, and decision-making processes?

11. Human Oversight Mechanisms: Are human oversight and intervention mechanisms implemented for AI decisions, especially for high-risk applications or sensitive data processing?

Section 5: Third-Party AI/ML Management

12. Vendor Risk Assessment: Do you conduct formal risk assessments of third-party AI providers, including their data handling practices and compliance with relevant frameworks and regulations such as ISO 42001/EU AI Act?

13. Contractual Safeguards: Are there contractual requirements for third-party AI providers regarding data protection, audit rights, and compliance obligations?

Section 6: Incident Response & Rights

14. AI Incident Response Plan: Have you established an incident response plan specifically for AI-related issues (bias incidents, data breaches, system failures)?

15. Individual Rights Processes: Are there documented processes to handle individual data subject requests related to AI decisions (explanation, correction, human review)?

16. AI Output Tone & Content Guidelines: Have you established and implemented guidelines for appropriate tone, language, and content generation in AI systems, including safeguards against harmful, biased, or inappropriate outputs?

AI Maturity Rating

Misson Control (Apollo)

AI governance is embedded and largely digitised across risk, testing, data management, transparency, and third-party oversight. Processes are well-documented, with minimal manual effort required. The organisation is well-positioned to scale AI safely, efficiently, and with confidence. Remaining gaps are minor and can likely be resolved through focused sprints or targeted process automation.

Orbiting (Climate Orbiter)

Foundational controls are in place, and the organisation is moving in the right direction—but is still dependent on manual workflows or lacks consistency across functions. AI is not a material risk today, but without maturing documentation, oversight, and tooling, inefficiencies and risk exposure may increase as usage grows. Targeted investments in process alignment and digital enablement would unlock better scalability and assurance.

Lift-Off Pending (Vanguard TV-3)

AI systems are governed through informal, ad hoc, or siloed practices. Documentation, monitoring, and role clarity may be limited or absent. These gaps create moderate to high operational and compliance risk—particularly in high-stakes applications. A structured program of uplift is recommended, beginning with governance structure, risk classification, and digitised monitoring to reduce administrative burden and establish confidence in AI system integrity.

Comments