AI Governance & Compliance Self-Assessment Questionnaire

DISCLAIMER: This tool is to be used as a guide only. This guide draws on ISO 42001, and EU an AU guidelines for the Responsible Use of AI however does not take into account individual circumstances.

First Name *

Last Name *

Organisation Name *

Phone Number

Email Address *

Section 1: AI Management System & Governance

1. AI Risk Management Framework: Do you have a documented AI risk management framework that identifies, assesses, and mitigates risks associated with your AI systems?

2. AI Governance Structure: Have you established clear roles, responsibilities, and accountability for AI development, deployment, and procurement decisions?

3. AI System Inventory: Do you maintain a comprehensive inventory of all AI systems (developed internally or third-party products) with their risk classifications per EU AI Act categories (Minimal/Limited/High/Unacceptable)?

Section 2: Data Governance & Classification

4. Data Classification Framework: Have you implemented a data classification system that categorises all data used in AI systems (e.g., Personal/Sensitive/Confidential/Public)?

5. Special Category Data Controls: Do you have specific controls and documentation for AI systems processing special category data (health, biometric, racial/ethnic origin, political opinions, etc.)?

6. Data Quality Management: Are there documented processes to ensure data quality, accuracy, and representativeness for all data classifications used in your AI systems?

Section 3: Testing & Validation - AI/ML Development

7. AI Testing Protocols: Do you have standardised testing protocols that include bias detection, accuracy validation, and robustness testing for your AI systems?

8. Edge Case & Performance Metrics Testing: Do you systematically test and document AI performance on edge cases, outliers, and measure key metrics (sensitivity/recall, specificity, precision, false positive/negative rates)?

9. Performance Monitoring: Have you implemented continuous monitoring systems to track AI performance, drift, and potential biases in production?

Section 4: Transparency & Human Oversight

10. AI Transparency Documentation: Do you maintain clear documentation explaining AI system logic, limitations, and decision-making processes?

11. Human Oversight Mechanisms: Are human oversight and intervention mechanisms implemented for AI decisions, especially for high-risk applications or sensitive data processing?

Section 5: Third-Party AI/ML Management

12. Vendor Risk Assessment: Do you conduct formal risk assessments of third-party AI providers, including their data handling practices and compliance with relevant frameworks and regulations such as ISO 42001/EU AI Act?

13. Contractual Safeguards: Are there contractual requirements for third-party AI providers regarding data protection, audit rights, and compliance obligations?

Section 6: Incident Response & Rights

14. AI Incident Response Plan: Have you established an incident response plan specifically for AI-related issues (bias incidents, data breaches, system failures)?

15. Individual Rights Processes: Are there documented processes to handle individual data subject requests related to AI decisions (explanation, correction, human review)?

16. AI Output Tone & Content Guidelines: Have you established and implemented guidelines for appropriate tone, language, and content generation in AI systems, including safeguards against harmful, biased, or inappropriate outputs?

Comments