checklist
AI governance readiness checklist
A practical checklist for reviewing AI ownership, risk classification, approval gates, evidence, monitoring, and escalation before AI systems move into business use.
Use this checklist to test whether AI governance is becoming an operating model rather than a policy document. It is written for leaders, architects, risk partners, and delivery teams who need a shared view of readiness.
1. Use-case ownership
- Each AI use case has a named business owner.
- The expected business outcome is written down.
- The affected process, user group, and decision point are clear.
- Human accountability is explicit where the system influences decisions.
- The owner knows which controls apply before production use.
2. Inventory and classification
- The organization has an inventory of active AI systems, pilots, and embedded vendor AI features.
- Each item has a status: idea, pilot, limited production, production, retired.
- Each item records data sensitivity, user population, external exposure, and materiality.
- High-impact, regulated, customer-facing, employee-facing, or externally visible use cases receive deeper review.
- Shadow AI usage is reviewed through discovery, not only policy reminders.
3. Data and model boundaries
- Source datasets are listed with owners and lawful or contractual basis for use.
- Sensitive data, confidential data, and restricted data are identified before model or vendor selection.
- Data retention, prompt retention, output retention, and logging behavior are understood.
- Model, vendor, and hosting choices are documented.
- Cross-border data movement and third-party access are reviewed.
4. Approval gates
- Low-risk use cases can move quickly through a lightweight path.
- Higher-risk use cases require documented review by business, architecture, security, legal, risk, or compliance as appropriate.
- The approval record explains the decision, not only the meeting outcome.
- Exceptions have owners, expiry dates, and follow-up actions.
- The production release gate includes operational readiness, not only policy approval.
5. Evidence and audit trail
- The business case, risk classification, architecture decision, evaluation result, and approval decision are retained.
- Prompt, retrieval, model, and tool-access design choices are traceable.
- Evaluation evidence is linked to the version of the system being released.
- Changes after approval are visible and reviewed according to risk.
- Evidence can be reconstructed without relying on memory or screenshots.
6. Monitoring and escalation
- The system has defined quality, safety, cost, latency, and usage indicators.
- Output review is designed around the risk of the use case.
- Incidents, complaints, policy exceptions, and unexpected behavior have an escalation path.
- Owners review production behavior on a defined cadence.
- Retirement or rollback is possible if the system becomes unsafe, uneconomic, or non-compliant.
7. Questions to ask before production
- Who owns the outcome when the AI system is wrong?
- What data does the system consume, and can we prove it?
- What decision or workflow does the system influence?
- What evidence would satisfy audit, risk, security, or legal review?
- What happens when the vendor, model, dataset, or regulation changes?
Practical scoring
Use a simple three-level score for each section:
- Green: accountable, documented, and operating.
- Amber: partly defined, but evidence or ownership is incomplete.
- Red: unclear, undocumented, or dependent on informal knowledge.
The goal is not to make every use case heavy. The goal is to make governance proportional, explicit, and repeatable.