Seeded Questions · 947
Target Bank Size · 1,000
Domains · 10
Frameworks · 9
Domain Coverage (seeded / target)
Domain 1 · Executive Leadership & Governance · 3 / 75
Domain 2 · AI Governance Program · 127 / 125
Domain 3 · AI Inventory & Asset Management · 77 / 75
Domain 4 · Security & Cybersecurity · 177 / 175
Domain 5 · Data Governance & Protection · 102 / 100
Domain 6 · Compliance & Regulatory Readiness · 128 / 125
Domain 7 · Vendor & Third-Party Risk · 77 / 75
Domain 8 · Mobile & Shadow AI Governance · 76 / 75
Domain 9 · Monitoring & Operations · 77 / 75
Domain 10 · Responsible AI & Ethics · 103 / 100
Browse Question Bank
Showing 947 of 947 seeded questions.
GOV-001 · Executive Leadership & Governance · Executive Accountability
Has executive accountability for AI governance been formally assigned?
Critical
w25
Stakeholder
CEO · maturity_scale
Framework Mapping
ISO 42001 · 5.1
NIST AI RMF · GOVERN-1.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assign executive ownership and establish accountability mechanisms.
GOV-002 · Executive Leadership & Governance · Strategic Alignment
Is the AI strategy aligned with enterprise strategy and approved by the board?
High
w16
Stakeholder
Executive Sponsor · yes_no
Framework Mapping
ISO 42001 · 5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document board-approved AI strategy linked to enterprise objectives.
GOV-003 · Executive Leadership & Governance · Board Engagement
Does the board review AI risk and governance at least quarterly?
High
w16
Stakeholder
Board Representative · maturity_scale
Framework Mapping
ISO 42001 · 5.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, governanceMaturity
Recommendation · Establish a quarterly board cadence with AI risk reporting.
PRG-001 · AI Governance Program · Policies
Is there an approved enterprise AI Acceptable Use Policy?
High
w16
Stakeholder
Governance Team · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Publish and communicate an approved AI Acceptable Use Policy.
PRG-002 · AI Governance Program · Approval Workflows
Is a formal AI use-case intake and approval workflow in place?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 8.1
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Implement an AI intake workflow with risk-tiered approvals.
INV-001 · AI Inventory & Asset Management · AI Inventory
Has the organization completed a current AI inventory (production + pilots)?
Critical
w25
Stakeholder
IT · maturity_scale
Framework Mapping
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Stand up a centralized AI inventory including shadow-AI discovery.
INV-002 · AI Inventory & Asset Management · Asset Classification
Are AI systems classified against EU AI Act risk tiers?
High
w16
Stakeholder
Business Units · yes_no
Framework Mapping
EU AI Act · Art. 6
NIST AI RMF · MAP-2.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, regulatoryReadiness
Recommendation · Apply EU AI Act risk-tier taxonomy to every AI system.
SEC-001 · Security & Cybersecurity · Monitoring
Are AI systems integrated into enterprise security monitoring (SIEM/SOC)?
Critical
w25
Stakeholder
CISO · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Onboard AI systems to SIEM with detections for prompt injection and abuse.
SEC-002 · Security & Cybersecurity · Incident Response
Does the incident response plan explicitly address AI-related incidents?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap
Recommendation · Extend the IR plan with AI-specific playbooks and tabletop exercises.
DAT-001 · Data Governance & Protection · Data Classification
Is data used for AI training, fine-tuning, and prompts formally classified?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
Report Mapping
aiTrustScore, complianceGapAnalysis, remediationRoadmap, regulatoryReadiness
Recommendation · Classify all training/fine-tuning/prompt data using the enterprise scheme.
DAT-002 · Data Governance & Protection · Data Loss Prevention
Are DLP controls applied to AI prompts, outputs, and logs?
Critical
w25
Stakeholder
Security · yes_no
Framework Mapping
GDPR · Art. 32
ISO 27001 · A.8.12
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, regulatoryReadiness
Recommendation · Apply DLP controls to AI prompts, outputs, and logs handling sensitive data.
COM-001 · Compliance & Regulatory Readiness · AIDA
Has an AIDA readiness assessment been completed?
Critical
w25
Stakeholder
Compliance · yes_no
Framework Mapping
AIDA · Readiness
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, complianceGapAnalysis, regulatoryReadiness
Recommendation · Complete an AIDA readiness assessment and remediate identified gaps.
COM-002 · Compliance & Regulatory Readiness · EU AI Act
Has the organization mapped in-scope AI systems to EU AI Act obligations?
Critical
w25
Stakeholder
Legal · yes_no
Framework Mapping
EU AI Act · Art. 9–15
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, regulatoryReadiness
Recommendation · Map in-scope AI systems to EU AI Act obligations and document evidence.
COM-003 · Compliance & Regulatory Readiness · ISO 42001
Has ISO 42001 readiness been formally evaluated?
High
w16
Stakeholder
Governance · maturity_scale
Framework Mapping
ISO 42001 · All clauses
Report Mapping
aiTrustScore, executiveBriefing, governanceMaturity, regulatoryReadiness
Recommendation · Conduct an ISO 42001 readiness review and develop a path to certification.
VEN-001 · Vendor & Third-Party Risk · Due Diligence
Are AI vendors evaluated against a documented due-diligence framework?
High
w16
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 7.4
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap
Recommendation · Adopt a tiered AI vendor due-diligence framework with documented evidence.
VEN-002 · Vendor & Third-Party Risk · Contracts
Do AI vendor contracts contain AI-specific clauses (data, IP, liability)?
Medium
w9
Stakeholder
Legal · yes_no
Framework Mapping
ISO 42001 · 7.4
Report Mapping
aiTrustScore, riskRegister, remediationRoadmap
Recommendation · Add AI-specific contract clauses covering data use, IP, and liability.
SHA-001 · Mobile & Shadow AI Governance · Shadow AI
Does the organization detect and govern shadow AI usage?
High
w12
Stakeholder
Security · maturity_scale
Framework Mapping
ISO 42001 · 8.3
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap
Recommendation · Deploy shadow-AI discovery and an enforced acceptable-use policy.
OPS-001 · Monitoring & Operations · Operational Governance
Are AI metrics reported to governance forums on a defined cadence?
Medium
w9
Stakeholder
Operations · maturity_scale
Framework Mapping
ISO 42001 · 9.1
Report Mapping
aiTrustScore, executiveBriefing, governanceMaturity
Recommendation · Define KPIs and report AI operational metrics on a regular cadence.
OPS-002 · Monitoring & Operations · Monitoring
Is continuous performance and drift monitoring in place for production AI?
High
w16
Stakeholder
Operations · maturity_scale
Framework Mapping
NIST AI RMF · MEASURE-2.4
Report Mapping
aiTrustScore, riskRegister, remediationRoadmap
Recommendation · Implement drift and performance monitoring with alerting thresholds.
RAI-001 · Responsible AI & Ethics · Fairness
Are AI outputs evaluated for bias, fairness, and disparate impact?
High
w16
Stakeholder
Governance · maturity_scale
Framework Mapping
NIST AI RMF · MEASURE-2.11
ISO 42001 · 6.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, remediationRoadmap
Recommendation · Implement bias and fairness testing for customer-facing and decision-support AI.
RAI-002 · Responsible AI & Ethics · Human Oversight
Is human oversight defined and documented for high-risk AI systems?
Critical
w25
Stakeholder
Risk · yes_no
Framework Mapping
EU AI Act · Art. 14
ISO 42001 · 6.5
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, regulatoryReadiness
Recommendation · Document human oversight roles, escalation, and override procedures.
RAI-003 · Responsible AI & Ethics · Transparency
Are end users informed when they interact with an AI system?
Medium
w9
Stakeholder
Governance · yes_no
Framework Mapping
EU AI Act · Art. 13
Report Mapping
aiTrustScore, complianceGapAnalysis, regulatoryReadiness
Recommendation · Add AI disclosure notices to customer-facing AI surfaces.
AIG-001 · AI Governance Program · AI Governance Policies
Does the organization maintain a formally approved AI Governance Policy?
Critical
w25
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-002 · AI Governance Program · AI Governance Policies
Has executive leadership approved the AI Governance Policy?
Critical
w25
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-003 · AI Governance Program · AI Governance Policies
Is the AI Governance Policy reviewed at least annually?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-004 · AI Governance Program · AI Governance Policies
Does the policy define AI governance objectives?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-005 · AI Governance Program · AI Governance Policies
Does the policy define acceptable AI use?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-006 · AI Governance Program · AI Governance Policies
Does the policy define prohibited AI use?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-007 · AI Governance Program · AI Governance Policies
Does the policy address generative AI?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-008 · AI Governance Program · AI Governance Policies
Does the policy address internally developed AI?
High
w12
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-009 · AI Governance Program · AI Governance Policies
Does the policy address third-party AI solutions?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-010 · AI Governance Program · AI Governance Policies
Does the policy address data privacy obligations?
Critical
w25
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-011 · AI Governance Program · AI Governance Policies
Does the policy address AI security requirements?
Critical
w25
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-012 · AI Governance Program · AI Governance Policies
Does the policy address AI ethics requirements?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-013 · AI Governance Program · AI Governance Policies
Does the policy address regulatory compliance requirements?
Critical
w25
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-014 · AI Governance Program · AI Governance Policies
Are policy exceptions formally documented?
Medium
w9
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-015 · AI Governance Program · AI Governance Policies
Are policy violations tracked and reported?
High
w16
Stakeholder
AI Governance Lead · yes_no
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-2.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Update the enterprise AI Governance Policy to cover this requirement, secure executive approval, and communicate to stakeholders.
AIG-016 · AI Governance Program · Roles & Responsibilities
Are AI governance responsibilities documented?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-017 · AI Governance Program · Roles & Responsibilities
Has an AI governance owner been assigned?
Critical
w25
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-018 · AI Governance Program · Roles & Responsibilities
Are AI system owners identified?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-019 · AI Governance Program · Roles & Responsibilities
Are AI risk owners identified?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-020 · AI Governance Program · Roles & Responsibilities
Are AI compliance owners identified?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-021 · AI Governance Program · Roles & Responsibilities
Are AI data owners identified?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-022 · AI Governance Program · Roles & Responsibilities
Are AI vendor owners identified?
Medium
w9
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-023 · AI Governance Program · Roles & Responsibilities
Are accountability structures documented?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-024 · AI Governance Program · Roles & Responsibilities
Is a RACI matrix maintained?
Medium
w9
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-025 · AI Governance Program · Roles & Responsibilities
Are governance responsibilities communicated?
Medium
w9
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-026 · AI Governance Program · Roles & Responsibilities
Are responsibilities reviewed annually?
Medium
w9
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-027 · AI Governance Program · Roles & Responsibilities
Are governance responsibilities incorporated into job descriptions?
Medium
w9
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-028 · AI Governance Program · Roles & Responsibilities
Do leaders acknowledge governance responsibilities?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-029 · AI Governance Program · Roles & Responsibilities
Are responsibilities aligned to risk levels?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-030 · AI Governance Program · Roles & Responsibilities
Are governance ownership gaps identified and remediated?
High
w16
Stakeholder
Chief AI Officer · maturity_scale
Framework Mapping
ISO 42001 · 5.3
NIST AI RMF · GOVERN-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Formalize the responsibility, assign a named owner, and reflect the assignment in the governance charter and RACI.
AIG-031 · AI Governance Program · AI Use Case Governance
Is every AI use case formally documented?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-032 · AI Governance Program · AI Use Case Governance
Are AI use cases categorized by business function?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-033 · AI Governance Program · AI Use Case Governance
Are AI use cases classified by risk?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-034 · AI Governance Program · AI Use Case Governance
Is a use-case approval process established?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-035 · AI Governance Program · AI Use Case Governance
Are high-risk use cases reviewed separately?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-036 · AI Governance Program · AI Use Case Governance
Are prohibited use cases identified?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-037 · AI Governance Program · AI Use Case Governance
Are use cases reviewed periodically?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-038 · AI Governance Program · AI Use Case Governance
Are use cases linked to business objectives?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-039 · AI Governance Program · AI Use Case Governance
Are use cases assessed for regulatory impact?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-040 · AI Governance Program · AI Use Case Governance
Are use cases assessed for privacy impact?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-041 · AI Governance Program · AI Use Case Governance
Are use cases assessed for security impact?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-042 · AI Governance Program · AI Use Case Governance
Are use cases assessed for ethical considerations?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-043 · AI Governance Program · AI Use Case Governance
Are use cases approved before deployment?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-044 · AI Governance Program · AI Use Case Governance
Are retired use cases formally closed?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-045 · AI Governance Program · AI Use Case Governance
Are use cases monitored after implementation?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Capture the use case in the AI register, classify by risk, and route through the governance approval workflow.
AIG-046 · AI Governance Program · AI Approval Workflows
Is there a documented AI approval workflow?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-047 · AI Governance Program · AI Approval Workflows
Are approval criteria documented?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-048 · AI Governance Program · AI Approval Workflows
Are approvals risk-based?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-049 · AI Governance Program · AI Approval Workflows
Do high-risk AI systems require executive approval?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-050 · AI Governance Program · AI Approval Workflows
Do high-risk AI systems require legal review?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-051 · AI Governance Program · AI Approval Workflows
Do high-risk AI systems require privacy review?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-052 · AI Governance Program · AI Approval Workflows
Do high-risk AI systems require security review?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-053 · AI Governance Program · AI Approval Workflows
Are approval decisions documented?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-054 · AI Governance Program · AI Approval Workflows
Are approval records retained?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-055 · AI Governance Program · AI Approval Workflows
Can approval decisions be audited?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-056 · AI Governance Program · AI Approval Workflows
Are emergency approvals documented?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-057 · AI Governance Program · AI Approval Workflows
Are rejected proposals documented?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-058 · AI Governance Program · AI Approval Workflows
Are approval metrics tracked?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-059 · AI Governance Program · AI Approval Workflows
Are workflow bottlenecks reviewed?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
AIG-060 · AI Governance Program · AI Approval Workflows
Are approval processes periodically improved?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.1
SOC 2 · CC3.1
NIST AI RMF · GOVERN-3.2
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Codify the approval gate in the AI workflow, capture decision artifacts, and require sign-off proportionate to risk tier.
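The recommendation repeated across AIG-046 to AIG-060, codify the approval gate and capture decision artifacts, can be expressed as code. What follows is an added illustration, not code from the question bank or from any product it describes; the tier names, the reviewer roles each tier requires, the emergency rule and the record layout are assumptions made for the example. It implements a risk-tiered gate in which high-risk systems need executive, legal, privacy and security sign-off (AIG-049 to AIG-052), every outcome including rejections and emergency approvals is written to an append-only log (AIG-053, AIG-056, AIG-057), and each record commits to the hash of its predecessor, so an auditor can verify the chain (AIG-055) and a stored record that was edited or removed after the fact is detectable (AIG-081).

```python
"""Risk-tiered approval gate with a hash-chained decision log.

Added illustration, not code from the question bank. The tier names, the
roles each tier requires, the emergency rule and the record layout are
assumptions made for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy: sign-offs each risk tier needs before a use case may deploy.
REQUIRED_SIGNOFFS = {
    "low": {"product_owner"},
    "medium": {"product_owner", "security"},
    "high": {"product_owner", "executive", "legal", "privacy", "security"},
}
GENESIS = "0" * 64  # prev_hash carried by the first record in a log


@dataclass
class ApprovalRequest:
    use_case_id: str
    risk_tier: str
    signoffs: Dict[str, str]      # role -> identity of the person who signed
    emergency: bool = False
    justification: str = ""


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class DecisionLog:
    """Append-only decision artifacts; each record commits to its predecessor."""
    records: List[dict] = field(default_factory=list)

    def append(self, decision: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = dict(decision, prev_hash=prev)
        record["hash"] = _digest(record)      # hash covers every field but itself
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain: an edited, reordered or deleted record breaks it."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec.get("prev_hash") != prev or _digest(body) != rec.get("hash"):
                return False
            prev = rec["hash"]
        return True

    def metrics(self) -> Dict[str, int]:
        """Approval metrics (AIG-058): number of decisions per status."""
        counts: Dict[str, int] = {}
        for rec in self.records:
            counts[rec["status"]] = counts.get(rec["status"], 0) + 1
        return counts


def evaluate(req: ApprovalRequest, log: DecisionLog, decided_at: str) -> dict:
    """Apply the gate and record the outcome, whatever it is, in the log."""
    if req.risk_tier not in REQUIRED_SIGNOFFS:
        raise ValueError(f"unknown risk tier: {req.risk_tier}")
    missing = sorted(REQUIRED_SIGNOFFS[req.risk_tier] - set(req.signoffs))
    if req.emergency:
        # Assumed emergency rule: an executive may approve ahead of the other
        # reviews, but only with a written justification; the record keeps the
        # reviews still owed so they can be chased after the fact.
        approved = "executive" in req.signoffs and bool(req.justification.strip())
        status = "approved_emergency" if approved else "rejected"
    else:
        approved = not missing
        status = "approved" if approved else "rejected"
    return log.append({
        "use_case_id": req.use_case_id,
        "risk_tier": req.risk_tier,
        "status": status,
        "signoffs": dict(sorted(req.signoffs.items())),
        "missing_signoffs": missing,      # a rejection keeps its reason
        "justification": req.justification,
        "decided_at": decided_at,         # caller supplies the timestamp
    })
```

The hash chain is only as trustworthy as the place the log is kept: to make it evidence rather than a convenience, store the latest record hash somewhere the workflow service itself cannot rewrite (a separate append-only store or a periodically signed checkpoint) and compare against it when `verify()` runs.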
AIG-061 · AI Governance Program · Risk Management
Are AI risks formally identified?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-062 · AI Governance Program · Risk Management
Is an AI risk register maintained?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-063 · AI Governance Program · Risk Management
Are risks assigned owners?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-064 · AI Governance Program · Risk Management
Are risks prioritized?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-065 · AI Governance Program · Risk Management
Are risk ratings documented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-066 · AI Governance Program · Risk Management
Are mitigation plans documented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-067 · AI Governance Program · Risk Management
Are residual risks assessed?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-068 · AI Governance Program · Risk Management
Are emerging risks monitored?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-069 · AI Governance Program · Risk Management
Are risk trends reported?
Medium
w9
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-070 · AI Governance Program · Risk Management
Are risks reviewed quarterly?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-071 · AI Governance Program · Risk Management
Are risks linked to governance controls?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-072 · AI Governance Program · Risk Management
Are risks mapped to compliance obligations?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-073 · AI Governance Program · Risk Management
Are risk acceptance decisions documented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-074 · AI Governance Program · Risk Management
Are critical risks escalated?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
AIG-075 · AI Governance Program · Risk Management
Are mitigation activities tracked?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · MANAGE-1.1
ISO 27001 · 6.1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a living AI risk register with owners, ratings, mitigation, and quarterly review cadence linked to governance forums.
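The living-register recommendation shared by AIG-061 to AIG-075 lists several properties a register should have: owners, ratings, mitigation, residual assessment, prioritisation, escalation of critical items, a quarterly review cadence, and links to controls and compliance obligations. The following is an added illustration, not code from the question bank or any product it describes, of checks that test a register for those properties; the four-point rating scale, the escalation threshold, the 91-day review interval and the sample entries are all assumptions made for the example, and the sample entries are constructed rather than real findings.

```python
"""AI risk register checks: prioritisation, residual risk, escalation, cadence.

Added illustration, not code from the question bank. The rating scale, the
escalation threshold, the review interval and the sample entries are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed rating scale
ESCALATE_AT = 12                    # likelihood x impact at or above this is critical (assumed)
REVIEW_EVERY = timedelta(days=91)   # quarterly review cadence (AIG-070)
AS_OF = date(2024, 5, 1)            # constructed "today" for the sample run


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: Optional[str]
    likelihood: str
    impact: str
    last_reviewed: date
    mitigation: Optional[str] = None
    residual: Optional[Tuple[str, str]] = None   # (likelihood, impact) after mitigation
    controls: Tuple[str, ...] = ()               # governance control IDs (AIG-071)
    obligations: Tuple[str, ...] = ()            # compliance obligations (AIG-072)
    accepted_by: Optional[str] = None            # documented risk acceptance (AIG-073)


def score(likelihood: str, impact: str) -> int:
    return LEVELS[likelihood] * LEVELS[impact]


def inherent(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual(r: Risk) -> int:
    """Residual score after mitigation; without an assessment the inherent score stands."""
    return score(*r.residual) if r.residual else inherent(r)


def prioritize(register: List[Risk]) -> List[str]:
    """Risk IDs ordered highest residual first, inherent score as tiebreak (AIG-064)."""
    ordered = sorted(register, key=lambda r: (residual(r), inherent(r)), reverse=True)
    return [r.risk_id for r in ordered]


def escalations(register: List[Risk]) -> List[str]:
    """Critical residual risks that nobody has formally accepted must go up (AIG-074)."""
    return [r.risk_id for r in register if residual(r) >= ESCALATE_AT and not r.accepted_by]


def findings(register: List[Risk], today: date) -> List[str]:
    """Register hygiene gaps, one line each, in register order."""
    out: List[str] = []
    for r in register:
        if not r.owner:
            out.append(f"{r.risk_id}: no owner assigned")
        if not r.mitigation:
            out.append(f"{r.risk_id}: no mitigation plan")
        if r.mitigation and r.residual is None:
            out.append(f"{r.risk_id}: residual risk not assessed")
        if not r.controls:
            out.append(f"{r.risk_id}: not linked to a governance control")
        if not r.obligations:
            out.append(f"{r.risk_id}: not mapped to a compliance obligation")
        if today - r.last_reviewed > REVIEW_EVERY:
            out.append(f"{r.risk_id}: quarterly review overdue")
    return out


def sample_register() -> List[Risk]:
    """Constructed sample entries (not real findings) used to exercise the checks."""
    return [
        Risk("R-1", "Prompt injection against customer-facing assistant", "ciso",
             "high", "high", date(2024, 3, 1),
             mitigation="input filtering and output policy checks",
             residual=("medium", "high"), controls=("SEC-012",),
             obligations=("EU AI Act Art. 9",)),
        Risk("R-2", "Training data includes personal data without a legal basis", None,
             "high", "critical", date(2023, 11, 1), controls=("DG-004",)),
        Risk("R-3", "Model drift in credit decisioning", "risk-manager",
             "critical", "critical", date(2024, 4, 15),
             mitigation="monthly performance monitoring with rollback",
             residual=("high", "critical"), controls=("MON-002",),
             obligations=("fair lending",), accepted_by="cro"),
    ]
```

Running `findings(sample_register(), AS_OF)` lists four gaps for R-2 (no owner, no mitigation, no obligation mapping, review overdue) and none for the other two; `escalations()` returns only R-2, because R-3 scores just as high but carries a documented acceptance by a named executive, which is the distinction AIG-073 and AIG-074 draw between accepted and unescalated risk.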
AIG-076 · AI Governance Program · Documentation & Records Management
Are AI governance documents centrally stored?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-077 · AI Governance Program · Documentation & Records Management
Are governance records version controlled?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-078 · AI Governance Program · Documentation & Records Management
Are document owners assigned?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-079 · AI Governance Program · Documentation & Records Management
Are document review dates maintained?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-080 · AI Governance Program · Documentation & Records Management
Are obsolete documents archived?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-081 · AI Governance Program · Documentation & Records Management
Are governance records protected?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-082 · AI Governance Program · Documentation & Records Management
Are retention periods defined?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-083 · AI Governance Program · Documentation & Records Management
Are records searchable?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-084 · AI Governance Program · Documentation & Records Management
Are audit records maintained?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-085 · AI Governance Program · Documentation & Records Management
Are approval records retained?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-086 · AI Governance Program · Documentation & Records Management
Are meeting minutes retained?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-087 · AI Governance Program · Documentation & Records Management
Are policy acknowledgements retained?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-088 · AI Governance Program · Documentation & Records Management
Are governance reports retained?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-089 · AI Governance Program · Documentation & Records Management
Are governance artifacts accessible during audits?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-090 · AI Governance Program · Documentation & Records Management
Are documentation practices reviewed regularly?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
SOC 2 · CC2.1
ISO 27001 · A.5.33
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize governance artifacts with version control, retention rules, owners, and audit-ready accessibility.
AIG-091 · AI Governance Program · Training & Awareness
Is AI governance training mandatory?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-092 · AI Governance Program · Training & Awareness
Do executives receive AI governance training?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-093 · AI Governance Program · Training & Awareness
Do developers receive AI governance training?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-094 · AI Governance Program · Training & Awareness
Do business users receive AI governance training?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-095 · AI Governance Program · Training & Awareness
Is training effectiveness measured?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-096 · AI Governance Program · Training & Awareness
Are training records maintained?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-097 · AI Governance Program · Training & Awareness
Is refresher training required?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-098 · AI Governance Program · Training & Awareness
Is training updated for regulatory changes?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-099 · AI Governance Program · Training & Awareness
Are awareness campaigns conducted?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-100 · AI Governance Program · Training & Awareness
Are training gaps tracked?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.2
ISO 27001 · A.6.3
NIST AI RMF · GOVERN-4.1
Report Mapping
aiTrustScore, executiveBriefing, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Roll out role-based AI governance training with mandatory completion, refresher cadence, and effectiveness measurement.
AIG-101 · AI Governance Program · Control Testing & Assurance
Are AI governance controls tested?
Critical
w25
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-102 · AI Governance Program · Control Testing & Assurance
Are testing procedures documented?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-103 · AI Governance Program · Control Testing & Assurance
Are testing results retained?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-104 · AI Governance Program · Control Testing & Assurance
Are control deficiencies tracked?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-105 · AI Governance Program · Control Testing & Assurance
Are remediation activities monitored?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-106 · AI Governance Program · Control Testing & Assurance
Are internal audits conducted?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-107 · AI Governance Program · Control Testing & Assurance
Are external reviews conducted?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-108 · AI Governance Program · Control Testing & Assurance
Are assurance reports generated?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-109 · AI Governance Program · Control Testing & Assurance
Are control maturity assessments performed?
High
w16
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-110 · AI Governance Program · Control Testing & Assurance
Are findings reported to leadership?
Critical
w25
Stakeholder
Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 9.2
SOC 2 · CC4.1
ISO 27001 · 9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a control testing program with documented procedures, deficiency tracking, and leadership reporting.
AIG-111 · AI Governance Program · Continuous Improvement
Is governance maturity assessed annually?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-112 · AI Governance Program · Continuous Improvement
Are improvement initiatives documented?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-113 · AI Governance Program · Continuous Improvement
Are governance metrics reviewed?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-114 · AI Governance Program · Continuous Improvement
Are lessons learned captured?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-115 · AI Governance Program · Continuous Improvement
Are governance reviews conducted after incidents?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-116 · AI Governance Program · Continuous Improvement
Are recommendations tracked?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-117 · AI Governance Program · Continuous Improvement
Are improvement plans funded?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-118 · AI Governance Program · Continuous Improvement
Are governance objectives updated?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-119 · AI Governance Program · Continuous Improvement
Are stakeholder feedback mechanisms established?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-120 · AI Governance Program · Continuous Improvement
Are benchmarking exercises conducted?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-121 · AI Governance Program · Continuous Improvement
Are industry best practices monitored?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-122 · AI Governance Program · Continuous Improvement
Are governance innovations evaluated?
Low
w4
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-123 · AI Governance Program · Continuous Improvement
Are improvement targets established?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-124 · AI Governance Program · Continuous Improvement
Are improvement outcomes measured?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
AIG-125 · AI Governance Program · Continuous Improvement
Does leadership actively sponsor governance improvement?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 10.1
NIST AI RMF · GOVERN-1.6
Report Mapping
aiTrustScore, executiveBriefing, remediationRoadmap, governanceMaturity
Recommendation · Operate a continuous improvement cycle with annual maturity assessment, funded initiatives, and leadership sponsorship.
INV-001 · AI Inventory & Asset Management · AI System Inventory
Has the organization established a formal AI inventory process?
Critical
w25
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-002 · AI Inventory & Asset Management · AI System Inventory
Is a centralized inventory of AI systems maintained?
Critical
w25
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-003 · AI Inventory & Asset Management · AI System Inventory
Have all business units reported AI systems in use?
Critical
w25
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-004 · AI Inventory & Asset Management · AI System Inventory
Are AI systems assigned unique identifiers?
Medium
w9
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-005 · AI Inventory & Asset Management · AI System Inventory
Are AI systems categorized by business function?
Medium
w9
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-006 · AI Inventory & Asset Management · AI System Inventory
Are AI systems classified by risk level?
Critical
w25
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-007 · AI Inventory & Asset Management · AI System Inventory
Are AI systems classified by criticality?
High
w16
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-008 · AI Inventory & Asset Management · AI System Inventory
Are AI systems linked to system owners?
High
w16
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-009 · AI Inventory & Asset Management · AI System Inventory
Are AI systems linked to business sponsors?
Medium
w9
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-010 · AI Inventory & Asset Management · AI System Inventory
Are AI systems linked to departments?
Medium
w9
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-011 · AI Inventory & Asset Management · AI System Inventory
Are AI systems reviewed annually?
High
w16
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-012 · AI Inventory & Asset Management · AI System Inventory
Are retired AI systems removed from inventory?
Medium
w9
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-013 · AI Inventory & Asset Management · AI System Inventory
Are AI inventory records validated periodically?
High
w16
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-014 · AI Inventory & Asset Management · AI System Inventory
Are inventory exceptions documented?
Medium
w9
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-015 · AI Inventory & Asset Management · AI System Inventory
Is inventory completeness measured?
High
w16
Stakeholder
CIO · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
SOC 2 · CC3.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or extend the centralized AI system inventory, assign owners, classify by risk, and review on a defined cadence.
INV-016 · AI Inventory & Asset Management · AI Model Inventory
Does the organization maintain an inventory of AI models?
Critical
w25
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-017 · AI Inventory & Asset Management · AI Model Inventory
Are internally developed models inventoried?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-018 · AI Inventory & Asset Management · AI Model Inventory
Are externally sourced models inventoried?
Critical
w25
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-019 · AI Inventory & Asset Management · AI Model Inventory
Are model versions tracked?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-020 · AI Inventory & Asset Management · AI Model Inventory
Are model owners assigned?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-021 · AI Inventory & Asset Management · AI Model Inventory
Are model purposes documented?
Medium
w9
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-022 · AI Inventory & Asset Management · AI Model Inventory
Are model risk ratings assigned?
Critical
w25
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-023 · AI Inventory & Asset Management · AI Model Inventory
Are model dependencies documented?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-024 · AI Inventory & Asset Management · AI Model Inventory
Are retired models archived?
Medium
w9
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-025 · AI Inventory & Asset Management · AI Model Inventory
Are model inventories reviewed regularly?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MAP-2.2
EU AI Act · Art. 11
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Stand up a model registry that tracks ownership, versions, dependencies, and risk ratings for all internal and third-party models.
INV-026 · AI Inventory & Asset Management · AI Application Inventory
Are AI applications inventoried?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-027 · AI Inventory & Asset Management · AI Application Inventory
Are generative AI applications identified?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-028 · AI Inventory & Asset Management · AI Application Inventory
Are AI-powered SaaS applications identified?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-029 · AI Inventory & Asset Management · AI Application Inventory
Are approved AI applications documented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-030 · AI Inventory & Asset Management · AI Application Inventory
Are prohibited AI applications documented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-031 · AI Inventory & Asset Management · AI Application Inventory
Are application owners assigned?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-032 · AI Inventory & Asset Management · AI Application Inventory
Are application risks documented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-033 · AI Inventory & Asset Management · AI Application Inventory
Are application vendors documented?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-034 · AI Inventory & Asset Management · AI Application Inventory
Are application usage statistics tracked?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-035 · AI Inventory & Asset Management · AI Application Inventory
Are AI applications reviewed annually?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.5.9
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current registry of approved, prohibited, and shadow AI applications with owners, vendors, and usage telemetry.
INV-036 · AI Inventory & Asset Management · AI Vendor Inventory
Does the organization maintain an AI vendor inventory?
Critical
w25
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-037 · AI Inventory & Asset Management · AI Vendor Inventory
Are all AI vendors identified?
Critical
w25
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-038 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor services documented?
High
w16
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-039 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor contracts linked to inventory records?
High
w16
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-040 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor risk ratings assigned?
Critical
w25
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-041 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor compliance certifications documented?
High
w16
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-042 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor data handling practices documented?
Critical
w25
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-043 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor contacts assigned?
Medium
w9
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-044 · AI Inventory & Asset Management · AI Vendor Inventory
Are vendor reviews performed annually?
High
w16
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-045 · AI Inventory & Asset Management · AI Vendor Inventory
Are terminated vendors removed from inventory?
Medium
w9
Stakeholder
Procurement · maturity_scale
Framework Mapping
ISO 42001 · 8.4
ISO 27001 · A.5.19
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI vendor register integrated with procurement: contracts, certifications, data-handling practices, and annual reviews.
INV-046 · AI Inventory & Asset Management · AI Data Inventory
Is data used by AI systems inventoried?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-047 · AI Inventory & Asset Management · AI Data Inventory
Are data sources documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-048 · AI Inventory & Asset Management · AI Data Inventory
Are data classifications assigned?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-049 · AI Inventory & Asset Management · AI Data Inventory
Are sensitive data elements identified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-050 · AI Inventory & Asset Management · AI Data Inventory
Are personal information elements identified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-051 · AI Inventory & Asset Management · AI Data Inventory
Are data owners assigned?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-052 · AI Inventory & Asset Management · AI Data Inventory
Are retention requirements documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-053 · AI Inventory & Asset Management · AI Data Inventory
Are data flows documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-054 · AI Inventory & Asset Management · AI Data Inventory
Are external data sources identified?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-055 · AI Inventory & Asset Management · AI Data Inventory
Is data inventory reviewed periodically?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.5
GDPR · Art. 30
PIPEDA · Principle 4.1
NIST AI RMF · MAP-2.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Extend the data inventory to AI training and inference datasets, classify sensitive and personal data, and document flows and retention.
INV-056 · AI Inventory & Asset Management · AI Infrastructure Inventory
Are AI infrastructure assets inventoried?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
ISO 42001 · 8.6
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Catalogue AI infrastructure across cloud and on-premises with named owners and annual recertification.
INV-057 · AI Inventory & Asset Management · AI Infrastructure Inventory
Are cloud environments documented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
ISO 42001 · 8.6
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Catalogue AI infrastructure across cloud and on-premises with named owners and annual recertification.
INV-058 · AI Inventory & Asset Management · AI Infrastructure Inventory
Are on-premises AI environments documented?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
ISO 42001 · 8.6
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Catalogue AI infrastructure across cloud and on-premises with named owners and annual recertification.
INV-059 · AI Inventory & Asset Management · AI Infrastructure Inventory
Are infrastructure owners assigned?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
ISO 42001 · 8.6
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Catalogue AI infrastructure across cloud and on-premises with named owners and annual recertification.
INV-060 · AI Inventory & Asset Management · AI Infrastructure Inventory
Are infrastructure inventories reviewed annually?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
ISO 42001 · 8.6
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Catalogue AI infrastructure across cloud and on-premises with named owners and annual recertification.
INV-061 · AI Inventory & Asset Management · AI Use Case Inventory
Is every AI use case documented?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a use case register linked to AI systems, business objectives, and risk ratings; retire dormant use cases.
INV-062 · AI Inventory & Asset Management · AI Use Case Inventory
Are use cases linked to business objectives?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a use case register linked to AI systems, business objectives, and risk ratings; retire dormant use cases.
INV-063 · AI Inventory & Asset Management · AI Use Case Inventory
Are use cases linked to AI systems?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a use case register linked to AI systems, business objectives, and risk ratings; retire dormant use cases.
INV-064 · AI Inventory & Asset Management · AI Use Case Inventory
Are use case risk levels assigned?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a use case register linked to AI systems, business objectives, and risk ratings; retire dormant use cases.
INV-065 · AI Inventory & Asset Management · AI Use Case Inventory
Are inactive use cases retired?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.1
EU AI Act · Art. 9
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a use case register linked to AI systems, business objectives, and risk ratings; retire dormant use cases.
INV-066 · AI Inventory & Asset Management · AI Integrations Inventory
Are AI integrations documented?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 27001 · A.8.21
ISO 42001 · 8.7
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Inventory every AI integration and API connection with owners, risk assessment, and a periodic review cadence.
INV-067 · AI Inventory & Asset Management · AI Integrations Inventory
Are API connections inventoried?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 27001 · A.8.21
ISO 42001 · 8.7
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Inventory every AI integration and API connection with owners, risk assessment, and a periodic review cadence.
INV-068 · AI Inventory & Asset Management · AI Integrations Inventory
Are integration owners assigned?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 27001 · A.8.21
ISO 42001 · 8.7
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Inventory every AI integration and API connection with owners, risk assessment, and a periodic review cadence.
INV-069 · AI Inventory & Asset Management · AI Integrations Inventory
Are integration risks assessed?
High
w16
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 27001 · A.8.21
ISO 42001 · 8.7
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Inventory every AI integration and API connection with owners, risk assessment, and a periodic review cadence.
INV-070 · AI Inventory & Asset Management · AI Integrations Inventory
Are integration reviews conducted periodically?
Medium
w9
Stakeholder
Enterprise Architecture · maturity_scale
Framework Mapping
ISO 27001 · A.8.21
ISO 42001 · 8.7
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Inventory every AI integration and API connection with owners, risk assessment, and a periodic review cadence.
INV-071 · AI Inventory & Asset Management · Inventory Governance
Are inventory management procedures documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 9.1
NIST AI RMF · GOVERN-1.6
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Codify inventory procedures, assign ownership, report metrics to leadership, and audit accuracy on a defined cycle.
INV-072 · AI Inventory & Asset Management · Inventory Governance
Are inventory ownership responsibilities defined?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 9.1
NIST AI RMF · GOVERN-1.6
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Codify inventory procedures, assign ownership, report metrics to leadership, and audit accuracy on a defined cycle.
INV-073 · AI Inventory & Asset Management · Inventory Governance
Are inventory metrics reported to leadership?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 9.1
NIST AI RMF · GOVERN-1.6
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Codify inventory procedures, assign ownership, report metrics to leadership, and audit accuracy on a defined cycle.
INV-074 · AI Inventory & Asset Management · Inventory Governance
Are inventory audits conducted?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 9.1
NIST AI RMF · GOVERN-1.6
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Codify inventory procedures, assign ownership, report metrics to leadership, and audit accuracy on a defined cycle.
INV-075 · AI Inventory & Asset Management · Inventory Governance
Is inventory accuracy measured and improved?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 9.1
NIST AI RMF · GOVERN-1.6
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Codify inventory procedures, assign ownership, report metrics to leadership, and audit accuracy on a defined cycle.
SEC-001 · Security & Cybersecurity · Security Governance
Has an AI security program been formally established?
Critical
w25
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-002 · Security & Cybersecurity · Security Governance
Has executive leadership approved AI security requirements?
Critical
w25
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-003 · Security & Cybersecurity · Security Governance
Are AI security roles documented?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-004 · Security & Cybersecurity · Security Governance
Are AI security responsibilities assigned?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-005 · Security & Cybersecurity · Security Governance
Are AI security policies maintained?
Critical
w25
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-006 · Security & Cybersecurity · Security Governance
Are AI security standards maintained?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-007 · Security & Cybersecurity · Security Governance
Are AI security procedures documented?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-008 · Security & Cybersecurity · Security Governance
Are AI systems included in enterprise security governance?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-009 · Security & Cybersecurity · Security Governance
Are AI security KPIs defined?
Medium
w9
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-010 · Security & Cybersecurity · Security Governance
Are AI security metrics reported?
Medium
w9
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-011 · Security & Cybersecurity · Security Governance
Are AI security reviews performed annually?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-012 · Security & Cybersecurity · Security Governance
Are AI security audits conducted?
High
w16
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-013 · Security & Cybersecurity · Security Governance
Are AI security risks tracked?
Critical
w25
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-014 · Security & Cybersecurity · Security Governance
Are AI security exceptions documented?
Medium
w9
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-015 · Security & Cybersecurity · Security Governance
Are AI security improvements tracked?
Medium
w9
Stakeholder
Chief Information Security Officer (CISO) · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish or reinforce the AI security program: approved policies, standards, roles, KPIs, and an annual audit cadence.
SEC-016 · Security & Cybersecurity · Identity & Access Management
Are AI systems integrated with centralized identity management?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-017 · Security & Cybersecurity · Identity & Access Management
Are users uniquely identified?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-018 · Security & Cybersecurity · Identity & Access Management
Are privileged accounts identified?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-019 · Security & Cybersecurity · Identity & Access Management
Is multi-factor authentication required?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-020 · Security & Cybersecurity · Identity & Access Management
Are access reviews performed regularly?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-021 · Security & Cybersecurity · Identity & Access Management
Are dormant accounts removed?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-022 · Security & Cybersecurity · Identity & Access Management
Are service accounts managed?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-023 · Security & Cybersecurity · Identity & Access Management
Are privileged accounts monitored?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-024 · Security & Cybersecurity · Identity & Access Management
Is least-privilege enforced?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-025 · Security & Cybersecurity · Identity & Access Management
Are role-based permissions implemented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-026 · Security & Cybersecurity · Identity & Access Management
Are administrative activities logged?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-027 · Security & Cybersecurity · Identity & Access Management
Are privileged credentials protected?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-028 · Security & Cybersecurity · Identity & Access Management
Are access exceptions documented?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-029 · Security & Cybersecurity · Identity & Access Management
Are user access requests approved?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-030 · Security & Cybersecurity · Identity & Access Management
Are account provisioning controls documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-031 · Security & Cybersecurity · Identity & Access Management
Are account deprovisioning controls documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-032 · Security & Cybersecurity · Identity & Access Management
Are third-party accounts managed?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-033 · Security & Cybersecurity · Identity & Access Management
Are API credentials protected?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-034 · Security & Cybersecurity · Identity & Access Management
Are authentication failures monitored?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-035 · Security & Cybersecurity · Identity & Access Management
Are identity risks assessed?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.15
NIST AI RMF · MANAGE-2.1
SOC 2 · CC6.1
ISO 42001 · 8.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Centralize identity, enforce MFA and least-privilege, manage privileged and service accounts, and monitor authentication events.
SEC-036 · Security & Cybersecurity · AI Application Security
Are AI applications security assessed before deployment?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-037 · Security & Cybersecurity · AI Application Security
Are security reviews documented?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-038 · Security & Cybersecurity · AI Application Security
Are AI applications classified by risk?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-039 · Security & Cybersecurity · AI Application Security
Are application vulnerabilities tracked?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-040 · Security & Cybersecurity · AI Application Security
Are security testing results documented?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-041 · Security & Cybersecurity · AI Application Security
Are AI-generated outputs validated?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-042 · Security & Cybersecurity · AI Application Security
Are prompt injection risks assessed?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-043 · Security & Cybersecurity · AI Application Security
Are jailbreak risks assessed?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-044 · Security & Cybersecurity · AI Application Security
Are prompt security controls implemented?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-045 · Security & Cybersecurity · AI Application Security
Are application security requirements documented?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-046 · Security & Cybersecurity · AI Application Security
Are application changes reviewed?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-047 · Security & Cybersecurity · AI Application Security
Are application security incidents tracked?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-048 · Security & Cybersecurity · AI Application Security
Are unauthorized AI applications identified?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-049 · Security & Cybersecurity · AI Application Security
Are AI applications monitored continuously?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-050 · Security & Cybersecurity · AI Application Security
Are generative AI applications governed?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-051 · Security & Cybersecurity · AI Application Security
Are AI application owners assigned?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-052 · Security & Cybersecurity · AI Application Security
Are security controls periodically reviewed?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-053 · Security & Cybersecurity · AI Application Security
Are application risks reassessed annually?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-054 · Security & Cybersecurity · AI Application Security
Are security exceptions approved?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-055 · Security & Cybersecurity · AI Application Security
Are AI application security metrics maintained?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 27001 · A.8.25
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Embed AI-specific security testing (prompt injection, jailbreaks, output validation) into the SDLC and monitor applications continuously.
SEC-056 · Security & Cybersecurity · Vulnerability Management
Are AI systems included in vulnerability management?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-057 · Security & Cybersecurity · Vulnerability Management
Are vulnerability scans performed?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-058 · Security & Cybersecurity · Vulnerability Management
Are scans conducted regularly?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-059 · Security & Cybersecurity · Vulnerability Management
Are vulnerabilities prioritized?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-060 · Security & Cybersecurity · Vulnerability Management
Are vulnerability owners assigned?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-061 · Security & Cybersecurity · Vulnerability Management
Are remediation timelines defined?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-062 · Security & Cybersecurity · Vulnerability Management
Are critical vulnerabilities escalated?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-063 · Security & Cybersecurity · Vulnerability Management
Are vulnerability trends analyzed?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-064 · Security & Cybersecurity · Vulnerability Management
Are unresolved vulnerabilities tracked?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-065 · Security & Cybersecurity · Vulnerability Management
Are penetration tests conducted?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-066 · Security & Cybersecurity · Vulnerability Management
Are penetration test results retained?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-067 · Security & Cybersecurity · Vulnerability Management
Are AI models tested for weaknesses?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-068 · Security & Cybersecurity · Vulnerability Management
Are AI APIs tested?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-069 · Security & Cybersecurity · Vulnerability Management
Are cloud environments tested?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-070 · Security & Cybersecurity · Vulnerability Management
Are mobile AI applications tested?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-071 · Security & Cybersecurity · Vulnerability Management
Are third-party vulnerabilities tracked?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-072 · Security & Cybersecurity · Vulnerability Management
Are patching processes documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-073 · Security & Cybersecurity · Vulnerability Management
Are patch compliance metrics tracked?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-074 · Security & Cybersecurity · Vulnerability Management
Are vulnerability exceptions documented?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-075 · Security & Cybersecurity · Vulnerability Management
Are vulnerability management processes reviewed?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.8
NIST AI RMF · MANAGE-3.2
SOC 2 · CC7.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Run continuous vulnerability scanning, AI model red-teaming, and patch management with owners, SLAs, and escalation paths.
SEC-076 · Security & Cybersecurity · Monitoring & Threat Detection
Are AI systems monitored continuously?
Critical
w25
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-077 · Security & Cybersecurity · Monitoring & Threat Detection
Are security logs collected?
Critical
w25
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-078 · Security & Cybersecurity · Monitoring & Threat Detection
Are logs retained?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-079 · Security & Cybersecurity · Monitoring & Threat Detection
Are suspicious activities detected?
Critical
w25
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-080 · Security & Cybersecurity · Monitoring & Threat Detection
Are AI-specific alerts configured?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-081 · Security & Cybersecurity · Monitoring & Threat Detection
Are monitoring responsibilities assigned?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-082 · Security & Cybersecurity · Monitoring & Threat Detection
Are monitoring procedures documented?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-083 · Security & Cybersecurity · Monitoring & Threat Detection
Are threat intelligence feeds utilized?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-084 · Security & Cybersecurity · Monitoring & Threat Detection
Are indicators of compromise monitored?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-085 · Security & Cybersecurity · Monitoring & Threat Detection
Are insider threats monitored?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-086 · Security & Cybersecurity · Monitoring & Threat Detection
Are API activities monitored?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-087 · Security & Cybersecurity · Monitoring & Threat Detection
Are authentication anomalies monitored?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-088 · Security & Cybersecurity · Monitoring & Threat Detection
Are abnormal AI usage patterns monitored?
Critical
w25
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-089 · Security & Cybersecurity · Monitoring & Threat Detection
Are vendor security events monitored?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-090 · Security & Cybersecurity · Monitoring & Threat Detection
Are alert thresholds documented?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-091 · Security & Cybersecurity · Monitoring & Threat Detection
Are monitoring dashboards maintained?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-092 · Security & Cybersecurity · Monitoring & Threat Detection
Are false positives reviewed?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-093 · Security & Cybersecurity · Monitoring & Threat Detection
Are monitoring metrics reported?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-094 · Security & Cybersecurity · Monitoring & Threat Detection
Are threat detection capabilities tested?
High
w16
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-095 · Security & Cybersecurity · Monitoring & Threat Detection
Are monitoring improvements tracked?
Medium
w9
Stakeholder
SOC Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Stream AI telemetry into the SIEM with AI-specific detections, threat intel, and validated alerting; review false positives regularly.
SEC-096 · Security & Cybersecurity · Incident Response
Does the organization maintain an AI incident response plan?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-097 · Security & Cybersecurity · Incident Response
Are AI incidents formally defined?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-098 · Security & Cybersecurity · Incident Response
Are incident response roles assigned?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-099 · Security & Cybersecurity · Incident Response
Are incident response procedures documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-100 · Security & Cybersecurity · Incident Response
Are incidents classified by severity?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-101 · Security & Cybersecurity · Incident Response
Are incident escalation criteria documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-102 · Security & Cybersecurity · Incident Response
Are AI incidents reported to leadership?
Critical
w25
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-103 · Security & Cybersecurity · Incident Response
Are incident response exercises conducted?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-104 · Security & Cybersecurity · Incident Response
Are tabletop exercises performed?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-105 · Security & Cybersecurity · Incident Response
Are lessons learned documented?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-106 · Security & Cybersecurity · Incident Response
Are incident metrics reported?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-107 · Security & Cybersecurity · Incident Response
Are incident response vendors identified?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-108 · Security & Cybersecurity · Incident Response
Are forensic procedures documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-109 · Security & Cybersecurity · Incident Response
Are evidence handling procedures defined?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-110 · Security & Cybersecurity · Incident Response
Are communications plans maintained?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-111 · Security & Cybersecurity · Incident Response
Are recovery procedures documented?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-112 · Security & Cybersecurity · Incident Response
Are post-incident reviews conducted?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-113 · Security & Cybersecurity · Incident Response
Are incident trends analyzed?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-114 · Security & Cybersecurity · Incident Response
Are remediation activities tracked?
Medium
w9
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-115 · Security & Cybersecurity · Incident Response
Are response plans reviewed annually?
High
w16
Stakeholder
Security Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
EU AI Act · Art. 62
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Operate an AI-aware incident response plan with named roles, severity tiers, regular exercises, and post-incident reviews.
SEC-116 · Security & Cybersecurity · Cloud & Infrastructure Security
Are AI cloud environments inventoried?
Critical
w25
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-117 · Security & Cybersecurity · Cloud & Infrastructure Security
Are cloud security baselines defined?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-118 · Security & Cybersecurity · Cloud & Infrastructure Security
Are cloud configurations reviewed?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-119 · Security & Cybersecurity · Cloud & Infrastructure Security
Are cloud permissions monitored?
Critical
w25
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-120 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure security controls documented?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-121 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure assets monitored?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-122 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure vulnerabilities tracked?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-123 · Security & Cybersecurity · Cloud & Infrastructure Security
Are backups maintained?
Critical
w25
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-124 · Security & Cybersecurity · Cloud & Infrastructure Security
Are backups tested?
Critical
w25
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-125 · Security & Cybersecurity · Cloud & Infrastructure Security
Are disaster recovery procedures documented?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-126 · Security & Cybersecurity · Cloud & Infrastructure Security
Are recovery objectives defined?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-127 · Security & Cybersecurity · Cloud & Infrastructure Security
Are cloud providers assessed?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-128 · Security & Cybersecurity · Cloud & Infrastructure Security
Are network controls documented?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-129 · Security & Cybersecurity · Cloud & Infrastructure Security
Are segmentation controls implemented?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-130 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure changes approved?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-131 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure logs retained?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-132 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure incidents tracked?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-133 · Security & Cybersecurity · Cloud & Infrastructure Security
Are recovery exercises conducted?
High
w16
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-134 · Security & Cybersecurity · Cloud & Infrastructure Security
Are infrastructure security metrics reported?
Medium
w9
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-135 · Security & Cybersecurity · Cloud & Infrastructure Security
Are cloud security improvements tracked?
Medium
w9
Stakeholder
Cloud Team · maturity_scale
Framework Mapping
ISO 27001 · A.8.9
NIST AI RMF · MANAGE-2.2
SOC 2 · CC6.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply hardened baselines to cloud AI environments, monitor permissions and config drift, and test backups and DR.
SEC-136 · Security & Cybersecurity · Third-Party Security
Are vendor security assessments conducted?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-137 · Security & Cybersecurity · Third-Party Security
Are vendor security requirements documented?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-138 · Security & Cybersecurity · Third-Party Security
Are vendor certifications reviewed?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-139 · Security & Cybersecurity · Third-Party Security
Are third-party risks classified?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-140 · Security & Cybersecurity · Third-Party Security
Are security clauses included in contracts?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-141 · Security & Cybersecurity · Third-Party Security
Are vendor incidents monitored?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-142 · Security & Cybersecurity · Third-Party Security
Are vendor security reviews conducted annually?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-143 · Security & Cybersecurity · Third-Party Security
Are subcontractors evaluated?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-144 · Security & Cybersecurity · Third-Party Security
Are vendor access controls reviewed?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-145 · Security & Cybersecurity · Third-Party Security
Are third-party integrations monitored?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-146 · Security & Cybersecurity · Third-Party Security
Are vendor remediation activities tracked?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-147 · Security & Cybersecurity · Third-Party Security
Are third-party security reports retained?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-148 · Security & Cybersecurity · Third-Party Security
Are vendor security metrics reported?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-149 · Security & Cybersecurity · Third-Party Security
Are vendor risks escalated appropriately?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-150 · Security & Cybersecurity · Third-Party Security
Are vendor security processes improved continuously?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 8.4
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Apply consistent third-party security assessments, contractual clauses, monitoring, and annual reviews for every AI vendor and subcontractor.
SEC-151 · Security & Cybersecurity · Mobile & Shadow AI Security
Are AI applications on mobile devices identified?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-152 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile AI risks assessed?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-153 · Security & Cybersecurity · Mobile & Shadow AI Security
Are BYOD AI risks assessed?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-154 · Security & Cybersecurity · Mobile & Shadow AI Security
Are unauthorized AI applications detected?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-155 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile device security controls implemented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-156 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile AI usage policies enforced?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-157 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile AI activities monitored?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-158 · Security & Cybersecurity · Mobile & Shadow AI Security
Are shadow AI incidents tracked?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-159 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile AI risks reported?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-160 · Security & Cybersecurity · Mobile & Shadow AI Security
Are device inventories maintained?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-161 · Security & Cybersecurity · Mobile & Shadow AI Security
Are AI browser extensions monitored?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-162 · Security & Cybersecurity · Mobile & Shadow AI Security
Are AI application permissions reviewed?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-163 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile security alerts configured?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-164 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile security audits conducted?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-165 · Security & Cybersecurity · Mobile & Shadow AI Security
Are mobile governance improvements tracked?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.8.1
ISO 42001 · 8.3
NIST AI RMF · MANAGE-3.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Detect and govern mobile, BYOD, and browser-based AI usage; track shadow AI incidents and enforce acceptable-use policies.
SEC-166 · Security & Cybersecurity · Security Training & Culture
Is AI security training mandatory?
Critical
w25
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-167 · Security & Cybersecurity · Security Training & Culture
Do executives receive AI security training?
High
w16
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-168 · Security & Cybersecurity · Security Training & Culture
Do developers receive AI security training?
Critical
w25
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-169 · Security & Cybersecurity · Security Training & Culture
Do business users receive AI security training?
High
w16
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-170 · Security & Cybersecurity · Security Training & Culture
Are training records maintained?
High
w16
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-171 · Security & Cybersecurity · Security Training & Culture
Are phishing simulations conducted?
High
w16
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-172 · Security & Cybersecurity · Security Training & Culture
Are security awareness campaigns performed?
Medium
w9
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-173 · Security & Cybersecurity · Security Training & Culture
Is training effectiveness measured?
Medium
w9
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-174 · Security & Cybersecurity · Security Training & Culture
Are security culture assessments conducted?
Medium
w9
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
SEC-175 · Security & Cybersecurity · Security Training & Culture
Are training improvements tracked?
Medium
w9
Stakeholder
Compliance · maturity_scale
Framework Mapping
ISO 27001 · A.6.3
ISO 42001 · 7.3
NIST AI RMF · GOVERN-3.1
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Mandate role-based AI security training (executives, developers, business users), track completion, and measure effectiveness.
DGP-001 · Data Governance & Protection · Data Governance Program
Has a formal data governance program been established?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-002 · Data Governance & Protection · Data Governance Program
Has executive leadership approved the data governance program?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-003 · Data Governance & Protection · Data Governance Program
Are data governance roles documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-004 · Data Governance & Protection · Data Governance Program
Are data governance responsibilities assigned?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-005 · Data Governance & Protection · Data Governance Program
Is a data governance committee established?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-006 · Data Governance & Protection · Data Governance Program
Are data governance policies maintained?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-007 · Data Governance & Protection · Data Governance Program
Are data governance standards maintained?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-008 · Data Governance & Protection · Data Governance Program
Are governance procedures documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-009 · Data Governance & Protection · Data Governance Program
Are governance reviews conducted annually?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-010 · Data Governance & Protection · Data Governance Program
Are governance metrics reported?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-011 · Data Governance & Protection · Data Governance Program
Are governance risks tracked?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-012 · Data Governance & Protection · Data Governance Program
Are governance audits performed?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-013 · Data Governance & Protection · Data Governance Program
Are governance exceptions documented?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-014 · Data Governance & Protection · Data Governance Program
Are governance improvements tracked?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-015 · Data Governance & Protection · Data Governance Program
Are governance objectives reviewed annually?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved data governance program with documented roles, policies, standards, and an annual review cadence.
DGP-016 · Data Governance & Protection · Data Inventory & Ownership
Is a data inventory maintained?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-017 · Data Governance & Protection · Data Inventory & Ownership
Are data owners assigned?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-018 · Data Governance & Protection · Data Inventory & Ownership
Are data custodians assigned?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-019 · Data Governance & Protection · Data Inventory & Ownership
Are critical data assets identified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-020 · Data Governance & Protection · Data Inventory & Ownership
Are sensitive data assets identified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-021 · Data Governance & Protection · Data Inventory & Ownership
Are personal information assets identified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-022 · Data Governance & Protection · Data Inventory & Ownership
Are AI training datasets inventoried?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-023 · Data Governance & Protection · Data Inventory & Ownership
Are AI output datasets inventoried?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-024 · Data Governance & Protection · Data Inventory & Ownership
Are data inventories reviewed annually?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-025 · Data Governance & Protection · Data Inventory & Ownership
Are ownership records kept current?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.5.9
NIST AI RMF · MAP-1.1
GDPR · Art. 30
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current data inventory with assigned owners and custodians, identifying critical, sensitive, and personal information assets used by AI.
DGP-026 · Data Governance & Protection · Data Classification
Is a data classification framework established?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-027 · Data Governance & Protection · Data Classification
Are classification levels documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-028 · Data Governance & Protection · Data Classification
Are AI datasets classified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-029 · Data Governance & Protection · Data Classification
Are personal information records classified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-030 · Data Governance & Protection · Data Classification
Are confidential records classified?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-031 · Data Governance & Protection · Data Classification
Are classification responsibilities assigned?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-032 · Data Governance & Protection · Data Classification
Are classification reviews performed?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-033 · Data Governance & Protection · Data Classification
Are classification exceptions documented?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-034 · Data Governance & Protection · Data Classification
Are classification metrics tracked?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-035 · Data Governance & Protection · Data Classification
Are classification controls enforced?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 27001 · A.5.12
GDPR · Art. 5
NIST AI RMF · MAP-2.1
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Implement a data classification framework covering AI datasets, personal information, and confidential records with assigned responsibilities and enforced controls.
DGP-036 · Data Governance & Protection · Privacy & Personal Information
Are privacy requirements documented?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-037 · Data Governance & Protection · Privacy & Personal Information
Are privacy impact assessments performed?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-038 · Data Governance & Protection · Privacy & Personal Information
Are AI systems evaluated for privacy risks?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-039 · Data Governance & Protection · Privacy & Personal Information
Are consent requirements documented?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-040 · Data Governance & Protection · Privacy & Personal Information
Are personal information inventories maintained?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-041 · Data Governance & Protection · Privacy & Personal Information
Are privacy notices maintained?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-042 · Data Governance & Protection · Privacy & Personal Information
Are privacy complaints tracked?
Medium
w9
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-043 · Data Governance & Protection · Privacy & Personal Information
Are privacy incidents tracked?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-044 · Data Governance & Protection · Privacy & Personal Information
Are privacy obligations reviewed annually?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-045 · Data Governance & Protection · Privacy & Personal Information
Are privacy risks reported to leadership?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-046 · Data Governance & Protection · Privacy & Personal Information
Are cross-border data transfers identified?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-047 · Data Governance & Protection · Privacy & Personal Information
Are privacy controls monitored?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-048 · Data Governance & Protection · Privacy & Personal Information
Are privacy audits conducted?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-049 · Data Governance & Protection · Privacy & Personal Information
Are privacy metrics reported?
Medium
w9
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-050 · Data Governance & Protection · Privacy & Personal Information
Are privacy improvements tracked?
Medium
w9
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
GDPR · Art. 5
PIPEDA · Principle 4
CPPA · s. 5
EU AI Act · Art. 10
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy requirements, perform PIAs on AI systems, maintain consent and notice records, and report privacy risks to leadership.
DGP-051 · Data Governance & Protection · Data Quality & Integrity
Are data quality standards established?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-052 · Data Governance & Protection · Data Quality & Integrity
Are AI training datasets assessed for quality?
Critical
w25
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-053 · Data Governance & Protection · Data Quality & Integrity
Are data validation procedures documented?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-054 · Data Governance & Protection · Data Quality & Integrity
Are data quality issues tracked?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-055 · Data Governance & Protection · Data Quality & Integrity
Are duplicate records monitored?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-056 · Data Governance & Protection · Data Quality & Integrity
Are data quality metrics maintained?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-057 · Data Governance & Protection · Data Quality & Integrity
Are data corrections tracked?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-058 · Data Governance & Protection · Data Quality & Integrity
Are data quality audits conducted?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-059 · Data Governance & Protection · Data Quality & Integrity
Are data quality risks assessed?
High
w16
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-060 · Data Governance & Protection · Data Quality & Integrity
Are data quality improvements monitored?
Medium
w9
Stakeholder
Data Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.2
NIST AI RMF · MEASURE-2.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish data quality standards, assess AI training datasets, document validation procedures, and track issues and corrections.
DGP-061 · Data Governance & Protection · Data Retention & Records Management
Are retention schedules documented?
Critical
w25
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-062 · Data Governance & Protection · Data Retention & Records Management
Are AI datasets assigned retention periods?
Critical
w25
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-063 · Data Governance & Protection · Data Retention & Records Management
Are personal information records assigned retention periods?
Critical
w25
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-064 · Data Governance & Protection · Data Retention & Records Management
Are disposal procedures documented?
High
w16
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-065 · Data Governance & Protection · Data Retention & Records Management
Are records destruction activities tracked?
High
w16
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-066 · Data Governance & Protection · Data Retention & Records Management
Are retention exceptions documented?
Medium
w9
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-067 · Data Governance & Protection · Data Retention & Records Management
Are records management audits conducted?
High
w16
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-068 · Data Governance & Protection · Data Retention & Records Management
Are retention controls monitored?
Medium
w9
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-069 · Data Governance & Protection · Data Retention & Records Management
Are retention metrics reported?
Medium
w9
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-070 · Data Governance & Protection · Data Retention & Records Management
Are records management improvements tracked?
Medium
w9
Stakeholder
Records Management · maturity_scale
Framework Mapping
GDPR · Art. 5(1)(e)
PIPEDA · Principle 4.5
ISO 27001 · A.5.33
SOC 2 · CC6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document retention schedules for AI datasets and personal information, define disposal procedures, and audit records management practices.
DGP-071 · Data Governance & Protection · Data Security & Encryption
Are sensitive datasets encrypted at rest?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-072 · Data Governance & Protection · Data Security & Encryption
Are sensitive datasets encrypted in transit?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-073 · Data Governance & Protection · Data Security & Encryption
Are encryption standards documented?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-074 · Data Governance & Protection · Data Security & Encryption
Are encryption keys managed securely?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-075 · Data Governance & Protection · Data Security & Encryption
Are encryption reviews performed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-076 · Data Governance & Protection · Data Security & Encryption
Are data security incidents tracked?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-077 · Data Governance & Protection · Data Security & Encryption
Are data protection controls tested?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-078 · Data Governance & Protection · Data Security & Encryption
Are encryption exceptions documented?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-079 · Data Governance & Protection · Data Security & Encryption
Are data security metrics reported?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-080 · Data Governance & Protection · Data Security & Encryption
Are data security improvements tracked?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.24
GDPR · Art. 32
SOC 2 · CC6.7
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Encrypt sensitive AI datasets at rest and in transit, manage keys securely, document standards, and track data security incidents.
DGP-081 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt security requirements documented?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-082 · Data Governance & Protection · Prompt Security & AI Data Handling
Are employees trained on prompt security?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-083 · Data Governance & Protection · Prompt Security & AI Data Handling
Are sensitive prompts prohibited?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-084 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt handling procedures documented?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-085 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt risks assessed?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-086 · Data Governance & Protection · Prompt Security & AI Data Handling
Are AI-generated outputs reviewed?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-087 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt-related incidents tracked?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-088 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt security controls monitored?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-089 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt security audits conducted?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-090 · Data Governance & Protection · Prompt Security & AI Data Handling
Are prompt security improvements tracked?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · MEASURE-2.7
EU AI Act · Art. 15
ISO 27001 · A.8.25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document prompt security requirements, train employees, prohibit sensitive prompts, and assess, monitor, and audit prompt-related risks.
DGP-091 · Data Governance & Protection · Intellectual Property Protection
Are intellectual property protection requirements documented?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-092 · Data Governance & Protection · Intellectual Property Protection
Are AI-generated outputs reviewed for IP risks?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-093 · Data Governance & Protection · Intellectual Property Protection
Are proprietary datasets identified?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-094 · Data Governance & Protection · Intellectual Property Protection
Are trade secrets protected?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-095 · Data Governance & Protection · Intellectual Property Protection
Are IP ownership requirements documented?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-096 · Data Governance & Protection · Intellectual Property Protection
Are AI licensing obligations tracked?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-097 · Data Governance & Protection · Intellectual Property Protection
Are copyright risks assessed?
Medium
w9
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-098 · Data Governance & Protection · Intellectual Property Protection
Are IP incidents tracked?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-099 · Data Governance & Protection · Intellectual Property Protection
Are IP audits conducted?
Medium
w9
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
DGP-100 · Data Governance & Protection · Intellectual Property Protection
Are IP protection improvements tracked?
Medium
w9
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.2
NIST AI RMF · GOVERN-5.1
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document IP protection requirements, review AI outputs for IP risks, identify proprietary datasets, protect trade secrets, and track licensing obligations and incidents.
CMP-001 · Compliance & Regulatory Readiness · Compliance Governance
Has a formal AI compliance program been established?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-002 · Compliance & Regulatory Readiness · Compliance Governance
Has executive leadership approved the compliance program?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-003 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance roles assigned?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-004 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance responsibilities documented?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-005 · Compliance & Regulatory Readiness · Compliance Governance
Is a compliance committee established?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-006 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance policies maintained?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-007 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance procedures documented?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-008 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance reviews conducted annually?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-009 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance metrics reported?
Medium
w9
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-010 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance risks tracked?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-011 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance audits conducted?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-012 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance findings tracked?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-013 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance exceptions documented?
Medium
w9
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-014 · Compliance & Regulatory Readiness · Compliance Governance
Are compliance improvements tracked?
Medium
w9
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-015 · Compliance & Regulatory Readiness · Compliance Governance
Is compliance performance reviewed by leadership?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
ISO 42001 · 6.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved AI compliance program with documented roles, policies, procedures, annual reviews, and leadership oversight.
CMP-016 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Has the organization identified applicable AI regulations?
Critical
w25
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-017 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Has the organization identified applicable privacy regulations?
Critical
w25
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-018 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Has the organization identified applicable cybersecurity obligations?
Critical
w25
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-019 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Is a regulatory obligations register maintained?
Critical
w25
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-020 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are regulatory owners assigned?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-021 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are regulatory changes monitored?
Critical
w25
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-022 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are regulatory updates communicated internally?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-023 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are obligations mapped to controls?
Critical
w25
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-024 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are obligations reviewed annually?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-025 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are new obligations assessed for impact?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-026 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are regulatory compliance gaps documented?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-027 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are remediation plans established?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-028 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are compliance deadlines tracked?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-029 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are obligations linked to business processes?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-030 · Compliance & Regulatory Readiness · Regulatory Obligation Management
Are obligations reported to leadership?
High
w16
Stakeholder
Regulatory Affairs · maturity_scale
Framework Mapping
AIDA · All obligations
GDPR · Art. 5
EU AI Act · Art. 9
ISO 42001 · 4.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Maintain a current regulatory obligations register with assigned owners, map obligations to controls, monitor changes, and report to leadership.
CMP-031 · Compliance & Regulatory Readiness · AIDA Readiness
Has AIDA applicability been assessed?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-032 · Compliance & Regulatory Readiness · AIDA Readiness
Have high-impact AI systems been identified?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-033 · Compliance & Regulatory Readiness · AIDA Readiness
Are high-impact systems documented?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-034 · Compliance & Regulatory Readiness · AIDA Readiness
Are risk assessments conducted for high-impact systems?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-035 · Compliance & Regulatory Readiness · AIDA Readiness
Are mitigation measures documented?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-036 · Compliance & Regulatory Readiness · AIDA Readiness
Are monitoring requirements documented?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-037 · Compliance & Regulatory Readiness · AIDA Readiness
Are accountability requirements assigned?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-038 · Compliance & Regulatory Readiness · AIDA Readiness
Are transparency requirements addressed?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-039 · Compliance & Regulatory Readiness · AIDA Readiness
Are incident reporting procedures established?
Critical
w25
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-040 · Compliance & Regulatory Readiness · AIDA Readiness
Are records maintained for regulated AI systems?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-041 · Compliance & Regulatory Readiness · AIDA Readiness
Are compliance reviews conducted?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-042 · Compliance & Regulatory Readiness · AIDA Readiness
Are corrective actions tracked?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-043 · Compliance & Regulatory Readiness · AIDA Readiness
Are AIDA risks reported?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-044 · Compliance & Regulatory Readiness · AIDA Readiness
Are AIDA metrics monitored?
Medium
w9
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-045 · Compliance & Regulatory Readiness · AIDA Readiness
Is executive oversight established?
High
w16
Stakeholder
Chief Compliance Officer · maturity_scale
Framework Mapping
AIDA · All obligations
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess AIDA applicability, identify and document high-impact AI systems, conduct risk assessments, and establish accountability and incident reporting.
CMP-046 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Has privacy law applicability been assessed?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-047 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are lawful processing requirements documented?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-048 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are consent requirements documented?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-049 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are data subject rights processes established?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-050 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are access requests managed?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-051 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are correction requests managed?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-052 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are deletion requests managed?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-053 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy impact assessments conducted?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-054 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy breach procedures established?
Critical
w25
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-055 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are breach notifications documented?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-056 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are cross-border transfers assessed?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-057 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy notices maintained?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-058 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are retention requirements documented?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-059 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy audits conducted?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-060 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy risks tracked?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-061 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy metrics reported?
Medium
w9
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-062 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy findings remediated?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-063 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy controls tested?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-064 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Are privacy obligations reviewed annually?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-065 · Compliance & Regulatory Readiness · Privacy Regulatory Readiness
Is privacy compliance reported to leadership?
High
w16
Stakeholder
Chief Privacy Officer · maturity_scale
Framework Mapping
PIPEDA · Principle 4
CPPA · s. 5
GDPR · Art. 5
ISO 42001 · 6.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document privacy law requirements, establish data subject rights processes, conduct PIAs, define breach procedures, and report privacy compliance to leadership.
CMP-066 · Compliance & Regulatory Readiness · EU AI Act Readiness
Has EU AI Act applicability been assessed?
Critical
w25
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-067 · Compliance & Regulatory Readiness · EU AI Act Readiness
Have prohibited AI practices been evaluated?
Critical
w25
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-068 · Compliance & Regulatory Readiness · EU AI Act Readiness
Have high-risk AI systems been identified?
Critical
w25
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-069 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are risk management procedures documented?
Critical
w25
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-070 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are transparency requirements addressed?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-071 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are human oversight controls documented?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-072 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are bias monitoring procedures established?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-073 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are recordkeeping obligations documented?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-074 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are conformity assessment requirements evaluated?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-075 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are vendor obligations assessed?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-076 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are post-market monitoring procedures established?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-077 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are incident reporting obligations documented?
Critical
w25
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-078 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are EU AI Act audits conducted?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-079 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are compliance gaps documented?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-080 · Compliance & Regulatory Readiness · EU AI Act Readiness
Are remediation activities tracked?
High
w16
Stakeholder
General Counsel · maturity_scale
Framework Mapping
EU AI Act · Art. 9–15
ISO 42001 · 6.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess EU AI Act applicability, identify prohibited and high-risk AI systems, document risk management and human oversight controls, and track remediation.
CMP-081 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Has ISO 42001 applicability been assessed?
Critical
w25
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-082 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Has ISO 27001 applicability been assessed?
Critical
w25
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-083 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are governance requirements implemented?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-084 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are risk management requirements implemented?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-085 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are control objectives documented?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-086 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are internal audits conducted?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-087 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are management reviews conducted?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-088 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are corrective actions tracked?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-089 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are control owners assigned?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-090 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are compliance metrics monitored?
Medium
w9
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-091 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are documented procedures maintained?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-092 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are evidence repositories maintained?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-093 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are certification objectives established?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-094 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are certification gaps documented?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-095 · Compliance & Regulatory Readiness · ISO 42001 & ISO 27001 Readiness
Are readiness reviews performed?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 42001 · All clauses
ISO 27001 · All clauses
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess ISO 42001 and ISO 27001 applicability, implement governance and risk management requirements, conduct internal audits and management reviews, and track certification gaps.
CMP-096 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Has NIST AI RMF applicability been assessed?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-097 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Has SOC 2 applicability been assessed?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-098 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are governance functions implemented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-099 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are mapping functions implemented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-100 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are measurement functions implemented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-101 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are management functions implemented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-102 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are SOC 2 controls documented?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-103 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are assurance requirements addressed?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-104 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are audit requirements addressed?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-105 · Compliance & Regulatory Readiness · NIST AI RMF & SOC 2 Readiness
Are readiness reviews performed?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
NIST AI RMF · All functions
SOC 2 · All Trust Services Criteria
ISO 42001 · 6.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Assess NIST AI RMF and SOC 2 applicability, implement governance, mapping, measurement, and management functions, and document controls and assurance requirements.
CMP-106 · Compliance & Regulatory Readiness · Audits & Assurance
Is a compliance audit program established?
Critical
w25
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-107 · Compliance & Regulatory Readiness · Audits & Assurance
Are compliance audits conducted annually?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-108 · Compliance & Regulatory Readiness · Audits & Assurance
Are audit findings documented?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-109 · Compliance & Regulatory Readiness · Audits & Assurance
Are audit owners assigned?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-110 · Compliance & Regulatory Readiness · Audits & Assurance
Are remediation plans tracked?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-111 · Compliance & Regulatory Readiness · Audits & Assurance
Are audit metrics reported?
Medium
w9
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-112 · Compliance & Regulatory Readiness · Audits & Assurance
Are external assessments conducted?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-113 · Compliance & Regulatory Readiness · Audits & Assurance
Are assurance reports maintained?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-114 · Compliance & Regulatory Readiness · Audits & Assurance
Are recurring findings monitored?
High
w16
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-115 · Compliance & Regulatory Readiness · Audits & Assurance
Are audit trends analyzed?
Medium
w9
Stakeholder
Internal Audit · maturity_scale
Framework Mapping
ISO 27001 · A.5.35
SOC 2 · CC4.1
ISO 42001 · 9.2
NIST AI RMF · MEASURE-2.8
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a compliance audit program with annual audits, documented findings, assigned owners, tracked remediation plans, and external assessments.
CMP-116 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Is compliance maturity assessed annually?
High
w16
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-117 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are improvement initiatives documented?
Medium
w9
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-118 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are compliance objectives updated?
High
w16
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-119 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are lessons learned documented?
Medium
w9
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-120 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are industry best practices reviewed?
Medium
w9
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-121 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are regulatory developments monitored?
High
w16
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-122 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are benchmarking exercises conducted?
Medium
w9
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-123 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are compliance KPIs reviewed?
Medium
w9
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-124 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Are compliance investments evaluated?
Medium
w9
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
CMP-125 · Compliance & Regulatory Readiness · Continuous Compliance Improvement
Does leadership sponsor continuous improvement?
High
w16
Stakeholder
Executive Sponsor · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess compliance maturity annually, document improvement initiatives, monitor regulatory developments, review KPIs, and ensure leadership sponsors continuous improvement.
VTR-001 · Vendor & Third-Party Risk · Vendor Governance
Has a formal third-party risk management program been established?
Critical
w25
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-002 · Vendor & Third-Party Risk · Vendor Governance
Has executive leadership approved the program?
Critical
w25
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-003 · Vendor & Third-Party Risk · Vendor Governance
Are vendor risk management roles documented?
High
w16
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-004 · Vendor & Third-Party Risk · Vendor Governance
Are vendor owners assigned?
High
w16
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-005 · Vendor & Third-Party Risk · Vendor Governance
Are vendor governance procedures documented?
High
w16
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-006 · Vendor & Third-Party Risk · Vendor Governance
Are vendor governance reviews conducted annually?
High
w16
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-007 · Vendor & Third-Party Risk · Vendor Governance
Are vendor risk metrics reported?
Medium
w9
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-008 · Vendor & Third-Party Risk · Vendor Governance
Are vendor risks tracked?
High
w16
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-009 · Vendor & Third-Party Risk · Vendor Governance
Are vendor governance audits conducted?
High
w16
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-010 · Vendor & Third-Party Risk · Vendor Governance
Are governance improvements tracked?
Medium
w9
Stakeholder
Procurement Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.4
SOC 2 · CC9.2
NIST AI RMF · GOVERN-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved third-party risk management program with documented roles, assigned owners, annual reviews, and tracked metrics.
VTR-011 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Is a centralized vendor inventory maintained?
Critical
w25
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-012 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are all AI vendors identified?
Critical
w25
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-013 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are vendors categorized by service type?
High
w16
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-014 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are vendors classified by risk level?
Critical
w25
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-015 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are critical vendors identified?
Critical
w25
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-016 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are vendors linked to business owners?
High
w16
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-017 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are vendors linked to contracts?
High
w16
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-018 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are vendor inventories reviewed annually?
High
w16
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-019 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Are terminated vendors removed from inventory?
Medium
w9
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-020 · Vendor & Third-Party Risk · Vendor Inventory & Classification
Is inventory accuracy validated?
Medium
w9
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.19
ISO 42001 · 7.5
SOC 2 · CC9.2
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a centralized, risk-classified vendor inventory linked to business owners and contracts, and validate accuracy annually.
VTR-021 · Vendor & Third-Party Risk · Vendor Due Diligence
Are due diligence assessments performed before onboarding vendors?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-022 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor security capabilities evaluated?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-023 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor privacy practices evaluated?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-024 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor compliance programs evaluated?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-025 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor financial risks assessed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-026 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor operational risks assessed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-027 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor reputational risks assessed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-028 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor subcontractors evaluated?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-029 · Vendor & Third-Party Risk · Vendor Due Diligence
Are AI governance capabilities evaluated?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-030 · Vendor & Third-Party Risk · Vendor Due Diligence
Are vendor certifications reviewed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-031 · Vendor & Third-Party Risk · Vendor Due Diligence
Are penetration testing reports reviewed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-032 · Vendor & Third-Party Risk · Vendor Due Diligence
Are audit reports reviewed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-033 · Vendor & Third-Party Risk · Vendor Due Diligence
Are due diligence findings documented?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-034 · Vendor & Third-Party Risk · Vendor Due Diligence
Are onboarding approvals documented?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-035 · Vendor & Third-Party Risk · Vendor Due Diligence
Are due diligence reviews updated periodically?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.20
ISO 42001 · 7.4
SOC 2 · CC9.2
GDPR · Art. 28
EU AI Act · Art. 25
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform comprehensive due diligence before vendor onboarding covering security, privacy, compliance, financial, operational, and AI governance capabilities.
VTR-036 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include security requirements?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-037 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include privacy requirements?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-038 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include regulatory compliance obligations?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-039 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include incident reporting requirements?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-040 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include audit rights?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-041 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include data ownership provisions?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-042 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include confidentiality provisions?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-043 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include subcontractor requirements?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-044 · Vendor & Third-Party Risk · Contractual Controls
Do contracts include termination provisions?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-045 · Vendor & Third-Party Risk · Contractual Controls
Are contracts reviewed by legal counsel?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 27001 · A.5.21
ISO 42001 · 7.4
GDPR · Art. 28
EU AI Act · Art. 25
SOC 2 · CC9.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Ensure vendor contracts include security, privacy, compliance, incident reporting, audit rights, data ownership, and termination provisions reviewed by legal counsel.
VTR-046 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor security assessments conducted annually?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-047 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor privacy assessments conducted?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-048 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor certifications monitored?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-049 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor incidents reviewed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-050 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor vulnerabilities tracked?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-051 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor remediation plans monitored?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-052 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor access controls reviewed?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-053 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor data protection controls evaluated?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-054 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are vendor security reports retained?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-055 · Vendor & Third-Party Risk · Security & Privacy Assurance
Are assurance findings reported?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
ISO 42001 · 8.4
SOC 2 · CC7.2
GDPR · Art. 32
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Conduct annual vendor security and privacy assessments, monitor certifications, track vulnerabilities and remediation, and evaluate data protection controls.
VTR-056 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendors assessed for governance maturity?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-057 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendors assessed for transparency practices?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-058 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendors assessed for explainability capabilities?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-059 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendors assessed for bias management controls?
Critical
w25
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-060 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendors assessed for human oversight controls?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-061 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendor monitoring procedures documented?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-062 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendor risks reassessed periodically?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-063 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendor compliance obligations tracked?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-064 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendor governance reports reviewed?
Medium
w9
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-065 · Vendor & Third-Party Risk · Third-Party AI Governance
Are AI vendor findings reported to leadership?
High
w16
Stakeholder
AI Governance Lead · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
EU AI Act · Art. 25
AIDA · High-impact systems
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Assess AI vendors for governance maturity, transparency, explainability, bias management, and human oversight; document monitoring procedures and report findings to leadership.
VTR-066 · Vendor & Third-Party Risk · Continuous Monitoring
Are vendor risks monitored continuously?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
SOC 2 · CC7.2
NIST AI RMF · MEASURE-2.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous vendor risk monitoring with quarterly critical vendor reviews, performance tracking, incident escalation, and regular reporting.
VTR-067 · Vendor & Third-Party Risk · Continuous Monitoring
Are critical vendor reviews performed quarterly?
Critical
w25
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
SOC 2 · CC7.2
NIST AI RMF · MEASURE-2.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous vendor risk monitoring with quarterly critical vendor reviews, performance tracking, incident escalation, and regular reporting.
VTR-068 · Vendor & Third-Party Risk · Continuous Monitoring
Are vendor performance metrics tracked?
Medium
w9
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
SOC 2 · CC7.2
NIST AI RMF · MEASURE-2.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous vendor risk monitoring with quarterly critical vendor reviews, performance tracking, incident escalation, and regular reporting.
VTR-069 · Vendor & Third-Party Risk · Continuous Monitoring
Are vendor incidents escalated appropriately?
High
w16
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
SOC 2 · CC7.2
NIST AI RMF · MEASURE-2.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous vendor risk monitoring with quarterly critical vendor reviews, performance tracking, incident escalation, and regular reporting.
VTR-070 · Vendor & Third-Party Risk · Continuous Monitoring
Are monitoring results reported?
Medium
w9
Stakeholder
Risk Manager · maturity_scale
Framework Mapping
ISO 27001 · A.5.22
SOC 2 · CC7.2
NIST AI RMF · MEASURE-2.6
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous vendor risk monitoring with quarterly critical vendor reviews, performance tracking, incident escalation, and regular reporting.
VTR-071 · Vendor & Third-Party Risk · Vendor Incident Management
Are vendor-related incidents tracked?
Critical
w25
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
SOC 2 · CC7.3
GDPR · Art. 33
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Track vendor-related incidents, establish breach notification procedures, document response responsibilities, and analyze incident trends for continuous improvement.
VTR-072 · Vendor & Third-Party Risk · Vendor Incident Management
Are vendor breach notification procedures established?
Critical
w25
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
SOC 2 · CC7.3
GDPR · Art. 33
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Track vendor-related incidents, establish breach notification procedures, document response responsibilities, and analyze incident trends for continuous improvement.
VTR-073 · Vendor & Third-Party Risk · Vendor Incident Management
Are vendor incident response responsibilities documented?
High
w16
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
SOC 2 · CC7.3
GDPR · Art. 33
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Track vendor-related incidents, establish breach notification procedures, document response responsibilities, and analyze incident trends for continuous improvement.
VTR-074 · Vendor & Third-Party Risk · Vendor Incident Management
Are lessons learned documented?
Medium
w9
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
SOC 2 · CC7.3
GDPR · Art. 33
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Track vendor-related incidents, establish breach notification procedures, document response responsibilities, and analyze incident trends for continuous improvement.
VTR-075 · Vendor & Third-Party Risk · Vendor Incident Management
Are vendor incident trends analyzed?
Medium
w9
Stakeholder
Vendor Management Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
SOC 2 · CC7.3
GDPR · Art. 33
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Track vendor-related incidents, establish breach notification procedures, document response responsibilities, and analyze incident trends for continuous improvement.
MOB-001 · Mobile & Shadow AI Governance · Mobile AI Governance
Has a mobile AI governance program been established?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-002 · Mobile & Shadow AI Governance · Mobile AI Governance
Are mobile AI governance policies documented?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-003 · Mobile & Shadow AI Governance · Mobile AI Governance
Have mobile AI usage requirements been approved by leadership?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-004 · Mobile & Shadow AI Governance · Mobile AI Governance
Are mobile AI governance responsibilities assigned?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-005 · Mobile & Shadow AI Governance · Mobile AI Governance
Are mobile AI governance reviews conducted?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-006 · Mobile & Shadow AI Governance · Mobile AI Governance
Are mobile AI governance metrics reported?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-007 · Mobile & Shadow AI Governance · Mobile AI Governance
Are mobile AI governance risks tracked?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-008 · Mobile & Shadow AI Governance · Mobile AI Governance
Are governance exceptions documented?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-009 · Mobile & Shadow AI Governance · Mobile AI Governance
Are mobile governance audits conducted?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-010 · Mobile & Shadow AI Governance · Mobile AI Governance
Are governance improvements tracked?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.5.1
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a mobile AI governance program with documented policies, leadership approval, assigned responsibilities, and regular audits.
MOB-011 · Mobile & Shadow AI Governance · Mobile Device Inventory
Is a mobile device inventory maintained?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-012 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are corporate mobile devices identified?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-013 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are BYOD devices identified?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-014 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are device owners assigned?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-015 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are mobile operating systems tracked?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-016 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are device security baselines documented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-017 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are device inventories reviewed regularly?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-018 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are inactive devices removed from inventory?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-019 · Mobile & Shadow AI Governance · Mobile Device Inventory
Are inventory metrics reported?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-020 · Mobile & Shadow AI Governance · Mobile Device Inventory
Is inventory accuracy validated?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.5.9
SOC 2 · CC6.1
NIST AI RMF · MAP-1.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Maintain a current mobile device inventory including corporate and BYOD devices, assign owners, document security baselines, and validate accuracy.
MOB-021 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI applications on mobile devices identified?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-022 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI-powered applications inventoried?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-023 · Mobile & Shadow AI Governance · AI Application Discovery
Are generative AI applications identified?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-024 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI browser applications identified?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-025 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI application owners assigned?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-026 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI application risks assessed?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-027 · Mobile & Shadow AI Governance · AI Application Discovery
Are application inventories reviewed regularly?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-028 · Mobile & Shadow AI Governance · AI Application Discovery
Are unauthorized applications identified?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-029 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI application metrics tracked?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-030 · Mobile & Shadow AI Governance · AI Application Discovery
Are AI application risks reported?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.9
SOC 2 · CC6.7
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Identify and inventory all AI applications on mobile devices including generative AI and browser apps, assess risks, and identify unauthorized applications.
MOB-031 · Mobile & Shadow AI Governance · Shadow AI Discovery
Has the organization established a Shadow AI identification process?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-032 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are unauthorized AI applications monitored?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-033 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are AI browser extensions identified?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-034 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are employee AI usage patterns monitored?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-035 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are unauthorized AI integrations identified?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-036 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are Shadow AI risks documented?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-037 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are Shadow AI incidents tracked?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-038 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are high-risk AI activities escalated?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-039 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are Shadow AI metrics reported?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-040 · Mobile & Shadow AI Governance · Shadow AI Discovery
Are Shadow AI reviews conducted periodically?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 42001 · 8.3
NIST AI RMF · GOVERN-3.1
ISO 27001 · A.8.1
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish a Shadow AI identification process to monitor unauthorized applications, browser extensions, and employee usage patterns; document risks and track incidents.
MOB-041 · Mobile & Shadow AI Governance · BYOD Governance
Is a BYOD governance program established?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-042 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD AI policies documented?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-043 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD users required to acknowledge policies?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-044 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD devices subject to security requirements?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-045 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD AI risks assessed?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-046 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD compliance reviews conducted?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-047 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD incidents tracked?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-048 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD metrics reported?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-049 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD audits conducted?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-050 · Mobile & Shadow AI Governance · BYOD Governance
Are BYOD improvements tracked?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 27001 · A.6.7
SOC 2 · CC6.6
GDPR · Art. 32
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Establish BYOD governance with documented AI policies, user acknowledgements, security requirements, and regular compliance reviews and audits.
MOB-051 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are employees prohibited from entering sensitive data into unauthorized AI tools?
Critical
w25
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-052 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are data leakage risks assessed?
Critical
w25
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-053 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are prompt security controls enforced?
Critical
w25
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-054 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are AI-related data handling requirements documented?
High
w16
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-055 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are information protection controls monitored?
High
w16
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-056 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are AI-related data leakage incidents tracked?
High
w16
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-057 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are sensitive information classifications enforced?
High
w16
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-058 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are information protection metrics reported?
Medium
w9
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-059 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are data leakage audits conducted?
High
w16
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-060 · Mobile & Shadow AI Governance · Data Leakage & Information Protection
Are information protection improvements tracked?
Medium
w9
Stakeholder
Privacy Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.12
GDPR · Art. 32
PIPEDA · Principle 4
SOC 2 · CC6.7
EU AI Act · Art. 15
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Prohibit sensitive data entry into unauthorized AI tools, enforce prompt security controls, monitor data leakage, and conduct regular audits.
MOB-061 · Mobile & Shadow AI Governance · Monitoring & Detection
Are AI activities monitored on managed devices?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-062 · Mobile & Shadow AI Governance · Monitoring & Detection
Are AI application downloads monitored?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-063 · Mobile & Shadow AI Governance · Monitoring & Detection
Are AI browser activities monitored?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-064 · Mobile & Shadow AI Governance · Monitoring & Detection
Are AI-related alerts configured?
Critical
w25
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-065 · Mobile & Shadow AI Governance · Monitoring & Detection
Are suspicious AI activities investigated?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-066 · Mobile & Shadow AI Governance · Monitoring & Detection
Are monitoring procedures documented?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-067 · Mobile & Shadow AI Governance · Monitoring & Detection
Are monitoring responsibilities assigned?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-068 · Mobile & Shadow AI Governance · Monitoring & Detection
Are monitoring dashboards maintained?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-069 · Mobile & Shadow AI Governance · Monitoring & Detection
Are monitoring metrics reported?
Medium
w9
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-070 · Mobile & Shadow AI Governance · Monitoring & Detection
Are monitoring capabilities tested periodically?
High
w16
Stakeholder
Chief Information Security Officer · maturity_scale
Framework Mapping
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Monitor AI activities on managed devices, configure AI-specific alerts, investigate suspicious activities, and periodically test monitoring capabilities.
MOB-071 · Mobile & Shadow AI Governance · Training & User Awareness
Are employees trained on approved AI usage?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.6.3
SOC 2 · CC1.4
NIST AI RMF · GOVERN-1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Train employees on approved AI usage, Shadow AI risks, and data protection requirements; conduct awareness campaigns and measure training effectiveness.
MOB-072 · Mobile & Shadow AI Governance · Training & User Awareness
Are employees trained on Shadow AI risks?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.6.3
SOC 2 · CC1.4
NIST AI RMF · GOVERN-1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Train employees on approved AI usage, Shadow AI risks, and data protection requirements; conduct awareness campaigns and measure training effectiveness.
MOB-073 · Mobile & Shadow AI Governance · Training & User Awareness
Are employees trained on data protection requirements?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.6.3
SOC 2 · CC1.4
NIST AI RMF · GOVERN-1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Train employees on approved AI usage, Shadow AI risks, and data protection requirements; conduct awareness campaigns and measure training effectiveness.
MOB-074 · Mobile & Shadow AI Governance · Training & User Awareness
Are AI awareness campaigns conducted?
Medium
w9
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.6.3
SOC 2 · CC1.4
NIST AI RMF · GOVERN-1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Train employees on approved AI usage, Shadow AI risks, and data protection requirements; conduct awareness campaigns and measure training effectiveness.
MOB-075 · Mobile & Shadow AI Governance · Training & User Awareness
Is training effectiveness measured?
Medium
w9
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
ISO 27001 · A.6.3
SOC 2 · CC1.4
NIST AI RMF · GOVERN-1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Train employees on approved AI usage, Shadow AI risks, and data protection requirements; conduct awareness campaigns and measure training effectiveness.
MON-001 · Monitoring & Operations · Monitoring Governance
Has a formal AI monitoring program been established?
Critical
w25
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-002 · Monitoring & Operations · Monitoring Governance
Have monitoring responsibilities been assigned?
Critical
w25
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-003 · Monitoring & Operations · Monitoring Governance
Are monitoring policies documented?
Critical
w25
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-004 · Monitoring & Operations · Monitoring Governance
Are monitoring procedures documented?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-005 · Monitoring & Operations · Monitoring Governance
Are monitoring objectives defined?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-006 · Monitoring & Operations · Monitoring Governance
Are monitoring reviews conducted annually?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-007 · Monitoring & Operations · Monitoring Governance
Are monitoring metrics reported?
Medium
w9
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-008 · Monitoring & Operations · Monitoring Governance
Are monitoring risks tracked?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-009 · Monitoring & Operations · Monitoring Governance
Are monitoring audits performed?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-010 · Monitoring & Operations · Monitoring Governance
Are monitoring improvements tracked?
Medium
w9
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-1.1
SOC 2 · CC1.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formal AI monitoring program with documented policies, procedures, objectives, assigned responsibilities, and annual reviews.
MON-011 · Monitoring & Operations · Continuous Monitoring
Are AI systems monitored continuously?
Critical
w25
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-012 · Monitoring & Operations · Continuous Monitoring
Are monitoring requirements documented?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-013 · Monitoring & Operations · Continuous Monitoring
Are monitoring thresholds defined?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-014 · Monitoring & Operations · Continuous Monitoring
Are monitoring responsibilities assigned?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-015 · Monitoring & Operations · Continuous Monitoring
Are monitoring dashboards maintained?
Medium
w9
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-016 · Monitoring & Operations · Continuous Monitoring
Are monitoring exceptions documented?
Medium
w9
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-017 · Monitoring & Operations · Continuous Monitoring
Are monitoring gaps tracked?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-018 · Monitoring & Operations · Continuous Monitoring
Are monitoring metrics reviewed regularly?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-019 · Monitoring & Operations · Continuous Monitoring
Are monitoring activities audited?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-020 · Monitoring & Operations · Continuous Monitoring
Are monitoring capabilities tested periodically?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.8.16
NIST AI RMF · MEASURE-2.6
SOC 2 · CC7.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Implement continuous monitoring for AI systems with documented requirements, defined thresholds, maintained dashboards, and periodic capability testing.
MON-021 · Monitoring & Operations · Alert Management
Are AI-related alerts configured?
Critical
w25
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-022 · Monitoring & Operations · Alert Management
Are alert thresholds documented?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-023 · Monitoring & Operations · Alert Management
Are alert owners assigned?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-024 · Monitoring & Operations · Alert Management
Are critical alerts escalated automatically?
Critical
w25
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-025 · Monitoring & Operations · Alert Management
Are alert response procedures documented?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-026 · Monitoring & Operations · Alert Management
Are alerts reviewed regularly?
High
w16
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-027 · Monitoring & Operations · Alert Management
Are false positives tracked?
Medium
w9
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-028 · Monitoring & Operations · Alert Management
Are alert metrics reported?
Medium
w9
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-029 · Monitoring & Operations · Alert Management
Are alert trends analyzed?
Medium
w9
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-030 · Monitoring & Operations · Alert Management
Are alert management improvements tracked?
Medium
w9
Stakeholder
Security Operations Center (SOC) · maturity_scale
Framework Mapping
ISO 27001 · A.5.24
ISO 42001 · 9.2
NIST AI RMF · MANAGE-4.1
SOC 2 · CC7.3
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Configure AI-related alerts with documented thresholds, assign owners, enable automatic escalation for critical alerts, and track false positives and trends.
MON-031 · Monitoring & Operations · Risk & Compliance Monitoring
Are AI risks monitored continuously?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-032 · Monitoring & Operations · Risk & Compliance Monitoring
Are risk indicators defined?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-033 · Monitoring & Operations · Risk & Compliance Monitoring
Are compliance controls monitored?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-034 · Monitoring & Operations · Risk & Compliance Monitoring
Are regulatory obligations monitored?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-035 · Monitoring & Operations · Risk & Compliance Monitoring
Are control failures identified?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-036 · Monitoring & Operations · Risk & Compliance Monitoring
Are risk trends analyzed?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-037 · Monitoring & Operations · Risk & Compliance Monitoring
Are compliance metrics reported?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-038 · Monitoring & Operations · Risk & Compliance Monitoring
Are compliance exceptions tracked?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-039 · Monitoring & Operations · Risk & Compliance Monitoring
Are risk exposures escalated appropriately?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-040 · Monitoring & Operations · Risk & Compliance Monitoring
Are risk monitoring reviews conducted regularly?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.8
SOC 2 · CC4.1
GDPR · Art. 5
EU AI Act · Art. 61
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Continuously monitor AI risks and compliance controls, define risk indicators, identify control failures, and conduct regular risk monitoring reviews.
MON-041 · Monitoring & Operations · Performance & KPI Management
Are AI performance KPIs defined?
Critical
w25
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-042 · Monitoring & Operations · Performance & KPI Management
Are governance KPIs monitored?
High
w16
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-043 · Monitoring & Operations · Performance & KPI Management
Are security KPIs monitored?
High
w16
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-044 · Monitoring & Operations · Performance & KPI Management
Are compliance KPIs monitored?
High
w16
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-045 · Monitoring & Operations · Performance & KPI Management
Are KPI targets established?
High
w16
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-046 · Monitoring & Operations · Performance & KPI Management
Are KPI owners assigned?
High
w16
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-047 · Monitoring & Operations · Performance & KPI Management
Are KPI reports generated regularly?
Medium
w9
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-048 · Monitoring & Operations · Performance & KPI Management
Are KPI trends analyzed?
Medium
w9
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-049 · Monitoring & Operations · Performance & KPI Management
Are KPI deviations investigated?
High
w16
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-050 · Monitoring & Operations · Performance & KPI Management
Are KPI improvements tracked?
Medium
w9
Stakeholder
AI Operations (AIOps) · maturity_scale
Framework Mapping
ISO 42001 · 9.1
ISO 27001 · A.5.35
NIST AI RMF · MEASURE-2.1
SOC 2 · CC4.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Define and monitor AI performance, governance, security, and compliance KPIs with assigned owners, established targets, and regular trend analysis.
MON-051 · Monitoring & Operations · Service Management & Operations
Are AI operational procedures documented?
Critical
w25
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-052 · Monitoring & Operations · Service Management & Operations
Are service owners assigned?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-053 · Monitoring & Operations · Service Management & Operations
Are service dependencies documented?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-054 · Monitoring & Operations · Service Management & Operations
Are operational reviews conducted?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-055 · Monitoring & Operations · Service Management & Operations
Are operational incidents tracked?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-056 · Monitoring & Operations · Service Management & Operations
Are service level objectives defined?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-057 · Monitoring & Operations · Service Management & Operations
Are service level metrics monitored?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-058 · Monitoring & Operations · Service Management & Operations
Are operational risks tracked?
High
w16
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-059 · Monitoring & Operations · Service Management & Operations
Are operational improvements documented?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-060 · Monitoring & Operations · Service Management & Operations
Are operational performance reports generated?
Medium
w9
Stakeholder
IT Operations · maturity_scale
Framework Mapping
ISO 42001 · 8.3
ISO 27001 · A.8.15
SOC 2 · CC7.1
NIST AI RMF · MANAGE-2.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Document AI operational procedures, assign service owners, document dependencies, define service level objectives, and track incidents and operational risks.
MON-061 · Monitoring & Operations · Business Continuity & Resilience
Are AI systems included in business continuity planning?
Critical
w25
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-062 · Monitoring & Operations · Business Continuity & Resilience
Are recovery objectives documented?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-063 · Monitoring & Operations · Business Continuity & Resilience
Are recovery procedures documented?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-064 · Monitoring & Operations · Business Continuity & Resilience
Are continuity exercises conducted?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-065 · Monitoring & Operations · Business Continuity & Resilience
Are resilience risks assessed?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-066 · Monitoring & Operations · Business Continuity & Resilience
Are continuity metrics tracked?
Medium
w9
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-067 · Monitoring & Operations · Business Continuity & Resilience
Are continuity findings documented?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-068 · Monitoring & Operations · Business Continuity & Resilience
Are continuity plans reviewed annually?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-069 · Monitoring & Operations · Business Continuity & Resilience
Are resilience improvements tracked?
Medium
w9
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-070 · Monitoring & Operations · Business Continuity & Resilience
Are continuity reports provided to leadership?
High
w16
Stakeholder
Business Continuity Team · maturity_scale
Framework Mapping
ISO 27001 · A.5.29
ISO 42001 · 8.6
SOC 2 · CC9.1
NIST AI RMF · MANAGE-4.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Include AI systems in business continuity planning, document recovery objectives and procedures, conduct exercises, assess resilience risks, and report to leadership.
MON-071 · Monitoring & Operations · Continuous Improvement & Reporting
Are monitoring maturity assessments performed?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform monitoring maturity assessments, document lessons learned, track improvement initiatives, and deliver monitoring reports to executives with leadership sponsorship.
MON-072 · Monitoring & Operations · Continuous Improvement & Reporting
Are lessons learned documented?
Medium
w9
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform monitoring maturity assessments, document lessons learned, track improvement initiatives, and deliver monitoring reports to executives with leadership sponsorship.
MON-073 · Monitoring & Operations · Continuous Improvement & Reporting
Are improvement initiatives tracked?
Medium
w9
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform monitoring maturity assessments, document lessons learned, track improvement initiatives, and deliver monitoring reports to executives with leadership sponsorship.
MON-074 · Monitoring & Operations · Continuous Improvement & Reporting
Are monitoring reports delivered to executives?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform monitoring maturity assessments, document lessons learned, track improvement initiatives, and deliver monitoring reports to executives with leadership sponsorship.
MON-075 · Monitoring & Operations · Continuous Improvement & Reporting
Does leadership sponsor operational improvement initiatives?
High
w16
Stakeholder
Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 10.2
ISO 27001 · A.5.1
NIST AI RMF · GOVERN-5.2
SOC 2 · CC5.1
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Perform monitoring maturity assessments, document lessons learned, track improvement initiatives, and deliver monitoring reports to executives with leadership sponsorship.
ETH-001 · Responsible AI & Ethics · Responsible AI Governance
Has a Responsible AI program been established?
Critical
w25
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-002 · Responsible AI & Ethics · Responsible AI Governance
Has executive leadership approved Responsible AI objectives?
Critical
w25
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-003 · Responsible AI & Ethics · Responsible AI Governance
Are Responsible AI roles assigned?
High
w16
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-004 · Responsible AI & Ethics · Responsible AI Governance
Are Responsible AI policies documented?
Critical
w25
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-005 · Responsible AI & Ethics · Responsible AI Governance
Are Responsible AI standards maintained?
High
w16
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-006 · Responsible AI & Ethics · Responsible AI Governance
Are Responsible AI procedures documented?
High
w16
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-007 · Responsible AI & Ethics · Responsible AI Governance
Are governance reviews conducted annually?
High
w16
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-008 · Responsible AI & Ethics · Responsible AI Governance
Are Responsible AI metrics reported?
Medium
w9
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-009 · Responsible AI & Ethics · Responsible AI Governance
Are Responsible AI risks tracked?
High
w16
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-010 · Responsible AI & Ethics · Responsible AI Governance
Are governance improvements tracked?
Medium
w9
Stakeholder
Executive Leadership · maturity_scale
Framework Mapping
ISO 42001 · 6.1
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Governance
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Establish a formally approved Responsible AI program with documented policies, standards, procedures, roles, and annual governance reviews.
ETH-011 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness requirements documented?
Critical
w25
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-012 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness assessments conducted?
Critical
w25
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-013 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are protected groups identified?
Critical
w25
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-014 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness risks assessed?
Critical
w25
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-015 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness controls implemented?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-016 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are datasets reviewed for fairness concerns?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-017 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness metrics defined?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-018 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness metrics monitored?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-019 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness findings documented?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-020 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness issues escalated?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-021 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness audits conducted?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-022 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness improvements tracked?
Medium
w9
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-023 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness reports generated?
Medium
w9
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-024 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness responsibilities assigned?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-025 · Responsible AI & Ethics · Fairness & Non-Discrimination
Are fairness reviews conducted periodically?
High
w16
Stakeholder
AI Governance Team · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
SOC 2 · CC5.2
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document fairness requirements, conduct fairness assessments for protected groups, define and monitor fairness metrics, and perform periodic fairness audits.
ETH-026 · Responsible AI & Ethics · Bias Management
Are bias management requirements documented?
Critical
w25
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-027 · Responsible AI & Ethics · Bias Management
Are bias assessments performed?
Critical
w25
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-028 · Responsible AI & Ethics · Bias Management
Are training datasets evaluated for bias?
Critical
w25
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-029 · Responsible AI & Ethics · Bias Management
Are model outputs evaluated for bias?
Critical
w25
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-030 · Responsible AI & Ethics · Bias Management
Are bias testing procedures documented?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-031 · Responsible AI & Ethics · Bias Management
Are bias mitigation controls implemented?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-032 · Responsible AI & Ethics · Bias Management
Are bias findings tracked?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-033 · Responsible AI & Ethics · Bias Management
Are bias incidents documented?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-034 · Responsible AI & Ethics · Bias Management
Are bias metrics monitored?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-035 · Responsible AI & Ethics · Bias Management
Are bias risks reported?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-036 · Responsible AI & Ethics · Bias Management
Are bias audits conducted?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-037 · Responsible AI & Ethics · Bias Management
Are bias remediation activities tracked?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-038 · Responsible AI & Ethics · Bias Management
Are bias reports provided to leadership?
Medium
w9
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-039 · Responsible AI & Ethics · Bias Management
Are bias reviews conducted annually?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-040 · Responsible AI & Ethics · Bias Management
Are emerging bias risks monitored?
High
w16
Stakeholder
Data Governance · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · MEASURE-2.11
EU AI Act · Art. 10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document bias management requirements, evaluate training datasets and model outputs for bias, implement mitigation controls, and conduct annual bias audits.
ETH-041 · Responsible AI & Ethics · Transparency
Are transparency requirements documented?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-042 · Responsible AI & Ethics · Transparency
Are AI systems clearly identified to users?
Critical
w25
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-043 · Responsible AI & Ethics · Transparency
Are AI use cases disclosed appropriately?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-044 · Responsible AI & Ethics · Transparency
Are transparency notices maintained?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-045 · Responsible AI & Ethics · Transparency
Are transparency controls reviewed regularly?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-046 · Responsible AI & Ethics · Transparency
Are transparency obligations monitored?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-047 · Responsible AI & Ethics · Transparency
Are transparency reports generated?
Medium
w9
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-048 · Responsible AI & Ethics · Transparency
Are transparency risks tracked?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-049 · Responsible AI & Ethics · Transparency
Are transparency audits conducted?
High
w16
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-050 · Responsible AI & Ethics · Transparency
Are transparency improvements tracked?
Medium
w9
Stakeholder
Legal Counsel · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 13–14
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document transparency requirements, clearly identify AI systems to users, maintain transparency notices, and conduct regular audits.
ETH-051 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability requirements documented?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-052 · Responsible AI & Ethics · Explainability & Interpretability
Are explanations available for high-risk AI decisions?
Critical
w25
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-053 · Responsible AI & Ethics · Explainability & Interpretability
Are model decisions interpretable?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-054 · Responsible AI & Ethics · Explainability & Interpretability
Are explanation procedures documented?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-055 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability reviews conducted?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-056 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability metrics monitored?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-057 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability findings tracked?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-058 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability reports generated?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-059 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability audits conducted?
High
w16
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-060 · Responsible AI & Ethics · Explainability & Interpretability
Are explainability improvements tracked?
Medium
w9
Stakeholder
AI Product Owners · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 13
NIST AI RMF · MEASURE-2.10
GDPR · Art. 22
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document explainability requirements, ensure explanations are available for high-risk AI decisions, and conduct regular explainability audits.
ETH-061 · Responsible AI & Ethics · Human Oversight & Accountability
Are human oversight requirements documented?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-062 · Responsible AI & Ethics · Human Oversight & Accountability
Are oversight responsibilities assigned?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-063 · Responsible AI & Ethics · Human Oversight & Accountability
Can humans intervene in AI decisions?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-064 · Responsible AI & Ethics · Human Oversight & Accountability
Can humans override AI decisions?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-065 · Responsible AI & Ethics · Human Oversight & Accountability
Are escalation procedures documented?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-066 · Responsible AI & Ethics · Human Oversight & Accountability
Are oversight activities monitored?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-067 · Responsible AI & Ethics · Human Oversight & Accountability
Are accountability requirements documented?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-068 · Responsible AI & Ethics · Human Oversight & Accountability
Are accountability metrics tracked?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-069 · Responsible AI & Ethics · Human Oversight & Accountability
Are oversight reviews conducted?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-070 · Responsible AI & Ethics · Human Oversight & Accountability
Are oversight improvements tracked?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.5
EU AI Act · Art. 14
NIST AI RMF · GOVERN-5.1
AIDA · Accountability
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity, regulatoryReadiness
Recommendation · Document human oversight and accountability requirements, assign oversight responsibilities, ensure human intervention and override capabilities, and document escalation procedures.
ETH-071 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are AI safety requirements documented?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-072 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are potential harms identified?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-073 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety risk assessments conducted?
Critical
w25
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-074 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety controls implemented?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-075 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety incidents tracked?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-076 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety metrics monitored?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-077 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety audits conducted?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-078 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety findings reported?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-079 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety remediation activities tracked?
High
w16
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-080 · Responsible AI & Ethics · AI Safety & Harm Prevention
Are safety improvements monitored?
Medium
w9
Stakeholder
Risk Management · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.2
EU AI Act · Art. 15
AIDA · Safety
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, complianceGapAnalysis, remediationRoadmap, governanceMaturity
Recommendation · Document AI safety requirements, identify potential harms, conduct safety risk assessments, implement controls, track incidents, and conduct safety audits.
ETH-081 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are stakeholder impacts assessed?
High
w16
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-082 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are customer impacts evaluated?
High
w16
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-083 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are employee impacts evaluated?
Medium
w9
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-084 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are societal impacts evaluated?
High
w16
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-085 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are vulnerable populations considered?
Critical
w25
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-086 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are stakeholder concerns documented?
Medium
w9
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-087 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are stakeholder consultations conducted?
Medium
w9
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-088 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are impact findings tracked?
Medium
w9
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-089 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are impact reports generated?
Medium
w9
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-090 · Responsible AI & Ethics · Stakeholder Impact & Social Responsibility
Are impact improvements monitored?
Medium
w9
Stakeholder
Diversity & Inclusion Leaders · maturity_scale
Framework Mapping
ISO 42001 · 6.4
NIST AI RMF · GOVERN-1.1
EU AI Act · Art. 9
AIDA · Impact Assessment
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Assess stakeholder, customer, employee, and societal impacts of AI systems; consider vulnerable populations; document concerns; and conduct stakeholder consultations.
ETH-091 · Responsible AI & Ethics · Responsible AI Training & Culture
Is Responsible AI training mandatory?
Critical
w25
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-092 · Responsible AI & Ethics · Responsible AI Training & Culture
Do executives receive Responsible AI training?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-093 · Responsible AI & Ethics · Responsible AI Training & Culture
Do developers receive Responsible AI training?
Critical
w25
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-094 · Responsible AI & Ethics · Responsible AI Training & Culture
Do business users receive Responsible AI training?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-095 · Responsible AI & Ethics · Responsible AI Training & Culture
Are training records maintained?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-096 · Responsible AI & Ethics · Responsible AI Training & Culture
Are awareness campaigns conducted?
Medium
w9
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-097 · Responsible AI & Ethics · Responsible AI Training & Culture
Are ethical concerns reporting mechanisms available?
High
w16
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-098 · Responsible AI & Ethics · Responsible AI Training & Culture
Is training effectiveness measured?
Medium
w9
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-099 · Responsible AI & Ethics · Responsible AI Training & Culture
Are culture assessments conducted?
Medium
w9
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
ETH-100 · Responsible AI & Ethics · Responsible AI Training & Culture
Are cultural improvements tracked?
Medium
w9
Stakeholder
Human Resources · maturity_scale
Framework Mapping
ISO 42001 · 7.5
NIST AI RMF · GOVERN-1.4
SOC 2 · CC1.4
Report Mapping
aiTrustScore, executiveBriefing, boardSummary, riskRegister, remediationRoadmap, governanceMaturity
Recommendation · Make Responsible AI training mandatory for executives, developers, and business users; maintain training records, conduct awareness campaigns, and provide ethical concerns reporting mechanisms.
CSV Import Schema
The bank accepts bulk imports using the documented production schema. Each row becomes a fully-typed QuestionBankEntry.
Question_Code,Domain,Subdomain,Question_Text,Description,Stakeholder,Question_Type,Weight,Risk_Level,Evidence_Required,Framework_Mappings,Report_Mappings,Recommendation
Framework_Mappings: pipe-delimited Framework:ControlID pairs.
Report_Mappings: pipe-delimited tags (TrustScore, ExecutiveBriefing, BoardSummary, RiskRegister, ComplianceGap, Roadmap, GovernanceMaturity, RegulatoryReadiness).
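As an added example (not Clariantix code), one way a row in this schema could be parsed and validated before it becomes an entry: the column names and the pipe-delimited mapping formats are taken from the schema above, while the entry type, the helper names and the accepted Risk_Level and Evidence_Required values are assumptions.

```typescript
// Added example, not Clariantix code: parse one row of the documented CSV import schema into a typed
// entry. Column names and mapping formats are from the page; the entry type, helper names and the
// Risk_Level / Evidence_Required value sets are assumptions.
type FrameworkMapping = { framework: string; controlId: string };
type QuestionBankEntry = {
  questionCode: string; domain: string; subdomain: string; questionText: string; description: string;
  stakeholder: string; questionType: string; weight: number; riskLevel: string; evidenceRequired: boolean;
  frameworkMappings: FrameworkMapping[]; reportMappings: string[]; recommendation: string;
};
const HEADER = "Question_Code,Domain,Subdomain,Question_Text,Description,Stakeholder,Question_Type,Weight,Risk_Level,Evidence_Required,Framework_Mappings,Report_Mappings,Recommendation".split(",");
// Only the report tags the schema documents are accepted; an unknown tag fails the row instead of being dropped.
const REPORT_TAGS = new Set(["TrustScore", "ExecutiveBriefing", "BoardSummary", "RiskRegister",
  "ComplianceGap", "Roadmap", "GovernanceMaturity", "RegulatoryReadiness"]);
const RISK_LEVELS = new Set(["Critical", "High", "Medium", "Low"]); // assumed value set
// RFC 4180-style splitter: a quoted field may hold commas and doubled quotes, so a Recommendation
// such as "...for executives, developers, and business users" stays one field.
function splitCsvLine(line: string): string[] {
  const out: string[] = []; let cur = ""; let quoted = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (quoted) {
      if (c === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (c === '"') quoted = false;
      else cur += c;
    } else if (c === '"') quoted = true;
    else if (c === ",") { out.push(cur); cur = ""; }
    else cur += c;
  }
  if (quoted) throw new Error("unterminated quoted field");
  out.push(cur);
  return out;
}
// Framework_Mappings: pipe-delimited Framework:ControlID pairs, split on the first colon.
function parseFrameworkMappings(raw: string): FrameworkMapping[] {
  return raw.split("|").filter((p) => p.trim() !== "").map((pair) => {
    const idx = pair.indexOf(":");
    if (idx <= 0 || idx === pair.length - 1) throw new Error(`malformed Framework_Mapping: ${pair}`);
    return { framework: pair.slice(0, idx).trim(), controlId: pair.slice(idx + 1).trim() };
  });
}
function parseQuestionRow(line: string): QuestionBankEntry {
  const f = splitCsvLine(line);
  if (f.length !== HEADER.length) throw new Error(`expected ${HEADER.length} columns, got ${f.length}`);
  const weight = Number(f[7]);
  if (!Number.isInteger(weight) || weight <= 0 || !RISK_LEVELS.has(f[8])) throw new Error(`bad Weight/Risk_Level: ${f[7]}/${f[8]}`);
  const reportMappings = f[11].split("|").filter((t) => t !== "");
  if (reportMappings.some((t) => !REPORT_TAGS.has(t))) throw new Error(`unknown Report_Mappings: ${f[11]}`);
  return { questionCode: f[0], domain: f[1], subdomain: f[2], questionText: f[3], description: f[4],
    stakeholder: f[5], questionType: f[6], weight, riskLevel: f[8], evidenceRequired: /^(true|yes|1)$/i.test(f[9].trim()),
    frameworkMappings: parseFrameworkMappings(f[10]), reportMappings, recommendation: f[12] };
}
```

Rows with the wrong column count, an unknown report tag, a non-positive weight or a mapping without a control id are rejected whole rather than imported partially.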
Engines Powered by the Bank
- computeAiTrustScore · Weighted 0–100 score with risk + evidence modifiers and domain reconciliation.
- deriveComplianceGaps · Per-control gap entries with current state and recommendation.
- deriveRoadmapFromResponses · Findings bucketed Immediate / Short-Term / Medium-Term / Strategic by risk.
- importQuestionBankCsv · Bulk import of new questions from the production CSV schema.
The Clariantix Question Bank™ is proprietary intellectual property of Clariantix and is continuously expanded as AI regulations, governance standards, and industry best practices evolve.
