Key outputs

→ Governance & Risk Foundation

• AI system inventory and risk-based classification (EU AI Act aligned)
• AI governance and accountability model (including roles across the three lines of defence)
• Consolidated AI risk register aligned with regulatory risk categories

→ Compliance & Conformity Readiness

• EU AI Act gap assessment and applicability analysis
• High-risk AI system identification and obligation mapping
• Technical documentation framework aligned with Article 11 requirements
• Conformity assessment and CE-marking readiness support (where applicable)

→ Lifecycle Controls & Documentation

• End-to-end lifecycle control framework (design, validation, deployment, monitoring)
• Model documentation standards (model cards, data documentation, assumptions and limitations)
• Data governance and dataset quality controls (bias, representativeness, lineage)

→ Transparency & Human Oversight

• AI transparency and user disclosure framework (AI interaction, limitations, intended use)
• Human oversight model including escalation paths, override mechanisms and accountability
• Explainability requirements aligned with risk level and use case criticality

→ Monitoring, Logging & Incident Management

• Logging and traceability framework aligned with EU AI Act requirements
• Post-market monitoring and performance tracking model
• AI incident and breach reporting process (internal and regulatory escalation)

→ Third-Party & Vendor Governance

• AI vendor risk assessment and due diligence framework
• Contractual and control expectations for third-party AI providers
• Ongoing vendor monitoring and dependency risk assessment

→ Remediation & Audit Readiness

• Prioritised remediation roadmap based on risk and regulatory exposure
• Audit-ready evidence pack (policies, controls, documentation, traceability)
• Board-level readiness pack with risk exposure, decisions and oversight model

Key outputs

→ Governance Structure & Operating Model

• AI governance framework including roles, committees and decision-making bodies
• Definition of decision rights, approval processes and escalation paths
• Integration with existing governance structures (risk, compliance, IT, internal audit)
• Alignment with the three lines of defence model

→ Accountability & Lifecycle Ownership

• AI accountability model across the full AI lifecycle (design, deployment, monitoring)
• Clear definition of roles such as AI owner, model owner, risk owner and control owner
• RACI matrix for key AI governance and risk processes
• Definition of accountability for AI-assisted and AI-driven decisions

→ Policy & Internal Standards Framework

• AI policy framework covering responsible AI principles and governance requirements
• Acceptable use policy for AI tools (including generative AI)
• Definition of internal standards for AI development, validation and use
• Control requirements embedded into policies to ensure enforceability and auditability

→ Risk Governance & Risk Appetite

• Definition of key AI risk categories (e.g. bias, explainability, data quality, robustness, security)
• AI risk appetite statement and tolerance thresholds
• Alignment with enterprise risk management framework and existing risk taxonomy
• Guidance on acceptable vs non-acceptable AI use cases

→ Oversight, Reporting & Escalation

• Governance reporting framework for senior management and board
• Definition of key risk indicators (KRIs) and escalation triggers
• Structured escalation process for AI-related incidents and control failures
• Board- and senior-management-ready governance documentation

→ Control Integration & Operational Embedding

• Integration of governance requirements into business processes and workflows
• Definition of minimum control requirements for AI systems based on risk level
• Linkage between governance framework and lifecycle controls (development, validation, monitoring)
• Alignment with recognised control frameworks (including ISO/IEC 42001 and NIST AI RMF)

Key outputs

→ AI Risk Taxonomy & Framework

• AI risk taxonomy aligned with Enterprise Risk Management and Operational Risk frameworks
• Definition of key AI risk categories (e.g. bias, explainability, data quality, robustness, security, third-party risk)
• Alignment with recognised standards (including ISO/IEC 42001 and NIST AI RMF)
• Mapping of AI risks to existing enterprise risk categories

→ Use Case-Level Risk Assessment

• Structured AI risk assessments for individual AI use cases
• Evaluation of likelihood, impact and risk severity based on defined criteria
• Identification of inherent and residual risks
• Linkage between risk level and required control intensity (including high-risk AI considerations under the EU AI Act)

→ Risk Ownership & Accountability

• Assignment of risk ownership and accountability for each identified risk
• Integration with existing risk governance structures and three lines of defence
• Definition of responsibilities for risk acceptance, mitigation and monitoring
• RACI alignment for key risk management activities

→ Centralised Risk Register & Aggregation

• Centralised AI risk register consolidating risks across all AI use cases
• Aggregation of risks into an enterprise-wide view
• Identification of systemic risk concentrations and cross-cutting themes
• Integration with existing risk reporting and tooling

→ Mitigation, Controls & Monitoring

• Definition of risk mitigation measures and control strategies
• Linkage between identified risks and existing or required controls
• Definition of Key Risk Indicators (KRIs) and monitoring thresholds
• Ongoing risk monitoring framework aligned with lifecycle management

→ Reporting & Decision Support

• Board- and senior-management-ready AI risk reporting
• Risk dashboards highlighting exposure, trends and critical issues
• Support for risk-based decision-making and prioritisation
• Alignment with regulatory and audit expectations

Key outputs

→ Lifecycle Control Framework

• End-to-end lifecycle control expectations covering design, development, validation, deployment, monitoring, change and retirement
• Definition of minimum control requirements based on AI risk level and use case criticality
• Alignment of lifecycle controls with governance decisions, approvals and risk assessments
• Integration with recognised frameworks (including ISO/IEC 42001 and NIST AI RMF)

→ Logging, Traceability & Reproducibility

• Logging and traceability requirements proportionate to AI risk and criticality
• Definition of traceability across data, models, versions and decisions
• Reproducibility expectations for model outputs and decision pathways
• Alignment with EU AI Act expectations on logging and record-keeping

→ Explainability & Transparency Controls

• Explainability requirements tailored to use case sensitivity and impact
• Transparency expectations for AI-assisted and AI-driven decisions
• Definition of minimum documentation for assumptions, limitations and model behaviour
• Alignment with regulatory expectations for high-risk AI systems

→ Evidence & Documentation Standards

• Definition of evidence requirements for audits, investigations and regulatory dialogue
• Structured documentation standards (e.g. model documentation, data documentation, decision logs)
• Audit trail expectations across the AI lifecycle
• Preparation of audit-ready evidence aligned with EU AI Act and recognised standards

→ Change Management & Model Governance

• Control expectations for model updates, retraining and versioning
• Change approval workflows and documentation requirements
• Rollback and fallback control expectations
• Linkage between change management and risk reassessment

→ Incident Management & Operational Resilience

• Control expectations for AI-related incident detection, escalation and resolution
• Definition of incident classification and response procedures
• Fallback mechanisms and human intervention triggers
• Alignment with operational resilience expectations and business continuity principles

→ Control Integration & Internal Control Alignment

• Integration of AI controls into existing internal control frameworks
• Mapping of AI controls to existing control libraries and processes
• Guidance on control ownership, execution and testing
• Alignment with internal audit expectations and control testing approaches

Key outputs

→ Vendor Selection & Assessment Framework

• AI vendor assessment and selection framework aligned with procurement and risk requirements
• Definition of minimum control and transparency expectations for AI vendors
• Risk-based vendor classification based on criticality and AI use case impact
• Alignment with existing third-party risk management and outsourcing frameworks

→ Due Diligence & Risk Analysis

• Structured AI vendor due diligence covering governance, controls and risk exposure
• Assessment of model transparency, explainability and data usage practices
• Evaluation of vendor control environment and documentation maturity
• Identification of inherent risks including bias, security, data protection and model limitations

→ Dependency, Concentration & Substitutability Risk

• Assessment of dependency on external AI providers and critical services
• Analysis of concentration risk across vendors and technologies
• Evaluation of substitutability and portability of AI solutions
• Identification of lock-in risks and mitigation strategies

→ Contractual & Control Requirements

• Definition of AI-specific contractual clauses (e.g. transparency, audit rights, data usage, performance)
• Minimum control expectations to be embedded in vendor agreements
• Alignment with internal governance, compliance and risk requirements
• Support for integration into procurement and legal processes

→ Ongoing Monitoring & Vendor Oversight

• Framework for continuous monitoring of AI vendor performance and risk exposure
• Definition of KPIs/KRIs and reporting requirements for vendors
• Periodic reassessment of vendor risk and control effectiveness
• Integration with existing vendor monitoring and review cycles

→ Operational Resilience & Exit Strategy

• Alignment of AI vendors with operational resilience objectives
• Assessment of impact of vendor failure on critical processes
• Definition of fallback solutions and contingency measures
• Exit and transition strategy including data, model and service continuity

→ Documentation & Audit Readiness

• Documentation package supporting procurement, risk and audit review
• Evidence of vendor due diligence, risk assessment and monitoring activities
• Alignment with internal audit expectations and regulatory scrutiny
• Support for supervisory interactions and third-party risk reviews

Key outputs

→ Agent Autonomy & Decision Boundaries

• Assessment of agent autonomy levels (decision support vs decision execution)
• Definition of decision boundaries and permitted actions for AI agents
• Identification of high-impact or sensitive decisions requiring human involvement
• Definition of escalation logic and approval thresholds

→ Control Impact & Segregation of Duties

• Impact analysis of AI agents on existing internal controls
• Identification of potential control bypass scenarios
• Assessment of segregation of duties (SoD) risks introduced by agent behaviour
• Definition of control safeguards to preserve control effectiveness

→ Oversight & Accountability Model

• Governance model for AI agents including roles and responsibilities
• Clear accountability for agent-driven decisions and outcomes
• Definition of human-in-the-loop / human-on-the-loop oversight mechanisms
• Integration with existing governance and risk frameworks

→ Dependency & Operational Resilience Risk

• Identification of dependencies on external systems, APIs and vendors
• Assessment of resilience risks linked to agent availability and performance
• Evaluation of failure scenarios and cascading effects across processes
• Alignment with operational resilience and business continuity expectations

→ Monitoring, Intervention & Fallback Controls

• Definition of monitoring requirements for agent behaviour and performance
• Triggers for human intervention and override mechanisms
• Operational fallback procedures in case of agent failure or unexpected behaviour
• Alignment with incident management and escalation processes

→ Evidence, Traceability & Auditability

• Definition of logging and traceability requirements for agent decisions and actions
• Documentation standards for agent logic, workflows and interactions
• Evidence expectations for audits, investigations and regulatory reviews
• Audit-ready documentation aligned with recognised standards (including ISO/IEC 42001)

Key outputs

→ Assurance Scope & Methodology

• Definition of AI assurance scope, objectives and assessment criteria
• Risk-based scoping aligned with AI use cases and risk classification
• Alignment with internal audit methodologies and recognised standards (including ISO/IEC 42001 and NIST AI RMF)
• Definition of audit approach (governance, risk, controls, lifecycle)

→ Control Testing & Effectiveness Assessment

• Testing of AI governance and control design and operating effectiveness
• Assessment of control implementation across the AI lifecycle
• Identification of control gaps, weaknesses and inconsistencies
• Evaluation of alignment between defined controls and actual practices

→ Evidence Review & Documentation Assessment

• Assessment of evidence quality, completeness and traceability
• Review of documentation (policies, model documentation, decision logs, monitoring records)
• Verification of audit trail and reproducibility of AI-driven outcomes
• Evaluation of readiness for audit and regulatory scrutiny

→ Model Evaluation & Validation Governance

• Review of model evaluation, validation and benchmarking practices
• Assessment of governance over testing methodologies and performance metrics
• Evaluation of explainability, robustness and fairness validation processes
• Alignment with regulatory expectations for high-risk AI systems

→ Audit & Regulatory Support

• Direct support during internal audits, compliance reviews and regulatory inspections
• Preparation of documentation and evidence for audit processes
• Interaction support with internal audit, compliance and supervisory authorities
• Alignment with EU AI Act expectations and audit requirements

→ Reporting, Findings & Remediation

• AI assurance reports tailored for management and Audit Committees
• Clear articulation of findings, root causes and risk implications
• Prioritised remediation recommendations and action plans
• Tracking of remediation actions and follow-up reviews