Check every item your organization currently has in place
Items marked critical carry the highest oversight and audit risk. Work through all four sections.
AI decisions are constrained by documented policy rules aligned to organizational statute or regulation
Policy rules are machine-enforceable — not manual guidelines staff are expected to follow
Policy rules can be updated centrally and propagate immediately across all AI workflows
AI outputs are blocked or flagged when they conflict with governing policy
Policy coverage extends to every system and department using AI — not just pilot environments
Policy enforcement is documented and defensible for IG, GAO, regulatory, or board review
CJIS Security Policy requirements are addressed for any AI operating in or adjacent to criminal justice data environments
HIPAA-aligned policy rules govern any AI involved in patient data, clinical decisions, or health record access

High-stakes AI-assisted decisions require documented human approval before action is taken
Approval authority is role-based — only authorized personnel can approve specific decision types
Approval workflows are time-bound with escalation paths for delayed or contested decisions
Approvals are logged with the approver identity, timestamp, and rationale
Staff can override or reject AI recommendations with a recorded reason
Approval thresholds are calibrated to risk level — higher risk requires higher authority approval
Approval records are retained and accessible for audit, FOIA, or regulatory review
Emergency override procedures exist and are documented for time-critical decisions

Every AI output includes attribution — which data sources and inputs produced the result
AI reasoning is presented in plain language staff and reviewers can understand and evaluate
Confidence levels or uncertainty indicators accompany AI recommendations
Staff can interrogate AI outputs — asking why a recommendation was made or what data it used
Outputs trace to the specific policy, rule, or regulation that governs the decision context
Explainability outputs meet the evidentiary standards required for your oversight or regulatory environment
Explainability is available at the point of decision — not only in post-hoc review
Explainability covers both what the AI recommended and what it did not recommend and why

All AI decisions are logged with timestamp, inputs, outputs, and the identity of any human reviewer
Audit logs are immutable — they cannot be modified, deleted, or overwritten after creation
Audit logs are accessible for internal review, IG inspection, FOIA requests, or litigation holds
Log retention policies meet applicable regulatory requirements for your industry and jurisdiction
Audit trails cover the full decision lifecycle — from data ingestion through output and human disposition
Anomaly detection or alerting exists for unusual AI behavior or access patterns
Audit data is exportable in a format acceptable to regulators, auditors, or oversight bodies
Your AI audit posture has been reviewed by legal, compliance, or an external auditor within the past 12 months