AI Governance Readiness Checklist

Mercury Security | 2025

Introduction

Before engaging in a formal audit, organizations benefit from a quick self-assessment of their readiness for AI governance. This checklist is designed to help teams at any knowledge level identify where they stand. It does not replace an independent audit but provides a clear baseline for conversation with auditors and executives. The items below are drawn from leading frameworks including the EU AI Act, the NIST AI Risk Management Framework, GDPR, and ISO/IEC 42001 (European Union, 2016; European Union, 2024; NIST, 2023; ISO, 2023).

Checklist

Governance and Purpose

  • The organization can clearly describe the purpose of each AI system.
  • Out-of-scope activities for each system are explicitly documented.
  • Ownership for system accountability has been assigned.

Transparency and User Awareness

  • Users are informed when they are interacting with AI.
  • Responses are either source-linked or disclosed when no source is available.
  • Refusal patterns are consistent for restricted or sensitive topics.

Human Oversight

  • Escalation procedures are documented and tested.
  • Human-in-the-loop checkpoints exist for critical workflows.
  • Escalations are logged with timestamps and outcomes.

Access and Identity Management

  • AI systems are connected to enterprise identity providers.
  • Role-based access control is in place.
  • Connectors and integrations follow least-privilege principles.

Data Protection

  • Personal or sensitive data is redacted before and after processing.
  • Logs are redacted but still preserve essential audit information.
  • Data retention schedules are documented, including deletion processes.

Logging and Monitoring

  • Logs contain prompts, sources, responses, and timestamps.
  • Logs are tamper-evident, using WORM storage or equivalent.
  • Regular monitoring samples are reviewed and signed off.

Change and Lifecycle Management

  • Model versions and configurations are documented and version-controlled.
  • Rollback procedures are tested.
  • A change log is maintained and reviewed.

Testing and Validation

  • Bias and safety tests are performed at least quarterly.
  • Refusal and consistency tests are conducted monthly.
  • Evidence packs are maintained for audits and reviews.

Hosting and Assurance

  • Hosting providers are vetted with Data Processing Agreements.
  • Regional hosting options align with data protection requirements.
  • Secure transport (e.g., TLS/HTTPS) is enforced.

How to Interpret Results

  • Most items checked: The organization is ready for a formal audit.
  • Many items unchecked: Governance maturity is limited; the audit will identify and prioritize remediation steps.
  • No items checked: AI systems are likely non-compliant and at risk; immediate action is required.

Next Steps

This checklist provides an initial self-assessment. A structured four-week audit expands upon these points by gathering evidence, prioritizing gaps, and creating a governance roadmap. For details, see From Audit to Governance in Four Weeks: A Practical Starting Point (European Union, 2024; NIST, 2023).

References

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. Retrieved from https://eur-lex.europa.eu

ISO. (2023). ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. International Organization for Standardization.

National Institute of Standards and Technology. (2023). AI Risk Management Framework (NIST AI RMF 1.0). Gaithersburg, MD: NIST.
