Compliance Readiness

Optional Inputs

• Current governance framework (if any)
• Upcoming audit dates
• Existing compliance certifications (SOC2, ISO 27001, HIPAA, etc.)
• Number of AI vendors/tools in use

Assessment Framework

Score each dimension 1-5 (1=no controls, 5=mature):

8 Dimensions

1. Risk Classification — Have you categorized AI systems by risk level per EU AI Act / NIST?
2. Documentation — Technical docs, model cards, data lineage for each AI system?
3. Human Oversight — Defined human-in-the-loop processes for high-risk decisions?
4. Bias & Fairness — Regular bias audits, fairness metrics, disparate impact testing?
5. Data Governance — Training data provenance, consent, retention, and deletion policies?
6. Incident Response — AI-specific incident playbook, reporting procedures, rollback plans?
7. Vendor Management — AI vendor risk assessments, contractual AI governance requirements?
8. Audit Trail — Logging, explainability, decision traceability for AI-assisted outputs?

Scoring

• 35-40: Compliance-ready — minor gaps to address
• 25-34: Partially prepared — significant work needed in specific areas
• 15-24: High risk — major gaps across multiple dimensions
• 8-14: Critical — immediate action required before any regulatory review

Output Format

Generate a report with:

1. Executive Summary — Overall score, risk level, top 3 gaps
2. Dimension Scores — Table with score, evidence, and gap description per dimension
3. Regulatory Exposure — Which regulations apply and key deadlines:
   • EU AI Act: Aug 2, 2026 (high-risk system requirements)
   • HHS AI Transparency: April 3, 2026 (healthcare)
   • NIST AI RMF: Ongoing (federal contractors + best practice)
   • State bar AI rules: Varies (legal industry)