Pro audit program · v1.0

AI Model Risk & Governance

Whether you train, fine-tune or just consume models, you need governance — inventory, risk classification, human oversight, evaluation.

  • General target area
  • NIST AI RMF / ISO 42001 framework
  • 8 controls in this program
  • Cyentrix · Trusted Author

Risks addressed

  • High · Shadow AI: models used by teams with no oversight
  • High · Bias / unfair outcomes harming customers + the brand
  • Medium · Model drift goes unnoticed in production
  • Critical · High-risk use-case (e.g. EU AI Act) without conformity

Controls (8)

  1. AI use-case inventory · High

     Testing procedure: Register every AI use-case (internal + customer-facing) with owner + risk tier.

     Evidence to collect: Inventory document.

  2. Risk classification per use-case · High

     Testing procedure: Each use-case classified (low / limited / high / unacceptable per EU AI Act + your taxonomy).

     Evidence to collect: Classification register.

  3. Approved-model list + procurement gate · High

     Testing procedure: Models / providers approved by Security + Legal before use; vendor DPA reviewed.

     Evidence to collect: Approved list + procurement workflow.

  4. Human oversight for high-risk decisions · Critical

     Testing procedure: Decisions affecting customers (credit, hiring, etc.) reviewable by a human; not fully automated.

     Evidence to collect: Process flow + sample reviews.

  5. Bias + fairness testing pre-launch · High

     Testing procedure: Bias evaluation performed before launch + at every material model update.

     Evidence to collect: Eval reports.

  6. Drift + accuracy monitoring · Medium

     Testing procedure: Production metrics tracked + alerted on degradation.

     Evidence to collect: Monitoring dashboard.

  7. Documented model cards / system cards · Medium

     Testing procedure: Each deployed model has a card: intended use, limits, data, evals, owner.

     Evidence to collect: Card repository.

  8. User notification + opt-out where required · Medium

     Testing procedure: Users informed when interacting with AI; opt-out path for synthetic content.

     Evidence to collect: Notice + opt-out flow.
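The monitoring that control 6 asks an auditor to see evidence of, as an added illustration (not part of this audit program): a population stability index over score bins to catch distribution drift, plus an accuracy check against a launch baseline, with alerts raised on degradation. The bin layout, the PSI > 0.2 and 5-point accuracy-drop thresholds, and the sample data are constructed assumptions, not values from the program.

```python
# Added example (not from the audit program): a minimal drift + accuracy
# monitor of the kind an auditor would ask to see evidence of under control 6.
# Assumptions (hypothetical): a baseline score sample captured at launch,
# a production batch with ground-truth labels arriving later, and alert
# thresholds PSI > 0.2 / accuracy drop > 5 points as "material degradation".
import math
from bisect import bisect_right

BINS = [i / 10 for i in range(11)]          # ten equal-width score bins on [0, 1]

def bin_fractions(values, edges=BINS):
    """Share of values falling into each bin (last bin also takes the right edge)."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = min(max(bisect_right(edges, v) - 1, 0), len(counts) - 1)
        counts[idx] += 1
    return [c / max(len(values), 1) for c in counts]

def population_stability_index(baseline, current, eps=1e-4):
    """PSI = sum over bins of (cur - base) * ln(cur / base); eps guards ln(0)."""
    return sum((c - b) * math.log((c + eps) / (b + eps))
               for b, c in zip(bin_fractions(baseline), bin_fractions(current)))

def accuracy(scores, labels, threshold=0.5):
    """Fraction of rows where thresholded score agrees with the ground-truth label."""
    return sum((s >= threshold) == bool(y) for s, y in zip(scores, labels)) / len(labels)

def evaluate_batch(base_scores, base_labels, scores, labels,
                   psi_alert=0.2, acc_drop_alert=0.05):
    """Return (psi, accuracy, alerts); a non-empty alert list pages the model owner."""
    psi = population_stability_index(base_scores, scores)
    base_acc, acc = accuracy(base_scores, base_labels), accuracy(scores, labels)
    alerts = []
    if psi > psi_alert:
        alerts.append(f"score drift: PSI {psi:.2f} exceeds {psi_alert}")
    if base_acc - acc > acc_drop_alert:
        alerts.append(f"accuracy fell from {base_acc:.0%} to {acc:.0%}")
    return psi, acc, alerts

# Constructed data: baseline scores spread evenly over the bins, 90% accurate;
# the production batch is skewed to high scores and only 70% accurate.
BASE_SCORES = [(i % 10) / 10 + 0.05 for i in range(100)]
BASE_LABELS = [(1 if s >= 0.5 else 0) ^ (i % 10 == 0) for i, s in enumerate(BASE_SCORES)]
PROD_SCORES = [(i % 5) / 10 + 0.55 for i in range(100)]
PROD_LABELS = [0 if i % 10 < 3 else 1 for i in range(100)]

if __name__ == "__main__":
    psi, acc, alerts = evaluate_batch(BASE_SCORES, BASE_LABELS, PROD_SCORES, PROD_LABELS)
    print(f"PSI={psi:.2f} accuracy={acc:.0%}", *alerts, sep="\n")
```

Both alerts fire on the constructed batch; the dashboard an auditor expects under control 6 is this check run on every production batch with the alert routed to the use-case owner recorded in the inventory (control 1).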