AI Governance Explorer

Identify internal/external issues relevant to the AI Management System (AIMS) and the intended outcomes.

Identify interested parties (users, regulators, affected persons) and their requirements.

Define which AI systems, processes and units are inside the AIMS boundary.

Establish, implement, maintain and continually improve the AIMS and its processes.

Top management demonstrates commitment to the AIMS and accountability for outcomes.

Assign and communicate AI roles, including authority for AIMS conformance.

Plan actions to address AI risks and opportunities arising from context.

Define and apply a process to identify, analyse and evaluate AI risks.

Select and apply risk treatments; produce a Statement of Applicability against Annex A.

Assess potential consequences for individuals, groups and society throughout the AI lifecycle.

Set measurable AI objectives consistent with the AI policy.

Provide resources needed to establish and run the AIMS.

Ensure people performing AI work are competent and demonstrate it.

Workforce is aware of AI policy, their contribution and risks of non-conformance.

Internal and external communications regarding AIMS.

Create, control and retain documented information required by the AIMS.

Plan, implement and control operational processes for the AI lifecycle.

Perform risk assessments at planned intervals and on significant change.

Implement risk treatment plan and verify it is effective.

Conduct impact assessments at planned intervals and on change.

Define what to monitor, methods, frequency, and evaluate AI performance.

Plan and conduct internal audits of the AIMS at planned intervals.

Top management reviews AIMS suitability, adequacy and effectiveness.

Continually improve suitability, adequacy and effectiveness of the AIMS.

Respond to nonconformities, take corrective action and prevent recurrence.

Document, approve and communicate an AI policy that sets the organisation's intent for responsible AI.

Align the AI policy with other organisational policies (privacy, security, quality, ethics).

Review the AI policy at planned intervals and after significant change to keep it suitable.

Define, assign and communicate roles, responsibilities and authorities for AI activities.

Provide a mechanism for personnel to raise concerns about AI systems without fear of reprisal.

Identify and document the resources (data, tooling, compute, people) needed for each AI system.

Document the data resources used by AI systems across the lifecycle.

Document the tools used to develop, deploy and operate AI systems.

Document the system and computing resources (infrastructure, compute) supporting AI systems.

Document the human resources, competences and AI literacy needed for AI systems.

Establish a process to assess the potential impacts of AI systems on people and society.

Document the results of AI system impact assessments and keep them available for review.

Assess potential impacts of AI systems on individuals and groups of individuals.

Assess potential societal impacts of AI systems beyond direct users.

Set objectives that guide responsible development of AI systems across the lifecycle.

Define processes for the responsible design and development of AI systems.

Specify and document requirements for each AI system, including performance and risk criteria.

Document the design and development of AI systems to support review and audit.

Define and apply measures to verify and validate AI systems against requirements.

Plan and control the deployment of AI systems into production environments.

Operate and monitor AI systems in production, including drift and performance checks.

Produce technical documentation that describes the AI system to stakeholders and regulators.

Record event logs from AI systems to support traceability, monitoring and incident response.

Manage the data used to develop and enhance AI systems across the lifecycle.

Control how data is acquired for AI systems, including sourcing and legal basis.

Manage the quality of data used by AI systems, including accuracy, completeness and bias.

Track the provenance of data used for AI systems so origin and changes are known.

Manage the preparation of data (cleaning, labelling, transformation) used for AI systems.

Provide system documentation and information so users can use the AI system correctly.

Report externally on AI system performance, incidents and impacts as appropriate.

Communicate AI system incidents to affected parties and authorities in a timely way.

Provide information about AI systems to interested parties beyond direct users.

Define processes for the responsible use of AI systems within the organisation.

Set objectives for the responsible use of AI systems, aligned with the AI policy.

Ensure AI systems are used for their intended purpose, with human oversight in place.

Allocate responsibilities for AI risk between the organisation and third parties.

Manage AI risk arising from suppliers of data, models, tools and services.

Manage AI risk arising from how customers use the AI systems the organisation provides.