Free Tools · 4 minutes

AI Governance & Risk Exposure Audit

Answer 20 yes/partially/no questions about how AI is governed in your organization. You'll see your exposure level immediately — the itemized gap list and remediation priorities are emailed as a free report.


Policy & Accountability

A written, current policy defines acceptable AI use across the organization.
A named executive is accountable for AI risk.
You maintain an inventory of AI systems in use, including shadow/unsanctioned tools.
AI use cases are risk-classified (e.g., low-risk drafting vs. consequential decisions).

Human Oversight

Consequential automated actions require defined human review before execution.
Operators can halt or override an AI system at any point.
There is a defined escalation path when an AI system behaves unexpectedly.
People reviewing AI output are trained on its failure modes.

Monitoring & Audit Trails

AI system actions and decisions are logged centrally.
Logs are retained long enough to reconstruct incidents (12+ months).
Output quality is monitored over time, not just at launch.
AI incidents have a defined reporting and post-mortem process.

Vendor & Model Risk

AI vendor contracts cover data handling, retention, and training-use restrictions.
New AI vendors/models pass a security and risk review before adoption.
You could switch providers for critical AI workloads without major disruption.
Model/provider changes (versions, deprecations) are tracked and tested before rollout.

Data Privacy

Data shared with AI systems is classified, and sensitive categories are restricted.
AI systems receive only the data needed for their task (least privilege).
You can honor data-subject rights (deletion, access) for data processed by AI systems.
You know where AI-processed data is stored and which jurisdictions apply.
