
AI Governance Checklist

Control checklists by compliance regime — what auditors actually ask about AI usage.

100% client-side · exportable output · zero network calls

Compliance regimes in scope: SOC 2, GDPR

Controls in scope: 14

Progress: 14% of the 14 controls in scope for SOC 2, GDPR are in place — 12 gaps remain before audit prep is honest.

Open gaps

  • AI tool & model inventory: A maintained inventory of approved AI tools, models and their data-handling characteristics.
  • Usage logging & audit trail: Prompts, tool calls and spend are logged per user with retention aligned to evidence requirements.
  • Data retention & deletion: Provider-side retention settings reviewed; zero-retention or short-retention modes enabled where available.
  • Vendor DPAs / BAAs: Signed data-processing agreements (GDPR) or business associate agreements (HIPAA) with each AI provider.
  • Vendor security assessment: Each AI vendor passes the standard vendor review (SOC 2 report, pen-test summary, subprocessor list) before approval.
  • Human oversight of AI output: AI-generated code and decisions are reviewed by a human before production impact; reviewers are named.
  • Workforce training: Staff with AI tool access complete training on data rules and incident reporting before access is granted.
  • AI incident response path: A documented path for suspected data exposure through an AI tool, wired into the existing IR process.
  • Lawful basis & records of processing: Personal data processed through AI tools has a documented lawful basis and appears in the RoPA.
  • Data residency verification: Provider processing locations verified against customer residency commitments.
  • AI risk register entries: AI-specific risks (prompt leakage, model behavior change, vendor lock-in) recorded and reviewed at standard cadence.
  • Spend limits & anomaly alerts: Per-team budgets with automated alerts; runaway usage is investigated as a potential control failure.

A planning aid built from common audit requests — not legal advice or a substitute for your auditor's control list.

Markdown export, no lock-in · 100% generated locally · 0 signup walls · 0 network requests per keystroke

How it works

This checklist turns the vague mandate of "AI governance" into a concrete, regime-scoped control list. Select the compliance frameworks that apply to your organization — SOC 2, ISO 27001, HIPAA, GDPR, the EU AI Act — and the tool filters an embedded dataset of fifteen AI-usage controls down to the ones actually in scope for that combination. Check items off as you implement them, watch the progress percentage, and export the whole state as a markdown audit-prep document. Everything runs in your browser; no account, no upload.

The control set is built from what auditors recurrently request rather than from framework text alone. Access control and usage logging anchor the SOC 2 and ISO 27001 view: who can use which tool, and can you prove what they did. Data classification rules for prompts appear under every regime because prompt leakage is the dominant real-world failure mode. HIPAA and GDPR add the contractual layer — BAAs and DPAs with each provider, retention settings, lawful-basis records, residency checks. The EU AI Act contributes the newer obligations: a model inventory, human oversight of consequential output, and transparency where AI materially affects people.

The gap list is the working output. Every unchecked control in scope appears with its description, so the export reads as a remediation backlog you can paste into a tracker and assign owners against. Auditors respond far better to a documented gap with a date than to confident silence, and the export is deliberately structured to support that conversation.
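The scoping, progress and gap-list export described in the two paragraphs above, as an added example that is not the tool's own code (FORG's embedded dataset and its regime mappings are not shown on this page). The control dataset, the regime identifiers, and the function names `controlsInScope`, `progress` and `exportMarkdown` are constructed for illustration; the regime tags follow the text's description (logging under SOC 2 and ISO 27001, prompt classification under every regime, agreements and lawful basis under HIPAA/GDPR, inventory and oversight under the EU AI Act) but are assumptions, not the tool's data.

```javascript
// Added example (not FORG's code): regime-scoped control filtering, progress
// over the in-scope set, and a markdown gap-list export.
// The dataset below is CONSTRUCTED for illustration; the regime tags are
// assumptions drawn from the page text, not the tool's embedded dataset.

const REGIMES = ["SOC2", "ISO27001", "HIPAA", "GDPR", "EU_AI_ACT"];

const CONTROLS = [
  { id: "access-control", name: "Access control",
    regimes: ["SOC2", "ISO27001"],
    desc: "AI tool access is provisioned and revoked through the normal joiner/leaver process." },
  { id: "usage-logging", name: "Usage logging & audit trail",
    regimes: ["SOC2", "ISO27001"],
    desc: "Prompts, tool calls and spend are logged per user with retention aligned to evidence requirements." },
  { id: "prompt-classification", name: "Data classification rules for prompts",
    regimes: REGIMES, // appears under every regime
    desc: "Documented rules for which data classes may be sent to which tools." },
  { id: "vendor-agreements", name: "Vendor DPAs / BAAs",
    regimes: ["HIPAA", "GDPR"],
    desc: "Signed data-processing agreements (GDPR) or business associate agreements (HIPAA) with each AI provider." },
  { id: "lawful-basis", name: "Lawful basis & records of processing",
    regimes: ["GDPR"],
    desc: "Personal data processed through AI tools has a documented lawful basis and appears in the RoPA." },
  { id: "model-inventory", name: "AI tool & model inventory",
    regimes: ["EU_AI_ACT"],
    desc: "A maintained inventory of approved AI tools, models and their data-handling characteristics." },
  { id: "human-oversight", name: "Human oversight of AI output",
    regimes: ["EU_AI_ACT"],
    desc: "AI-generated code and decisions are reviewed by a named human before production impact." },
];

// A control is in scope when at least one of its regimes is selected.
function controlsInScope(controls, selectedRegimes) {
  const selected = new Set(selectedRegimes);
  return controls.filter((c) => c.regimes.some((r) => selected.has(r)));
}

// Progress is computed over the in-scope set only; checked ids that fall
// outside scope are ignored, so deselecting a regime never inflates the number.
function progress(controls, selectedRegimes, checkedIds) {
  const inScope = controlsInScope(controls, selectedRegimes);
  const checked = new Set(checkedIds);
  const done = inScope.filter((c) => checked.has(c.id)).length;
  const total = inScope.length;
  const percent = total === 0 ? 0 : Math.round((done / total) * 100);
  return { total, done, gaps: total - done, percent };
}

// Markdown export: every unchecked in-scope control becomes a task carrying its
// description, so the file pastes into a tracker as a remediation backlog.
function exportMarkdown(controls, selectedRegimes, checkedIds) {
  const inScope = controlsInScope(controls, selectedRegimes);
  const checked = new Set(checkedIds);
  const p = progress(controls, selectedRegimes, checkedIds);
  const lines = [
    "# AI governance audit prep",
    "",
    `Regimes: ${selectedRegimes.join(", ")}`,
    `Progress: ${p.done}/${p.total} controls in place (${p.percent}%), ${p.gaps} gaps`,
    "",
    "## Open gaps",
    "",
  ];
  for (const c of inScope) {
    if (!checked.has(c.id)) lines.push(`- [ ] ${c.name}: ${c.desc}`);
  }
  lines.push("", "## In place", "");
  for (const c of inScope) {
    if (checked.has(c.id)) lines.push(`- [x] ${c.name}`);
  }
  return lines.join("\n");
}

// Usage: SOC 2 + GDPR selected, one control implemented.
console.log(progress(CONTROLS, ["SOC2", "GDPR"], ["access-control"]));
console.log(exportMarkdown(CONTROLS, ["SOC2", "GDPR"], ["access-control"]));
```

With SOC 2 and GDPR selected, five of the seven constructed controls are in scope and one is checked, so the export reports 20% with four open gaps; the same checked id contributes nothing when only the EU AI Act is selected, because access control is not in that regime's scope.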

Two honest limits. First, this is a planning aid distilled from common practice, not legal advice — your auditor's control list and your counsel's reading of the regulations govern. Second, several controls here are only as real as the tooling behind them: usage logging, spend limits and anomaly alerts need systems, not checkbox intent. That enforcement layer — per-developer tracking with hard budget caps — is precisely what FORG provides, which is why those controls link naturally to it.

Frequently asked questions

What do auditors actually ask about AI usage?

The recurring themes are inventory, access and evidence. Auditors want a list of approved AI tools and what data each can touch, proof that access is provisioned and revoked through your normal process, logs that show who used what, documented data-classification rules for prompts, and a vendor file containing security assessments and signed agreements. Teams fail audits on missing evidence far more often than on missing controls.

How does the EU AI Act change governance for a software team?

For most engineering teams using AI coding tools, the Act's main demands are transparency, human oversight and documentation. You need a model and system inventory, a record of where AI output materially affects people, named humans reviewing consequential output, and a risk classification exercise showing why your usage falls outside the high-risk categories. The heavy obligations target providers of high-risk systems, but deployers still carry documentation duties.

Do I need every control on this list before an audit?

No — scope follows the regimes you select. HIPAA only matters if you handle protected health information; the EU AI Act sections apply if you operate in or sell into the EU. The checklist filters to controls in scope for your selections, and even then auditors expect a credible roadmap more than perfection: a documented gap with an owner and a date usually passes, an undocumented gap discovered live does not.

How is this different from the compliance mapping matrix tool?

This checklist is organized by control: pick regimes, get a single working list to track and export for audit preparation. The compliance mapping matrix is organized by activity: it crosses what your team actually does with AI — code generation, customer data in prompts, fine-tuning — against each regime to show requirement levels per intersection. Use the matrix to understand exposure, then this checklist to track remediation.

Can the exported markdown serve as audit evidence?

It serves as your preparation tracker and a useful artifact to show governance intent, but it is not evidence by itself. Auditors verify each control through its native trail — access logs, signed DPAs, training completion records, ticket history. Export the document, attach it to your compliance project, and link each checked item to where the real evidence lives. The honest gap list is often the most valuable part of the export.

Budgeting AI spend for a team? FORG is $15/dev with hard budget caps and per-seat attribution.

See FORG pricing