Eight questions every executive should be able to answer about the AI their company is about to sign off on.
A working list, distilled from boardroom conversations. None of them require technical expertise; all of them reveal whether the programme is ready to be signed.
This assessment helps Boards make informed decisions as they adopt and explore AI, without creating unmanaged risk.
Answer each statement with YES or NO.
1. We have approved an AI governance policy that defines what AI may and may not be used for across the organisation.
2. We know which AI systems, tools, vendors, and shadow AI use cases are active in the organisation, and each has a named owner.
3. We have assigned clear executive accountability for AI, including decision rights between the Board, CEO, CIO, CISO, legal, privacy, and business leaders.
4. Every new AI use case goes through a formal intake and approval process that considers value, risk, legal obligations, privacy, security, and human oversight.
5. We assess and treat AI risks within an agreed risk appetite, including bias, privacy, security, regulatory exposure, operational failure, and reputational impact.
6. We can demonstrate compliance with relevant AI laws and regulations, including evidence for audits, supplier obligations, and high-risk AI use cases.
7. We continuously monitor critical AI systems for performance, misuse, incidents, data leakage, access violations, and changes in risk.
8. We have trained Board members, executives, AI users, and technical teams on their responsibilities so AI is used safely, ethically, and effectively.
These eight statements condense the maturity themes from the AI Capability Maturity Model: governance, accountability, inventory, approval, risk treatment, compliance, monitoring, and training.
Supporting readings: https://isaca.nl/an-exploration-of-ai-risk-collaborative-assessment-methodology/