Regulated or audit-facing firm: Does your firm operate in a regulated, audited, or board-supervised environment where AI usage could be challenged by a regulator, auditor, client, or risk committee?

Active AI usage: Are staff already using AI tools, copilots, embedded SaaS AI features, workflow automations, or LLMs for real work rather than only for controlled experiments?

Sensitive or client data exposure: Could AI usage involve client data, confidential business data, regulated records, model-risk inputs, personal data, or material decision support?

Evidence demand: Has a regulator, auditor, board member, client, insurer, or internal risk team already asked, or is likely to ask in the next 12 months, how AI is controlled?

Accountable owner: Is there a named executive or control owner accountable for proving how AI is used, approved, monitored, and remediated across the firm?

Complete AI inventory: Do you have a complete inventory of every AI tool, copilot, vendor feature, and LLM your staff currently use, including those embedded in SaaS your firm already pays for?

Execution-time policy enforcement: Are AI usage policies enforced at execution time, before a request reaches a provider, rather than only documented in a register?

Ninety-day audit trail: Can you produce a complete audit trail of who used which AI model, when, with what input, and at what cost for the last 90 days, exportable for a regulator?

Role-based model access: Do you have role-based access controls that determine which staff can use which AI models, with hard usage caps that cannot be bypassed?

Shadow AI classification: Have you classified shadow AI, such as vendor copilots, embedded analytics, and workflow automations, that your model risk register does not formally cover?

Team spend caps: Do you enforce per-team or per-project AI spend caps that block runaway costs before they occur, rather than alerting after the fact?

Multi-provider routing: Can you route AI requests across multiple providers based on cost, quality, or policy without staff having to know which provider handled each request?

Regulatory operating evidence: Is your firm explicitly prepared for EU AI Act, NIST AI RMF, FCA, OCC, SEC, FINRA, or equivalent AI-governance expectations in a way that goes beyond a written policy document?

Version-controlled policies: Do you have version-controlled AI policies with approval workflows, so that a policy change can be audited and reverted if needed?

One-hour regulator response: If a regulator asked tomorrow about a specific AI-assisted client communication sent in the last 30 days, could you produce the prompt, model, cost, and approval trail in under one hour?