Who this questionnaire is for

Risk, legal, compliance, audit, policy, and governance teams — as well as regulators and internal oversight functions.

What it assesses
Whether governance controls are enforceable in practice, including ownership definitions, evidence trails, logging, incident response, policy enforcement, and auditability.

How it helps
This questionnaire distinguishes between documented governance and operational governance. It shows whether controls exist only on paper or are embedded into systems and workflows. Outputs support internal audits, regulatory conversations, and remediation planning.

Best used when

Preparing for audits or regulatory review
Formalising AI governance programs
Evaluating whether policies are actually enforced

Oyez Tools

Practical tools and field guides used together to decide what to build, how to ship it, and how to govern AI systems in real organisations.

Field Guides

AI Strategy Field Guide

Executive framing, ownership models, and adoption paths.
Engineering Field Guide

Production systems, reliability, and failure modes.
Governance Field Guide

Controls, accountability, auditability, and compliance.

Strategy & Direction

Strategy & Adoption Readiness (Executive)

Used by executives to set direction, ownership, and ship gates.

Intake & Decision Gates

AI Adoption Readiness

Baseline check for mixed teams starting or scaling AI.
Use-Case Intake & Risk Tiering

Approve, condition, or block AI use cases.

Build & Reliability

Engineering Maturity (Systems)

Assess production readiness and drift risk.
RAG & Grounding Readiness

Shipping retrieval-grounded AI safely.

Governance & Procurement

Governance & Compliance Readiness

Controls, evidence, and regulatory posture.
Vendor Procurement & Due Diligence

Evaluate AI vendors before purchase or renewal.

Operate & Review

Change, Drift & Incident Review

Post-incident and post-release review.

Field guides explain the concepts. Questionnaires test whether they exist in practice.

AI Governance & Compliance Readiness

Scores automatically as you click. The top fields are optional — only the questions affect scoring.

Status: Not scored Coverage: 0% Score: — Decision: —

Optional fields: these improve your governance record, but are not required to score.

Your role (optional)

Company or project identifier (optional)

Your score

out of 45

Readiness

—

Answer the questions to see your readiness level.

Section A — Governance Model & Accountability

1) Are AI systems covered by an explicit governance model (owners, approvals, risk tiers, and escalation paths)?

Accountability

A real governance model names owners, defines approval gates, and makes escalation paths usable in practice.

NoNo explicit governance model for AI systems.

Informal / partialSome governance exists, but roles/approvals/escalation are incomplete.

DocumentedGovernance model is written and assigned to owners.

Documented + operating cadenceGovernance runs on a cadence and is used to make decisions.

2) Do you maintain an inventory of AI use cases (purpose, owners, users, data sources, and risk classification)?

Inventory

Inventory is the foundation for evidence, controls, and audit scope.

No inventoryNo consistent list of AI use cases exists.

Partial listSome use cases are tracked, but scope/owners/risk tiers are missing.

Complete inventoryUse cases are listed with owners, users, sources, and risk classification.

Inventory + change controlsInventory is updated via change controls and reflects reality.

3) Are policies translated into enforceable controls (not only documents) for high-stakes or sensitive contexts?

Enforcement

Controls should be measurable and testable — not just statements of principle.

NoPolicies are mostly written guidance without enforcement.

Some controls existControls exist, but are limited or inconsistent.

Most controls existControls are generally implemented across major systems.

Controls enforced + testedControls are enforced and validated through evaluation/testing.

4) Is human accountability defined for decisions influenced by AI (who signs off, who reviews, who can override)?

Human-in-loop

Define sign-off, review responsibilities, and override authority.

NoNo clear accountability for AI-influenced decisions.

InformalPeople intervene, but responsibilities are not formalised.

DocumentedAccountability is defined and communicated.

Documented + auditedAccountability is verified and reviewed (evidence exists).

5) Are third-party vendors evaluated using evidence requirements (logs, exportability, failure-path demonstrations) and contractual expectations?

Vendors

Vendor due diligence should demand evidence, not just marketing claims.

NoNo meaningful evidence requirements for vendors.

Basic due diligenceSome review occurs, but evidence requirements are weak.

Defined criteriaClear criteria exist (logs, exportability, failure-path evidence).

Criteria + sign-off + monitoringCriteria are enforced with sign-off and ongoing review.

Section B — Evidence, Transparency & Audit Trail

6) Can you produce an evidence trail for outputs (sources used, checks run, and why the system answered/refused)?

Evidence

Evidence is your defence in audits and incidents.

NoNo usable evidence trail for outputs.

Partial / inconsistentEvidence exists sometimes, but cannot be relied on.

Mostly consistentEvidence is usually available and reviewable.

Fully consistent + exportableEvidence is consistent and exportable for audit.

7) Are outputs labelled appropriately (uncertainty, limitations, scope, and “not advice” language where needed)?

Disclosure

Disclosure reduces harm and improves defensibility.

NoNo consistent labelling of scope/limitations.

SometimesLabelling exists, but is inconsistent by team/use case.

UsuallyLabelling is common and mostly correct.

Enforced via templates/policiesLabelling is enforced through templates and governance rules.

8) Are logs retained with a defined retention policy and access controls (privacy/security aligned)?

Retention

Retention and access governance are as important as having logs at all.

NoNo defined retention policy or access controls.

Partial retentionSome retention exists, but policies or access controls are incomplete.

Defined retention + access rulesRetention and access rules are defined and followed most of the time.

Defined + enforced + reviewedRetention/access is enforced and periodically reviewed.

9) Can you reproduce an output later (same versioned prompt/model/tools, with recorded context)?

Reproducibility

Versioning + recorded context allow incident reconstruction and audit defence.

NoOutputs cannot be reliably reproduced later.

SometimesReproduction is possible for some systems, not consistently.

UsuallyMost outputs can be reproduced with reasonable effort.

AlwaysReproduction is designed-in and works reliably.

10) Are high-stakes use cases subject to stronger requirements (human review, refusal thresholds, stricter evidence, additional tests)?

High-stakes

High-stakes should not rely on generic “best effort” behaviour.

NoNo stronger requirements for high-stakes contexts.

InformalExtra caution exists, but it’s not formalised or enforced.

DocumentedRequirements are documented by risk tier.

Enforced + auditedHigh-stakes requirements are enforced and audited.

Section C — Change Management, Incidents & Continuous Assurance

11) Do you have change controls for prompts, models, tools, and data access (approvals + rollback)?

Change control

Governance is weakest at change boundaries — enforce approvals and rollback paths.

NoNo consistent change controls exist.

Ad-hocChange controls exist, but are inconsistently applied.

ConsistentChange approvals and rollback paths are generally used.

Consistent + auditedChange controls are enforced and audited.

12) Are structured evaluations run before release and at regular intervals (not only demos)?

Evaluation

You can’t govern what you don’t measure — require structured tests beyond demos.

NoNo structured evaluations are required.

OccasionallyEvaluations happen sometimes, but are not standard.

Before major releasesEvaluations are run before major releases.

Continuous + staged metricsEvaluations run continuously with stage-separated metrics.

13) Do you maintain an incident response process for AI failures (triage, comms, remediation, learning loop)?

Incident response should be usable, practiced, and tied to measurable remediation.

NoNo incident response process for AI failures.

InformalPeople respond, but process and ownership are unclear.

DocumentedIR process is documented for AI failures.

Practiced + measurable outcomesIR is practiced; outcomes and remediation are measured.

14) Do you monitor drift and control effectiveness (verification pass rates, refusal shifts, new failure classes)?

Monitoring

If drift is not measured, governance silently decays.

NoNo drift/control monitoring in practice.

SometimesSome monitoring exists, but is inconsistent.

Regular reviewMonitoring exists with a review cadence.

Monitoring + alerting + ownershipMonitoring triggers alerts with named owners.

15) Are periodic audits performed (controls reviewed, gaps tracked, remediation verified)?

Audit

Audits keep governance honest and prevent “paper compliance”.

NoNo audits of AI controls are performed.

Informal / ad-hocSome reviews exist, but they’re not consistent or evidenced.

Scheduled auditsAudits occur on a schedule with defined scope.

Scheduled + evidenced remediationAudits produce tracked remediation with verification.

Tip: The most common governance failure is policy without enforcement. If your score is high on documentation but low on audit trails, focus on making controls measurable and exportable.

Readiness

—

Recommended decision

—

Top risks

Recommended next steps

Tip: store the summary in your governance record, risk register, or audit evidence pack.