AI Risk Self-Assessment

Tier 2 GOVERNANCE
ISO Cl.6 ISO Cl.9 NIST GV-4 NIST MG-3 OWASP ASI08

Related Templates

AI Risk Self-Assessment Questionnaire

What This Requires

Conduct periodic self-assessments — at minimum semi-annually and upon material changes to the AI environment — to evaluate the organization's AI risk posture, control effectiveness, and governance maturity. Self-assessments must use a standardized scoring methodology, compare results against prior periods to track trend direction, and produce actionable remediation plans for identified gaps.

Why It Matters

AI risk is not static — new threat techniques, regulatory requirements, and organizational AI adoption continuously shift the risk landscape. Without regular self-assessment, governance programs become disconnected from operational reality, and control gaps accumulate silently until they manifest as incidents. Periodic measurement provides the empirical foundation for resource allocation, executive reporting, and continuous improvement of the AI governance program.

How To Implement

Define Assessment Framework and Scoring

Adopt or adapt a maturity model (e.g., NIST AI RMF tiers, ISO 42001 clauses, or a custom framework aligned to organizational controls) with clearly defined maturity levels: Initial (ad hoc), Developing (documented), Defined (standardized), Managed (measured), and Optimizing (continuously improving). Assign scoring criteria for each control domain so assessments are repeatable and comparable across periods.

Conduct the Assessment

Assemble a cross-functional assessment team including representatives from security, legal, AI engineering, data governance, and business operations. Evaluate each control against current evidence — request documentation, interview control owners, inspect technical configurations, and review recent incident and audit findings. Score each control independently and document supporting evidence for every rating.

Analyze Gaps and Prioritize Remediation

Compare current scores against the previous assessment to identify trends (improving, stable, or degrading). For controls scoring below the target maturity level, document specific gaps, assign remediation owners, estimate effort, and set target completion dates. Prioritize remediation based on risk severity and regulatory exposure, not ease of implementation.

Report to Leadership and Track Progress

Present assessment results to the AI governance committee and executive leadership in a standardized format showing overall maturity score, domain-level scores, trend direction, top gaps, and remediation status. Track remediation plan completion as a standing agenda item in governance meetings. Archive all assessment artifacts for audit and regulatory evidence.

Evidence & Audit

  • Self-assessment framework document with maturity model and scoring criteria
  • Completed assessment scorecards for the current and prior periods
  • Cross-functional assessment team roster and participation records
  • Gap analysis with prioritized remediation plan and assigned owners
  • Executive briefing materials presenting assessment results and trends
  • Remediation tracking records showing completion against planned dates
  • Archived assessment artifacts organized by assessment period

Related Controls

AI Acceptable Use Policy AI Deployment Validation and Approval Continuous AI Monitoring