AI Governance & Risk

Is Your Business Exposed to AI Risk?

Our free diagnostic assesses your organisation's AI governance maturity across 7 key areas — producing a personalised risk report aligned to UK and EU regulatory expectations.

Completed in Under 10 Minutes

Seven focused sections covering the areas that matter most to regulators and risk teams.

Confidential & Unbiased

Your responses are used solely to produce your risk report — never sold or shared.

Professional Risk Report

Free results summary — with a full 8-page board-ready PDF available for £79.

About You

Tell us about yourself & your organisation

This helps us tailor your assessment results accurately. Your information is handled in confidence.

Full Name *

Job Title / Role *

Professional Email Address *

Organisation Name *

Industry Sector *

Number of Employees *

Regulatory regime(s) that apply (select all that apply)

FCA regulated ICO registered / GDPR obligations NHS / CQC oversight SRA (Solicitors Regulation Authority) None currently Unsure

Section 1 of 7

AI Inventory & Classification

Identifying AI systems in scope and establishing potential regulatory exposure.

1.1Does your organisation maintain an up-to-date inventory of all AI systems currently in use — including third-party AI tools integrated into business processes?

Yes — fully maintained and reviewed at least annually Partially — some systems documented but not comprehensively No formal inventory exists Don’t know

1.2Which of the following categories apply to your AI systems?

These categories align with EU AI Act Annex III high-risk classifications. Select all that apply — selections affect your exposure score.

Automated decision support affecting individuals Customer profiling or segmentation Customer eligibility or credit scoring HR or recruitment support Biometric or identity verification Health or safety related outputs None of the above — AI is used only for internal operational tasks

1.3Have your AI systems been formally assessed against legal and regulatory requirements specific to your sector?

Yes — documented assessment, reviewed within the last 12 months Yes — informally reviewed but not documented No — not yet assessed Unsure whether this is required for our AI use

1.4Does your organisation have a documented process for onboarding new AI systems — including a risk assessment before deployment?

Yes — formal onboarding process with documented risk gate Partially — some review occurs but not consistently applied No — AI systems are adopted without structured review Not applicable — we have not adopted any new AI systems recently

Section 2 of 7

Governance, Leadership & Accountability

Assessing the maturity of internal ownership and oversight structures.

2.1Is there a formally appointed individual or function responsible for AI governance — with defined, documented responsibilities and a clear reporting line?

Yes — named individual or function with documented scope and board-level reporting Yes — but informally arranged with no documented mandate No — responsibility is unclear or distributed without accountability

2.2Are AI systems formally classified by risk level within your organisation?

Yes — with a written classification framework applied consistently Partially — some classification exists but inconsistently applied No formal classification in place Not yet required at our current stage of AI adoption

2.3Does executive leadership receive regular, documented reporting on AI risk, performance, and governance status?

Yes — at least quarterly, with documented minutes or records Yes — occasionally, but not on a regular schedule No — AI risk is not reported to executive or board level

2.4Are documented policies in place governing the acceptable and prohibited use of AI systems across your organisation?

Yes — comprehensive AI use policy, reviewed within 12 months Partially — some guidance exists but not a comprehensive policy No policies in place

2.5Are roles and responsibilities for AI oversight explicitly defined across risk, compliance, legal, and technical functions?

Yes — clearly defined in writing with named role holders Partially — some functions have defined roles but others do not No — roles are assumed rather than assigned

2.6Is AI awareness or literacy training provided to staff who interact with, rely upon, or are affected by AI-generated outputs?

Yes — mandatory training with completion records maintained Yes — available but voluntary, no completion tracking Planned but not yet implemented No training in place

Section 3 of 7

Data Quality, Lineage & Management

Confirming that your AI systems are supported by clear, auditable data practices.

3.1Is the origin and source of data used by AI systems documented and accessible — including how it is collected, processed, and updated?

i.e. where data comes from, how it is collected and processed

Fully documented and accessible to relevant staff Partially documented — some sources recorded but not comprehensively Not documented

3.2Do you maintain records of data lineage for core AI systems?

Sources, transformations applied, and version history

Yes — comprehensive lineage records maintained and version-controlled Partially — some lineage tracked but not consistently Limited records — ad-hoc rather than systematic No lineage records maintained

3.3Do you perform regular data quality assessments for inputs feeding AI decisions — covering completeness, accuracy, and representativeness?

Yes — scheduled assessments with documented results Yes — but ad-hoc and undocumented No assessments performed

3.4Is there a documented process for identifying, escalating, and resolving data quality issues that affect AI system inputs or outputs?

Yes — formal documented process with escalation path Yes — informal process exists but not documented No process exists

Section 4 of 7

Human Oversight & Decision Controls

Evaluating how human judgement integrates with AI-driven decisions.

4.1Do AI decision processes include human review for high-impact outcomes — where the AI output materially affects an individual’s rights, access to services, or financial position?

Yes — human review is mandatory for all high-impact outcomes, with documented protocols Yes — conditionally, based on a defined risk threshold Rarely — review occurs informally but is not systematic No — AI outputs are acted upon without human review

4.2Are override protocols formally documented for circumstances where a human reviewer disagrees with or wishes to countermand an AI-driven outcome?

Yes — formally documented, with records of overrides maintained Understood informally but not documented Planned but not yet in place No

4.3Do staff responsible for reviewing AI-assisted decisions receive adequate, documented training — covering both the system’s capabilities and its known limitations?

Yes — mandatory training with completion records and periodic refresh Partially — some training exists but inconsistent or undocumented No formal training in place

4.4Are escalation pathways defined and documented for AI-assisted decisions that require additional scrutiny, challenge, or senior review?

Yes — clearly documented with named escalation contacts and timescales Informal pathways are understood but not documented No escalation pathways defined

Section 5 of 7

Explainability & Transparency

Assessing whether AI-assisted decisions are explainable, traceable, and defensible.

5.1Can your organisation provide a clear, meaningful explanation for AI-assisted decisions when required — by an individual, a regulator, or in a legal context?

Yes — consistently, with a documented explanation methodology In most cases — explanations possible but not always documented Only in limited circumstances — depends on system and context No — explanations cannot be produced

5.2Do you maintain logs of AI input features, decision outputs, and confidence or probability scores where applicable?

Yes — detailed logs retained for a defined period, accessible for audit Partially — some logging exists but incomplete or inconsistently retained No logging in place

5.3Are decision logic, model versions, and model change history recorded and accessible for internal audit and regulatory examination?

Yes — all versions documented with change rationale, accessible on request Partially — some version information recorded but not comprehensively No — model versioning is not tracked

5.4Can a specific AI-assisted decision be traced back to its source inputs, the model version that produced it, and the logic applied — for any decision made in the past 12 months?

Always — full traceability across all AI-assisted decisions In most cases — some decisions can be traced but not all Rarely — traceability possible only in limited circumstances Never — decisions cannot be reconstructed

5.5Are AI systems tested for bias, fairness, or discriminatory outputs — before deployment and on an ongoing basis — with results documented?

Yes — formal testing methodology, documented results, periodic re-testing schedule Some testing conducted but not systematic or documented No formal testing for bias or fairness Not applicable — our AI systems do not produce outputs affecting individuals

Section 6 of 7

Compliance & Legal Alignment

Confirming awareness and active alignment with UK and EU legal obligations.

6.1Has your organisation conducted a formal Data Protection Impact Assessment (DPIA) for AI systems that process personal data — and has it been reviewed within the last 12 months?

Yes — completed, reviewed within 12 months, and documented Yes — completed but not reviewed recently (more than 12 months ago) Planned but not yet completed No DPIA has been conducted Not required — our AI systems do not process personal data

6.2Are individuals informed — at the point of interaction or decision — when automated or AI-assisted processes are used in ways that materially affect them?

Yes — always, with documented transparency notices Partially — in some contexts but not comprehensively No — individuals are not informed

6.3Is there a documented process allowing individuals to request human review of, or formally challenge, an AI-assisted decision that affects them?

Yes — formally documented, with defined timescales and named responsible function Limited process exists — requests can be made but the process is not documented No mechanism exists

6.4Has your organisation assessed which of its AI systems fall within the scope of the EU AI Act — including any that may qualify as high-risk under Annex III?

Yes — formal scope assessment conducted, documented, and kept under review Partially — some systems assessed but not comprehensively No — EU AI Act scope has not been formally assessed Unsure whether the EU AI Act applies to our organisation

6.5Are individuals able to exercise their data rights in relation to AI-assisted decisions — including the right to explanation, objection, and erasure?

Yes — all applicable rights supported with documented processes and response timescales Partially — some rights accommodated but not all, or processes are informal No — rights requests relating to AI decisions are not formally handled

Section 7 of 7

Operational Controls & Resilience

Assessing the robustness of risk controls, third-party management, and operational resilience around AI systems.

7.1Are AI systems included in your organisation’s formal risk and control self-assessment (RCSA) or equivalent risk register?

Yes — all AI systems are explicitly included in the risk framework Partially — some AI systems are included but not comprehensively No — AI is not included in formal risk assessments

7.2Do third-party AI providers and AI-enabled services undergo structured due diligence — covering data handling, contractual obligations, and ongoing performance review?

Yes — formal due diligence with documented outputs and contractual controls Partially — some review occurs but not systematically No structured review of third-party AI providers We do not use third-party AI providers

7.3Are cybersecurity and adversarial vulnerabilities assessed for AI systems?

e.g. prompt injection, model manipulation, data poisoning — these are AI-specific and not captured by standard cybersecurity assessments

Yes — AI-specific security testing formally conducted Partially — some assessment conducted but not AI-specific No — standard cybersecurity applies but AI-specific risks not assessed Not currently applicable to our scale or AI use

7.4Do you monitor AI model performance on an ongoing basis — tracking accuracy, drift, and degradation — with defined thresholds that trigger review?

Yes — automated monitoring with defined thresholds and documented review process Yes — manual monitoring, periodically reviewed Partially — some monitoring but without defined thresholds or process No monitoring in place

7.5Does your organisation have a defined incident response process specifically for AI system failures, harmful outputs, or unexpected behaviour?

Yes — formally documented, tested, and includes AI-specific scenarios Yes — general incident response applies but AI-specific scenarios not addressed No formal incident response process for AI failures