AI Compliance Readiness Assessment
Evaluate organizational readiness for AI governance regulations and generate an actionable compliance roadmap.
When to Use
- Assessing AI compliance posture before an audit
- Preparing for EU AI Act (Aug 2026), HHS AI mandates, NIST AI RMF
- Building a governance roadmap for AI deployments
- Evaluating risk exposure from current AI usage
How to Use
When asked to assess AI compliance readiness, gather these inputs:
Required Inputs
1. Industry (legal, healthcare, financial-services, insurance, construction, manufacturing, government, other)
2. Company size (employees or revenue range)
3. AI systems in use (list: chatbots, document review, fraud detection, hiring tools, customer service, analytics, other)
4. Jurisdictions (US-only, EU-exposed, both, global)
Optional Inputs
- Current governance framework (if any)
- Upcoming audit dates
- Existing compliance certifications (SOC2, ISO 27001, HIPAA, etc.)
- Number of AI vendors/tools in use
Assessment Framework
Score each dimension 1-5 (1=no controls, 5=mature):
8 Dimensions
1. Risk Classification — Have you categorized AI systems by risk level per EU AI Act / NIST?
2. Documentation — Technical docs, model cards, data lineage for each AI system?
3. Human Oversight — Defined human-in-the-loop processes for high-risk decisions?
4. Bias & Fairness — Regular bias audits, fairness metrics, disparate impact testing?
5. Data Governance — Training data provenance, consent, retention, and deletion policies?
6. Incident Response — AI-specific incident playbook, reporting procedures, rollback plans?
7. Vendor Management — AI vendor risk assessments, contractual AI governance requirements?
8. Audit Trail — Logging, explainability, decision traceability for AI-assisted outputs?
Scoring
- 35-40: Compliance-ready — minor gaps to address
- 25-34: Partially prepared — significant work needed in specific areas
- 15-24: High risk — major gaps across multiple dimensions
- 8-14: Critical — immediate action required before any regulatory review
Output Format
Generate a report with:
1. Executive Summary — Overall score, risk level, top 3 gaps
2. Dimension Scores — Table with score, evidence, and gap description per dimension
3. Regulatory Exposure — Which regulations apply and key deadlines:
   - EU AI Act: Aug 2, 2026 (high-risk system requirements)
   - HHS AI Transparency: April 3, 2026 (healthcare)
   - NIST AI RMF: Ongoing (federal contractors + best practice)
   - State bar AI rules: Varies (legal industry)
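The scoring bands and the report's executive-summary fields above can be turned into a small checker, so the rubric is applied the same way every time and incomplete or out-of-range scores are rejected instead of silently summed. This is an added example, not part of the original assessment template; it assumes the jurisdiction labels from the inputs list are used verbatim as keys and that NIST AI RMF is listed for every assessment as best practice.

```python
from __future__ import annotations

# The eight dimensions and score bands as the rubric above defines them.
DIMENSIONS = (
    "Risk Classification", "Documentation", "Human Oversight", "Bias & Fairness",
    "Data Governance", "Incident Response", "Vendor Management", "Audit Trail",
)
BANDS = ((35, "Compliance-ready"), (25, "Partially prepared"),
         (15, "High risk"), (8, "Critical"))
EU_EXPOSED = {"EU-exposed", "both", "global"}  # jurisdiction labels from the inputs list

def validate(scores: dict[str, int]) -> None:
    """Reject incomplete or out-of-range input instead of scoring it silently."""
    missing = [d for d in DIMENSIONS if d not in scores]
    if missing:
        raise ValueError(f"unscored dimensions: {missing}")
    bad = {d: v for d, v in scores.items() if v not in range(1, 6)}
    if bad:
        raise ValueError(f"scores must be integers 1-5: {bad}")

def risk_band(total: int) -> str:
    """Map the 8-40 total onto the rubric's four bands."""
    return next(label for floor, label in BANDS if total >= floor)

def top_gaps(scores: dict[str, int], n: int = 3) -> list[str]:
    """Lowest-scoring dimensions first; ties broken by rubric order."""
    return sorted(DIMENSIONS, key=lambda d: (scores[d], DIMENSIONS.index(d)))[:n]

def regulatory_exposure(industry: str, jurisdictions: str) -> list[tuple[str, str]]:
    """Select the regulations and deadlines listed above for this industry/jurisdiction."""
    exposure = []
    if jurisdictions in EU_EXPOSED:
        exposure.append(("EU AI Act", "Aug 2, 2026"))
    if industry == "healthcare":
        exposure.append(("HHS AI Transparency", "April 3, 2026"))
    if industry == "legal":
        exposure.append(("State bar AI rules", "Varies"))
    exposure.append(("NIST AI RMF", "Ongoing"))  # assumption: always listed as best practice
    return exposure

def assess(industry: str, jurisdictions: str, scores: dict[str, int]) -> dict:
    """Executive-summary fields: total, band, top 3 gaps and regulatory exposure."""
    validate(scores)
    total = sum(scores[d] for d in DIMENSIONS)
    return {"total": total, "band": risk_band(total), "top_gaps": top_gaps(scores),
            "exposure": regulatory_exposure(industry, jurisdictions)}

if __name__ == "__main__":  # constructed sample: healthcare provider with EU exposure
    print(assess("healthcare", "both", dict(zip(DIMENSIONS, (2, 3, 4, 1, 3, 2, 3, 4)))))
```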