ISO 42001 Free AI Governance Readiness Checklist

Tell us about your environment

A few details to tailor your AI governance roadmap. Required fields are marked *.

Organisation name *

Your name *

Email (where to send your PDF copy) *

Primary sector *

Organisation size (FTE) *

What is driving this assessment? *

Target timeline for ISO 42001 certification

How does your organisation use AI?

1.AIMS Governance0/4 2.Risk & Impact Assessment0/3 3.Design, Controls & Oversight0/3 4.Operations & Monitoring0/3 5.Suppliers & Transparency0/2 6.Evidence & Improvement0/3

🤖

AIMS Governance

Scope, roles, policy set and AI objectives.

Progress

0/4

We have clearly defined which AI systems, use cases and business functions are in scope for our AI governance program.

Scope defines what is covered by governance and what is explicitly out of scope.

View evidence examples ->

A documented scope statement listing AI use cases (e.g. clinical decision support, chatbots, analytics models).
Systems and models in scope — vendor AI, internally developed models, GenAI tools.
Geographic and regulatory boundaries (e.g. Australia-only deployment; GDPR-relevant use cases).

AI governance roles and accountability are defined — including who owns each AI system and how decisions are escalated.

Clear accountability for AI decisions, oversight and escalation must be documented.

View evidence examples ->

Named AIMS owner, AI risk owner, and individual model or use-case owners.
A defined governance or ethics review committee with terms of reference.
RACI covering design, approval, monitoring, incident handling and retirement of AI systems.

We have an approved AI policy set covering acceptable use, risk tolerance, data sourcing, transparency and disclosure.

Policies guide safe, ethical and compliant AI use across the organisation.

View evidence examples ->

AI Acceptable Use Policy covering staff and contractor use of AI tools.
AI Risk Management or AI Governance Policy aligned to ISO 42001.
Transparency and disclosure policy for customers or end users.

We track AI performance objectives and KPIs — such as accuracy, safety incidents or bias indicators — and review them with leadership.

Leadership should see whether AI is delivering value safely and within defined risk tolerance.

View evidence examples ->

Defined KPIs such as model accuracy, false positives, bias indicators or incident rates.
Targets and thresholds approved by leadership.
Periodic review of AI performance and risk metrics reported to the board or executive.

⚠️

Risk & Impact Assessment

AI inventory, impact assessment methodology and data ethics.

Progress

0/3

We maintain an up-to-date inventory of all AI use cases and models — including purpose, owner, associated data and risk classification.

A single source of truth for all AI systems enables consistent risk management.

View evidence examples ->

An AI inventory or register with each use case, business owner and technical owner.
Associated datasets, model types and deployment environments documented.
Initial risk classification (low / medium / high impact) assigned for each AI system.

We use a defined methodology to assess AI risks and impacts before deployment and when significant changes occur.

A consistent method for AI Impact and Risk Assessment (AIRA) ensures material risks are identified and treated.

View evidence examples ->

A documented AIRA or AI Impact Assessment template applied to each AI use case.
Assessment criteria covering safety, bias, legal, ethical and reputational risks.
Completed AIRA records for each material AI use case, reviewed and approved.

Training and input data is assessed for bias, representativeness, provenance and lawful basis before use.

Data quality and ethics are foundational to responsible AI.

View evidence examples ->

Bias and representativeness assessments for training datasets.
Documented data provenance and sourcing decisions.
Confirmation of consent, licensing or lawful basis for training or input data.

🔐

Design, Controls & Oversight

Preventative controls, human oversight and evaluation.

Progress

0/3

Preventative controls are built into AI systems — such as output filters, PII minimisation and security hardening.

Design-level controls reduce harm and misuse before problems occur.

View evidence examples ->

Prompt filtering, output moderation or content safety controls for generative AI.
PII detection, masking or minimisation in prompts and model outputs.
Security controls protecting models, APIs and inference endpoints.

Human oversight is defined for high-risk AI decisions — including review thresholds, escalation paths and the ability to override or disable AI.

Humans must remain accountable for impactful AI outcomes.

View evidence examples ->

Defined thresholds requiring human review before an AI-driven action is taken.
Clear escalation paths for unsafe, unexpected or disputed outputs.
A documented ability to disable, pause or override AI systems when required.

AI systems are evaluated for fairness, robustness and potential misuse before release and after significant changes.

Testing AI before and after release ensures it behaves as expected.

View evidence examples ->

Pre-deployment testing for accuracy, bias and robustness documented.
Adversarial or red-teaming exercises for misuse and edge-case scenarios.
Test results and go/no-go decisions recorded and retained.

🔍

Operations & Monitoring

Runtime monitoring, incident handling and records.

Progress

0/3

AI systems are monitored in production for quality degradation, drift, misuse and policy violations — with alerts and logs retained.

Monitoring AI behaviour in production detects degradation and misuse early.

View evidence examples ->

Monitoring for model drift, performance drops or abnormal output patterns.
Logging of prompts, outputs and key decisions (within applicable privacy limits).
Alerts for misuse, abuse patterns or outputs that breach policy thresholds.

AI-related incidents — including bias harms, hallucinations and misuse — are formally managed with post-incident reviews and corrective actions.

AI issues are treated as formal incidents with documented learning outcomes.

View evidence examples ->

AI incident categories included in the organisation's incident response plan.
Documented handling of bias events, harmful outputs or hallucination incidents.
Post-incident reviews with corrective actions tracked to closure.

AI documentation is maintained — including dataset versions, model configurations, approval decisions and change history.

Traceability for how AI systems were designed and operated is essential for audits.

View evidence examples ->

Version history of models, prompts, configurations and datasets.
Decision logs for approvals, changes and risk acceptances.
Records retained with defined periods aligned to regulatory and audit requirements.

🏭

Suppliers & Transparency

Third-party AI due diligence and user transparency.

Progress

0/2

Third-party AI providers are assessed for risk — including review of model cards, data handling and contractual controls.

External AI providers introduce risk that must be managed through due diligence and contracts.

View evidence examples ->

Vendor due diligence covering security, privacy, bias and explainability.
Review of model cards, SOC/ISO reports or published assurance statements.
Contractual controls: usage limits, data handling, breach notification and liability.

Users and stakeholders are informed when AI is used to make or support decisions, and can access a human review or opt out where applicable.

Transparency builds trust and meets regulatory expectations in many jurisdictions.

View evidence examples ->

User-facing disclosures explaining AI purpose, data used and limitations.
Clear contact points for human review, complaints or escalation.
Documented opt-out or alternative pathways where AI decisions are material.

📊

Evidence & Improvement

Evidence management, audits and management reviews.

Progress

0/3

AIMS evidence — policies, assessments, logs, test results — is centralised, version-controlled and retrievable for audit.

Audit-ready evidence must be organised, retained and accessible.

View evidence examples ->

An AIMS evidence library in SharePoint or equivalent with version control.
Monitoring logs and incident records retained in a governed system.
Retention policies applied to AI governance records.

Internal AI governance audits or assurance reviews are performed, with findings tracked through to verified closure.

Regular assurance confirms that AI governance controls are operating as intended.

View evidence examples ->

Internal AI governance or AIMS audits aligned to ISO 42001 requirements.
Findings logged with corrective actions, owners and due dates.
Evidence of verification that corrective actions were completed.

Leadership conducts regular reviews of AIMS performance — covering AI risks, incidents, KPIs and improvement opportunities.

Management reviews ensure ongoing accountability and strategic direction for AI governance.

View evidence examples ->

Management review minutes covering AI risks, incidents and performance KPIs.
Decisions on risk acceptance, resourcing and policy updates.
Tracked actions arising from AIMS management reviews.

Overall readiness

Answer questions to score

AIMS Governance -

Risk & Impact Assessment -

Design, Controls & Oversight -

Operations & Monitoring -

Suppliers & Transparency -

Evidence & Improvement -

0 of 18 questions answered

Available once all questions are answered

ISO 42001 AI Governance Readiness Checklist

Tell us about your environment

AIMS Governance

Risk & Impact Assessment

Design, Controls & Oversight

Operations & Monitoring

Suppliers & Transparency

Evidence & Improvement

Your report is ready