The 12 items
- Written scope: which teams and systems are in scope for AI governance this quarter.
- Inventory of AI tools — approved and discovered shadow AI.
- Data classification rules: what must never enter public models.
- Owner (RACI) for approving new AI pilots.
- Human oversight defined for decisions that affect people.
- Vendor list with DPAs or equivalent for AI sub-processors.
- Incident path when AI output causes harm or exposure.
- Training: short module + where to read the policy.
- Link to privacy / security programs (ISO 27001, SOC 2, PIPEDA) where relevant.
- Evidence folder: decisions, approvals, and review dates.
- Executive summary one-pager for the board or a key customer.
- Review cadence (at least every 6 months).
Next step
Pair this list with a shadow AI discovery pass and an AI risk assessment. The portal on aigrc.app (also iso42001.co, ai-grc.app) branches by your answers and highlights ISO 42001 / EU AI Act gaps in about 15 minutes.
Need a facilitated program? ISO 42001 consulting (international) · Israel ISO 42001 services.
FAQ
Is this an ISO 42001 certification checklist?
No. It is an operational readiness list for security and GRC leads. For AIMS structure and Annex A mapping, see our ISO 42001 guide and the portal assessment.
How often should we rerun this?
At least every six months, or after a major AI launch, vendor change, or customer audit request.