Checklist · 30 controls
The 2026 AI compliance checklist
Thirty controls covering governance, vendors, data, models and monitoring. Use it for an internal review or hand it to your auditor.
Governance
- Named AI compliance owner (not 'everyone in the leadership team')
- Written AI usage policy reviewed in the last 12 months
- Board-level reporting cadence for AI risk
- Generative AI policy distributed to all staff and contractors
Vendor & supply chain
- Vendor risk register listing every AI provider and sub-processor
- Signed data processing agreement (DPA) with every AI vendor that processes personal data on your behalf, wherever the vendor is based, plus a documented transfer mechanism (such as SCCs) for any vendor outside the EEA/UK
- Documented model provider and version per use case
- Review of vendor incident history before onboarding
Data
- Data flow diagram showing what data leaves your perimeter
- PII scrubbing or redaction before sending to third-party models
- Documented retention policy for prompts and outputs
- Lawful basis recorded for each AI-processed personal data set
Models & outputs
- Model cards for every internally fine-tuned model
- Bias and fairness testing on high-risk decisions
- Disclosure language in AI-generated client deliverables
- Rollback plan for model version changes
Human oversight
- Human-in-the-loop policy for high-risk outputs
- Documented review thresholds (confidence, dollar value, customer impact)
- Training records for staff using AI tools
- Escalation path for AI-related complaints
Monitoring & incident response
- Continuous monitoring of vendor security posture
- Audit log of system prompt, model version and configuration changes (who changed what, and when)
- Defined AI incident classification and severity scale
- Tested incident response runbook with named owners
Audit readiness
- Evidence pack exportable on demand (not assembled in a panic)
- Mapping from internal controls to EU AI Act articles
- Mapping to NIST AI RMF GOVERN/MAP/MEASURE/MANAGE
- Mapping to ISO/IEC 42001 clauses
- Quarterly attestation by compliance owner
- Annual third-party review of high-risk systems