
AI Governance Assessment

CLAIMED GOVERNANCE POSTURE VS. DEMONSTRABLE GOVERNANCE EVIDENCE.

AI governance assessment maturity control tower — AIG tier model

The pace of AI adoption inside enterprise infrastructure has outrun the governance architecture surrounding it. Platforms are deployed. Integrations are live. Data flows into and out of systems that may have no named owner, no audit trail, and no documented policy controlling their operation.

AI governance assessment measures the difference between claimed governance posture and demonstrable governance evidence. That gap — between what an organization says it governs and what it can actually prove — is where AI risk lives.

The AI Governance Assessment was built to close that measurement gap. Six domains. Five maturity tiers. A standardized output that is citable in board presentations, vendor risk reviews, and audit documentation.

>_ Six Assessment Domains

D1 — Governance & Accountability · 20%

Named ownership, policy documentation, board and executive visibility, AI governance authority assignment.

D2 — Data Governance · 20%

Data classification applied to AI inputs and outputs, PII controls, residency compliance, retention policy enforcement.

D3 — Security Controls · 20%

RBAC enforcement, privileged access governance, private network isolation, audit logging enablement and immutability.

D4 — Operational Controls · 15%

AI-specific incident response, change approval for model updates, operational monitoring, agentic failure mode documentation.

D5 — Vendor Oversight · 10%

SaaS AI dependency inventory, DPA coverage, vendor exit readiness, contract controls on third-party AI data use.

D6 — Monitoring & Assurance · 15%

Continuous monitoring active on AI platforms, alerting for anomalous usage, audit trail completeness, governance evidence producible on request.

AI governance assessment does not assess model accuracy, output quality, prompt engineering, or AI product roadmap maturity. The scope is the governance and control architecture surrounding AI platforms — the layer where enterprise risk concentrates when adoption moves faster than accountability.

AIGA framework — maturity assessment

>_ AIG Maturity Tiers

AIG-1
Ad Hoc

No consistent AI governance. Deployments are individual decisions. No policy, no inventory, no audit trail. Governance depends entirely on individual awareness.

AIG-2
Emerging

Governance awareness exists but is inconsistently applied. Some policies are documented. Ownership is informal. Audit trails are partial or unreliable.

AIG-3
Defined

Governance is formally documented and consistently applied. Named ownership exists. Core controls are in place. Evidence is producible but not continuous.

AIG-4
Managed

Governance is measured and monitored continuously. Controls are verified, not assumed. Evidence is automated and available on demand across all six domains.

AIG-5
Optimized

Governance is embedded in architecture and operational process. Controls adapt to new AI deployments automatically. Evidence production requires no manual reconstruction.

>_ Governance Kill Switches

Certain foundational controls cannot be compensated for by strong performance in other domains. Organizations missing AI platform inventory, deployment approval controls, audit logging, data classification, or accountable governance ownership may have their maturity tier capped regardless of overall score.

AIGA is not a weighted questionnaire. Kill switch findings are surfaced separately in every assessment output, including the free analyzer.

AIGA framework — claims vs evidence governance gap

AI Governance Assessment Scorecard

The AIGA Scorecard is the primary output artifact produced for every assessment tier — free analyzer through full engagement. One page. Executive-ready. Designed to be shared without the full report.

The scorecard provides a standardized measurement of AI governance maturity across six domains. Results include domain-level scoring, maturity tier assignment, identified governance gaps, and kill-switch findings where applicable.

>_ Scorecard Use Cases

01 Board and executive reporting — AIG tier and domain breakdown in a format leadership can read without interpretation
02 Vendor risk reviews — provide standardized governance posture evidence without exposing internal control details
03 Internal governance programs — a baseline measurement for tracking maturity progression across assessment cycles
04 Audit preparation — documented governance posture with domain evidence traceable to assessment findings
05 AI policy development — gap summary drives policy prioritization; tier assignment provides external reference point

The scorecard citation format is standardized: Organization assessed at AIG-3 (Defined) — June 2026. Both AIG designation and public label appear in every citation. Governance posture is a point-in-time measurement; annual reassessment is recommended.

>_ AI Governance Assessment Options

AIGA Analyzer
Free

Self-service governance maturity check. Instant result. No consulting.

What You Get
  • AIG maturity tier assignment
  • Domain-level scores across all six domains
  • Governance gap summary
  • Kill switch findings where triggered
  • AIGA Scorecard

Evidence Review
$499

Independent governance assessment. Written findings. Five business day turnaround from receipt of complete evidence package.

What You Get
  • Independent scoring validation against submitted evidence
  • Governance gap analysis across all six domains
  • Kill switch evaluation and documentation
  • 4–6 page findings report
  • AIGA Scorecard

Full Assessment
$3,500–$5,000

Complete AIGA engagement. Discovery session, evidence collection, independent findings, and executive briefing.

What You Get
  • Discovery session with technology leadership
  • Evidence review and scoring validation
  • AI platform inventory (Governed / Partially Governed / Uncontrolled)
  • Governance gap matrix with risk ratings
  • Remediation roadmap — 0–30 / 30–90 / 90–180 day horizons
  • Executive summary (8–12 pages)
  • AIGA Scorecard

For paid assessment tiers, AIGA follows a three-phase process. The clock starts at evidence delivery, not at initial contact.

Discovery — An intake call establishes scope, AI platform inventory, and the evidence collection plan. For the Full Assessment, this includes a structured session with technology leadership to map the governance state across all six domains before collection begins.

Analysis — Evidence is reviewed against the AIGA scoring model. Each domain is scored independently. Kill switch conditions are evaluated. The scoring model is deterministic — results are not subject to interpretation drift between assessments.

Findings — Outputs are delivered as specified by assessment tier. The AIGA Scorecard is delivered first in all cases — the one-page executive artifact that precedes the full report package and can be shared independently.

>_ Get Started

Run the free AIGA Analyzer to get your governance maturity tier in minutes. Or reach out directly to discuss a paid engagement.

AI Governance Assessment incorporates governance concepts developed across the Rack2Cloud framework portfolio, including operational autonomy maturity, observability authority, governance investment failure patterns, and evidence-based assessment methodologies. The AI Governance Assurance Gap — the measurable distance between claimed governance posture and demonstrable control state — is the proprietary framework at the center of every AIGA engagement.