Do you have a formal register of every AI model deployed in production?
Does each model record include the model's purpose and the decisions it makes or influences?
Has every model been assigned a risk tier (High / Medium / Low)?
Does each model record identify a named business owner and a named technical owner?
Is model version history maintained for every model in production?
Does the inventory include all AI systems — not just the primary model — including pre-screening classifiers and segmentation models?
Is the inventory reviewed and updated when new models are deployed or existing models are updated?
Can you produce the complete inventory within one hour of a regulator's request?
Does the inventory note the date each model was first deployed to production?
Does the inventory record the status of the most recent risk assessment for each model?
Has every High-risk model completed a formal risk assessment before going live?
Has every Medium-risk model completed a formal risk assessment before going live?
Does each assessment document the decision scope — what decisions the model makes and who is affected?
Does each assessment document the model's known failure modes?
Does each assessment document the human oversight mechanism in place?
Has each assessment been signed off by a technical reviewer who did not build the model?
Has each assessment been signed off by a business approver at appropriate seniority?
Are completed assessments stored as retrievable PDF artifacts?
Do assessments for models live before January 2026 exist on file?
Is there a defined process for triggering a new assessment when a model is significantly updated?
Is there a documented oversight mechanism for every High-risk model in production?
Are the conditions that trigger mandatory human review explicitly defined per model?
Is the name of the person responsible for human review recorded for each model?
Is every human review logged with the reviewer's name, timestamp, outcome, and rationale?
Is override rate calculated and monitored for each model?
Is there a defined escalation path when human review is unavailable or inconclusive?
Does every High and Medium risk model's decisions feed into a searchable audit log?
Can the audit log be searched by customer ID to return all decisions about a specific individual?
Are audit log records tamper-evident — with controls preventing deletion or modification?
Can you export a formatted audit log for a specified model and date range within two hours?
Is model performance monitored in production on a defined cadence?
Is feature drift monitored using a metric such as PSI?
Is there a defined threshold for drift that triggers model revalidation?
Is volume anomaly monitoring in place for each production model?
Are bias testing results documented at least annually for each High-risk model?
Is there a formal incident management process for AI model failures?
Have all open model incidents been documented with root cause and remediation?
Is there a defined revalidation cadence for each model (at minimum annual for High-risk)?
Are model performance metrics compared to baseline at each review?
Is there a process for notifying senior management when a model's performance deteriorates materially?
Does your board receive a formal AI risk report at least quarterly?
Does the board report cover the model inventory, override rates, open incidents, and compliance status?
Is a named senior manager accountable for AI governance across the institution?
Does the board understand the risk tier of each model in production?
Is your AI governance framework documented at board level and reviewed at least annually?
For every third-party AI vendor, does your contract include explicit audit rights?
Do third-party AI vendor contracts include an immediate cessation clause?
Have you assessed the data residency practices of every third-party AI vendor?
Do you receive model validation documentation from third-party AI vendors on request?
Has the board approved the AI risk tolerance level for your institution?