{"skill":{"slug":"afrexai-ai-governance","displayName":"AI Governance Policy Builder","summary":"Framework to establish AI governance, assess AI maturity, manage algorithmic risks, conduct impact assessments, classify AI system risk, and ensure regulator...","description":"# AI Governance Policy Builder\n\nBuild internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.\n\n## When to Use\n- Writing or reviewing internal AI acceptable use policies\n- Establishing AI governance committees or review boards\n- Mapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)\n- Evaluating vendor AI terms and liability clauses\n- Preparing board-level AI governance reports\n\n## Governance Policy Framework\n\n### 1. Acceptable Use Policy (AUP)\n\nEvery organization running AI needs a written AUP covering:\n\n**Permitted Uses**\n- List approved AI tools by department and function\n- Define data classification tiers (public, internal, confidential, restricted)\n- Map which data tiers can enter which AI systems\n- Specify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)\n\n**Prohibited Uses**\n- Customer PII in non-SOC2 models without anonymization\n- Autonomous financial decisions above $[threshold] without human review\n- HR screening/scoring without bias audit documentation\n- Any use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)\n\n**Shadow AI Detection**\n| Signal | Risk Level | Action |\n|--------|-----------|--------|\n| API calls to unknown AI endpoints | HIGH | Block + investigate |\n| Browser extensions with AI features | MEDIUM | Audit + approve/deny |\n| Personal accounts on company devices | MEDIUM | Policy reminder + monitor |\n| Exported data to AI training sets | CRITICAL | Immediate review |\n\n### 2. AI Model Selection & Procurement\n\n**Evaluation Scorecard (100 points)**\n\n| Criteria | Weight | What to Check |\n|----------|--------|---------------|\n| Data residency & sovereignty | 20 | Where is data processed? Stored? Can you choose region? |\n| Security certifications | 20 | SOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP |\n| Model transparency | 15 | Training data provenance, bias testing, version control |\n| Contract terms | 15 | Data usage rights, indemnification, SLA, exit clauses |\n| Performance & cost | 15 | Latency, accuracy benchmarks, token pricing, rate limits |\n| Integration & support | 15 | API stability, documentation quality, support SLA |\n\n**Minimum score for production deployment: 70/100**\n\n**Red Flags (automatic disqualification):**\n- Vendor trains on your data without opt-out\n- No data processing agreement (DPA) available\n- Indemnification excluded for AI outputs\n- No incident response SLA\n\n### 3. Data Handling & Classification\n\n**AI Data Flow Audit Template**\n\nFor each AI integration, document:\n1. **Input data**: What goes in? Classification tier? PII present?\n2. **Processing**: Where? Which model? Hosted or API? Region?\n3. **Output data**: What comes out? Stored where? Retention period?\n4. **Training**: Does vendor use your data for training? Opt-out confirmed?\n5. **Logging**: Are prompts/responses logged? Where? Who has access?\n6. **Deletion**: Can you request data deletion? Verified how?\n\n**Data Minimization Checklist**\n- [ ] Only send minimum necessary data to AI systems\n- [ ] Strip PII before processing where possible\n- [ ] Use synthetic data for testing and development\n- [ ] Implement input sanitization for prompt injection prevention\n- [ ] Audit output for data leakage (model regurgitating training data)\n\n### 4. Regulatory Compliance Mapping\n\n**EU AI Act (effective Aug 2025, enforcement Feb 2025)**\n\n| Risk Category | Examples | Requirements |\n|--------------|----------|-------------|\n| Unacceptable | Social scoring, real-time biometric ID (most cases) | Banned |\n| High-risk | HR screening, credit scoring, medical devices | Conformity assessment, human oversight, transparency |\n| Limited | Chatbots, deepfakes | Transparency obligations (disclose AI use) |\n| Minimal | Spam filters, game AI | No requirements |\n\n**NIST AI RMF (Risk Management Framework)**\n- Map: Identify AI systems in use\n- Measure: Quantify risks per system\n- Manage: Implement controls proportional to risk\n- Govern: Establish oversight structure and accountability\n\n**ISO 42001 (AI Management System)**\n- Useful for organizations wanting certified AI governance\n- Aligns with ISO 27001 (already have it? Easier path)\n- Covers: AI policy, risk assessment, objectives, competence, documentation\n\n### 5. AI Governance Committee Structure\n\n**Recommended Composition**\n- Chair: CTO or Chief AI Officer\n- Legal: 1 representative (contracts, compliance)\n- Security: CISO or delegate (data protection, incident response)\n- Business: 1-2 department heads (use case prioritization)\n- Ethics: External advisor or designated internal role\n- Finance: CFO delegate (budget, ROI tracking)\n\n**Meeting Cadence**\n- Monthly: Review new AI use cases, vendor changes, incidents\n- Quarterly: Policy updates, compliance audit, budget review\n- Annually: Full governance framework review, board report\n\n**Decision Authority**\n| Decision | Authority Level |\n|----------|----------------|\n| New AI tool (< $5K/year) | Department head + security review |\n| New AI tool (> $5K/year) | Governance committee approval |\n| Customer-facing AI | Committee + legal + CEO sign-off |\n| AI incident response | Security lead (immediate) → Committee (48h review) |\n\n### 6. Vendor Contract Checklist\n\nBefore signing any AI vendor contract, confirm:\n\n- [ ] Data processing agreement (DPA) signed\n- [ ] Your data is NOT used for model training (or explicit opt-out confirmed)\n- [ ] Data residency requirements met (specify regions)\n- [ ] Indemnification clause covers AI-generated output liability\n- [ ] SLA includes uptime, latency, and support response time\n- [ ] Exit clause: data export format, deletion timeline, transition support\n- [ ] Security certifications current and verified (not expired)\n- [ ] Incident notification timeline specified (72h or less)\n- [ ] Subprocessor list provided with change notification rights\n- [ ] Insurance coverage for AI-specific risks confirmed\n- [ ] Price lock or cap on increases for contract duration\n- [ ] Right to audit (or audit report access)\n\n### 7. Board Reporting Template\n\n**Quarterly AI Governance Report**\n\n```\nAI GOVERNANCE REPORT — Q[X] [YEAR]\n\n1. AI PORTFOLIO SUMMARY\n   - Active AI systems: [count]\n   - New deployments this quarter: [count]\n   - Retired/replaced: [count]\n   - Total AI spend: $[amount] (vs budget: $[amount])\n\n2. RISK DASHBOARD\n   - High-risk systems: [count] — all compliant: [Y/N]\n   - Open incidents: [count] — resolved this quarter: [count]\n   - Shadow AI detections: [count] — remediated: [count]\n   - Compliance gaps: [list]\n\n3. VALUE DELIVERED\n   - Hours saved: [estimate]\n   - Revenue attributed to AI: $[amount]\n   - Cost reduction: $[amount]\n   - Customer satisfaction impact: [metric]\n\n4. KEY DECISIONS NEEDED\n   - [Decision 1: context + recommendation]\n   - [Decision 2: context + recommendation]\n\n5. NEXT QUARTER PRIORITIES\n   - [Priority 1]\n   - [Priority 2]\n```\n\n### 8. Incident Response for AI Systems\n\n**AI-Specific Incident Categories**\n\n| Category | Example | Response Time |\n|----------|---------|---------------|\n| Data breach via AI | Model leaks PII in output | Immediate — invoke security IR plan |\n| Hallucination causing harm | Wrong medical/legal/financial advice acted on | 4h — document, notify affected parties |\n| Bias detected | Discriminatory output in hiring/lending | 24h — suspend system, audit, remediate |\n| Prompt injection | Attacker manipulates AI behavior | Immediate — block vector, patch |\n| Cost overrun | Runaway API calls | 4h — rate limit, investigate, cap |\n| Vendor incident | Provider breach or outage | Per vendor SLA — activate backup |\n\n**Post-Incident Review Template**\n1. What happened (factual timeline)\n2. Impact (who/what affected, cost, duration)\n3. Root cause (not blame — systems thinking)\n4. Fixes applied (immediate + permanent)\n5. Policy/process changes needed\n6. Board notification required? (Y/N + rationale)\n\n## Cost of NOT Having AI Governance\n\n| Company Size | Annual Risk Without Governance |\n|-------------|-------------------------------|\n| 15-50 employees | $50K-$200K (shadow AI waste, compliance fines) |\n| 50-200 employees | $200K-$800K (data incidents, vendor lock-in, redundant tools) |\n| 200-1000 employees | $800K-$3M (regulatory penalties, IP exposure, audit failures) |\n| 1000+ employees | $3M-$15M+ (class action, regulatory enforcement, reputational damage) |\n\n## 90-Day Implementation Roadmap\n\n**Month 1: Foundation**\n- Draft acceptable use policy\n- Inventory all AI systems in use (including shadow AI)\n- Classify data flowing through each system\n- Identify governance committee members\n\n**Month 2: Controls**\n- Finalize and distribute AUP\n- Implement vendor evaluation scorecard for new purchases\n- Set up AI incident response procedures\n- Begin regulatory compliance mapping\n\n**Month 3: Operationalize**\n- First governance committee meeting\n- Deliver first board report\n- Establish monitoring for shadow AI\n- Schedule quarterly policy review cycle\n\n---\n\n*Built by AfrexAI — AI operations infrastructure for mid-market companies.*\n\nGet the full industry-specific context pack for your sector ($47): https://afrexai-cto.github.io/context-packs/\n\nCalculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/\n\nSet up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/\n\nNeed all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7\n","topics":["Policy"],"tags":{"ai-safety":"1.1.0","compliance":"1.1.0","enterprise":"1.1.0","eu-ai-act":"1.1.0","governance":"1.1.0","latest":"1.1.0","nist":"1.1.0","policy":"1.1.0","ai":"1.0.0","ethics":"1.0.0","responsible-ai":"1.0.0"},"stats":{"comments":0,"downloads":967,"installsAllTime":36,"installsCurrent":1,"stars":0,"versions":2},"createdAt":1771611941589,"updatedAt":1778491594064},"latestVersion":{"version":"1.1.0","createdAt":1771715668963,"changelog":"**Summary:** Major update focusing on practical policy templates and governance structures for organizational AI.\n\n- Introduces a comprehensive AI policy builder, including Acceptable Use Policy, procurement scorecards, and board-level governance reporting.\n- Adds clear frameworks for data handling, regulatory mapping (EU AI Act, NIST, ISO 42001), and vendor contract review.\n- Replaces prior theoretical/maturity model content with practical checklists, templates, and committee structures.\n- Provides actionable risk controls for shadow AI, incident response, and compliance tracking.\n- Delivers concise, real-world tools for organizations establishing or updating internal AI governance programs.","license":null},"metadata":null,"owner":{"handle":"1kalin","userId":"s17e1q0nx23qnh4n429zzqc05x83hvsw","displayName":"1kalin","image":"https://avatars.githubusercontent.com/u/15705344?v=4"},"moderation":null}