Governance.
AI policy, accountable owner, inventory, framework alignment.
Why this dimension matters
Governance is the foundation of every AI security program. The Govern function in NIST AI RMF and clauses 4 through 6 of ISO 42001 both prioritize the same things: a written AI policy, a named accountable executive, an inventory of AI systems, and documented framework alignment. Without governance, every other dimension drifts. Engineering teams adopt AI tools faster than security can review them. Vendors get onboarded without contracts. Shadow AI grows without discovery. The Posture Check measures governance maturity across five questions covering policy, accountability, inventory, framework mapping, and shadow-AI discovery. Each question maps to a specific NIST AI RMF subcategory, and the score band on this dimension determines whether your AI program is best served by foundational policy work, ISO 42001 readiness, or external validation.
Posture Check questions for governance
- Does your organization have a written AI use policy that has been approved by leadership?
  - 0: No policy exists
  - 1: Identified the need, no action
  - 2: Draft policy in progress
  - 3: Approved policy in operation
- Is there a named individual accountable for AI risk at executive level?
  - 0: No
  - 1: Identified, not assigned
  - 2: Assigned, not yet integrated into risk management
  - 3: Named owner with signed-off accountability
- Do you maintain an inventory of AI systems in use across the organization, including both internally built and SaaS-delivered AI?
  - 0: No inventory
  - 1: Partial inventory of internally built systems only
  - 2: Inventory in progress
  - 3: Continuously maintained inventory of internal and SaaS AI
- Have you mapped your AI use to a recognized framework such as NIST AI RMF, ISO 42001, or the EU AI Act?
  - 0: No mapping
  - 1: Identified relevant frameworks
  - 2: Mapping in progress
  - 3: Documented mapping with regular reviews
- Does your AI governance include a process for shadow or unsanctioned AI deployments to be discovered and brought into governance?
  - 0: No process
  - 1: Discovered through reactive incidents
  - 2: Periodic discovery process
  - 3: Continuous monitoring with documented response process
Score yourself on governance.
The free 30-question Posture Check measures all six dimensions. Get a per-dimension breakdown plus prioritized recommendations.
Take the AI Posture Check
Get a Standard Audit on your governance controls.
A senior CWS engineer reviews your specific deployments, runs adversarial tests where applicable, and produces a remediation roadmap.
Schedule a Discovery Call