## Core evidence
- AI use inventory: where AI is used, by whom, for what purpose and with what data.
- AI vendor register: tools, models, subprocessors, data-handling notes, contract owner and renewal date.
- Risk classification: each AI use rated for low, moderate or high scrutiny based on customer impact, the sensitivity of the data involved and the degree of automation.
- Internal AI use policy: what staff may and may not put into AI tools.
- Customer-facing AI trust statement: plain explanation of how AI is used and controlled.
- Due-diligence answer bank: prepared answers for recurring customer questionnaires.
- Evidence folder: one organised location for policies, registers, reviews, vendor documents and control notes.

## Fast self-audit

| Question | Pass condition |
|---|---|
| Can you list every AI tool your company uses? | Named owner, use case and data type for each tool. |
| Can you explain whether customer data enters AI tools? | Documented rule, not informal memory. |
| Can you answer a buyer asking how AI affects your product or service? | Reusable customer-facing statement. |
| Can you show who reviews AI vendors? | Vendor register with review status. |