Flagship assessment

AI Applicability & Decision-Control Assessment

Most AI governance programs start with a framework. This assessment starts with applicability. For each AI use case, we determine which requirements apply, what decision the system influences, who is affected, which controls are required, and what evidence is needed for review, audit, examination, procurement, or oversight.

Who this is for

For regulated, public-sector, and consequential-decision environments.

  • Banks
  • Credit unions
  • Fintech lenders
  • AI vendors serving regulated buyers
  • Federal contractors
  • State agencies
  • Federal agencies
  • Public-sector vendors
  • Healthcare, benefits, employment, housing, or procurement decision systems
  • Organizations using generative AI, LLMs, or agentic AI in regulated workflows

The problem

AI requirements do not apply evenly.

  • One source may apply only to large banking organizations.
  • Another may apply only to federal agencies.
  • Another may apply only to vendors in a procurement context.
  • Another may apply only to credit decisions, consumer notices, high-impact AI, ADMT, or EU-exposed systems.
  • Another may be withdrawn but still useful as regulatory signal.
  • Another may be pre-effective but operationally urgent.

If the organization skips applicability, the control map will be wrong.

What we evaluate

For each organization and use case.

Organization facts

  • Institution type
  • Primary regulator
  • Asset size
  • Jurisdictions
  • Federal/state contracting exposure
  • Public-sector exposure
  • Consumer-facing activity
  • Credit, employment, housing, healthcare, benefits, or procurement activity
  • Third-party AI usage
  • Generative AI / LLM / agentic AI usage
  • EU exposure

Use case facts

  • AI system type
  • Vendor or internal status
  • Business decision influenced
  • Affected party
  • Autonomy level
  • Human role
  • Whether the system materially influences a consequential decision
  • Whether the system is credit-related
  • Whether adverse action may result
  • Whether consumer or citizen notice may be required
  • Whether monitoring, appeal, or correction processes are needed

Source facts

  • Binding law
  • Regulation
  • Federal policy
  • Supervisory expectation
  • Contractually relevant guidance
  • Management-system standard
  • Voluntary framework
  • Archived regulatory signal
  • Superseded source
  • Pre-effective source
  • Reference-only source

Method

Applicability → Decision → Risk → Control → Evidence

Applicability
We determine which sources apply directly, indirectly, by analogy, contractually, or not at all.
Decision
We map the AI system to the business or public-sector decision it influences.
Risk
We identify who is affected and what can go wrong.
Control
We map applicable obligations to specific governance controls.
Evidence
We define the artifacts needed to prove the controls exist and function.

Deliverables

Ten artifacts. One review-ready evidence file.

  1. 01

    Organization Applicability Profile

    A structured profile of the organization's regulatory identity, thresholds, jurisdictions, AI exposure, and relevant decision domains.

  2. 02

    AI Use Case Inventory

    A use-case-level inventory focused on decisions, affected parties, AI system type, owner, vendor, autonomy level, and risk tier.

  3. 03

    Source Applicability Matrix

    A source-by-source determination showing applicable, not applicable, excluded from scope, applicable by analogy, contractually relevant, withdrawn but signal, superseded historical, pre-effective prepare, or monitor only.

  4. 04

    Decision-Control Map

    A map connecting each AI use case to business decision, affected party, risk, applicable sources, obligations, required controls, required evidence, and owners.

  5. 05

    Required Controls Register

    A control register for applicable use cases, including control family, control owner, implementation status, test procedure, and mapped source.

  6. 06

    Evidence Checklist

    A practical evidence list showing what the organization has, what is missing, what is stale, and what would satisfy review.

  7. 07

    Governance Gap Register

    A prioritized list of gaps, including source of concern, severity, affected use case, recommended action, and owner.

  8. 08

    Monitoring Queue

    A list of source changes, pending guidance, rulemaking, enforcement shifts, or effective dates that could change the applicability determination.

  9. 09

    90-Day Remediation Roadmap

    A practical action plan for closing the most important gaps first.

  10. 10

    Executive Readout

    A clear summary for executives, boards, governance committees, procurement leaders, or oversight stakeholders.

Example use cases

What applicability looks like in practice.

AI-assisted loan underwriting

Decision
Approve, deny, price, or route credit application
Affected party
Borrower / applicant
Likely controls
Applicability assessment, validation, fair lending review, adverse action reason mapping, monitoring, vendor review
Likely evidence
Applicability memo, validation report, fair lending analysis, reason-code mapping, monitoring dashboard, vendor packet

Bank employee GenAI policy copilot

Decision
Internal answer or policy interpretation
Affected party
Staff directly, customers indirectly
Likely controls
GenAI risk assessment, access control, data leakage controls, human oversight, output testing, incident handling
Likely evidence
Prompt/output testing, acceptable use policy, monitoring log, escalation playbook, vendor model card

State agency benefits eligibility screening

Decision
Prioritize, recommend, screen, or determine eligibility
Affected party
Citizen / applicant
Likely controls
High-impact classification, human review, notice/disclosure, appeal and correction process, monitoring, procurement controls
Likely evidence
Impact assessment, eligibility decision map, vendor documentation, appeal process, monitoring log

The outcome

At the end of the assessment, the organization can answer.

  • Which AI requirements apply to each use case?
  • Why do they apply?
  • Which sources are not applicable?
  • Which sources matter only by analogy, signal, or contract?
  • Which decisions are being influenced?
  • Who is affected?
  • Which controls are required?
  • What evidence exists?
  • What evidence is missing?
  • What should be monitored?

That is the foundation of defensible AI governance.

Next step

Start with applicability.

If your organization is using AI in regulated, consequential, or public-sector decisions, the first conversation is an applicability conversation.

Book an Applicability Call