Flagship assessment
AI Applicability & Decision-Control Assessment
Most AI governance programs start with a framework. This assessment starts with applicability. For each AI use case, we determine which requirements apply, what decision the system influences, who is affected, which controls are required, and what evidence is needed for review, audit, examination, procurement, or oversight.
Who this is for
For regulated, public-sector, and consequential-decision environments.
- — Banks
- — Credit unions
- — Fintech lenders
- — AI vendors serving regulated buyers
- — Federal contractors
- — State agencies
- — Federal agencies
- — Public-sector vendors
- — Healthcare, benefits, employment, housing, or procurement decision systems
- — Organizations using generative AI, LLMs, or agentic AI in regulated workflows
The problem
AI requirements do not apply evenly.
- One source may apply only to large banking organizations.
- Another may apply only to federal agencies.
- Another may apply only to vendors in a procurement context.
- Another may apply only to credit decisions, consumer notices, high-impact AI, ADMT, or EU-exposed systems.
- Another may be withdrawn but still useful as regulatory signal.
- Another may be pre-effective but operationally urgent.
If the organization skips applicability, the control map will be wrong.
What we evaluate
For each organization and use case.
Organization facts
- — Institution type
- — Primary regulator
- — Asset size
- — Jurisdictions
- — Federal/state contracting exposure
- — Public-sector exposure
- — Consumer-facing activity
- — Credit, employment, housing, healthcare, benefits, or procurement activity
- — Third-party AI usage
- — Generative AI / LLM / agentic AI usage
- — EU exposure
Use case facts
- — AI system type
- — Vendor or internal status
- — Business decision influenced
- — Affected party
- — Autonomy level
- — Human role
- — Whether the system materially influences a consequential decision
- — Whether the system is credit-related
- — Whether adverse action may result
- — Whether consumer or citizen notice may be required
- — Whether monitoring, appeal, or correction processes are needed
Source facts
- — Binding law
- — Regulation
- — Federal policy
- — Supervisory expectation
- — Contractually relevant guidance
- — Management-system standard
- — Voluntary framework
- — Archived regulatory signal
- — Superseded source
- — Pre-effective source
- — Reference-only source
Method
Applicability → Decision → Risk → Control → Evidence
- Applicability
- We determine which sources apply directly, indirectly, by analogy, contractually, or not at all.
- Decision
- We map the AI system to the business or public-sector decision it influences.
- Risk
- We identify who is affected and what can go wrong.
- Control
- We map applicable obligations to specific governance controls.
- Evidence
- We define the artifacts needed to prove the controls exist and function.
Deliverables
Ten artifacts. One review-ready evidence file.
- 01
Organization Applicability Profile
A structured profile of the organization's regulatory identity, thresholds, jurisdictions, AI exposure, and relevant decision domains.
- 02
AI Use Case Inventory
A use-case-level inventory focused on decisions, affected parties, AI system type, owner, vendor, autonomy level, and risk tier.
- 03
Source Applicability Matrix
A source-by-source determination showing applicable, not applicable, excluded from scope, applicable by analogy, contractually relevant, withdrawn but signal, superseded historical, pre-effective prepare, or monitor only.
- 04
Decision-Control Map
A map connecting each AI use case to business decision, affected party, risk, applicable sources, obligations, required controls, required evidence, and owners.
- 05
Required Controls Register
A control register for applicable use cases, including control family, control owner, implementation status, test procedure, and mapped source.
- 06
Evidence Checklist
A practical evidence list showing what the organization has, what is missing, what is stale, and what would satisfy review.
- 07
Governance Gap Register
A prioritized list of gaps, including source of concern, severity, affected use case, recommended action, and owner.
- 08
Monitoring Queue
A list of source changes, pending guidance, rulemaking, enforcement shifts, or effective dates that could change the applicability determination.
- 09
90-Day Remediation Roadmap
A practical action plan for closing the most important gaps first.
- 10
Executive Readout
A clear summary for executives, boards, governance committees, procurement leaders, or oversight stakeholders.
Example use cases
What applicability looks like in practice.
AI-assisted loan underwriting
- Decision
- Approve, deny, price, or route credit application
- Affected party
- Borrower / applicant
- Likely controls
- Applicability assessment, validation, fair lending review, adverse action reason mapping, monitoring, vendor review
- Likely evidence
- Applicability memo, validation report, fair lending analysis, reason-code mapping, monitoring dashboard, vendor packet
Bank employee GenAI policy copilot
- Decision
- Internal answer or policy interpretation
- Affected party
- Staff directly, customers indirectly
- Likely controls
- GenAI risk assessment, access control, data leakage controls, human oversight, output testing, incident handling
- Likely evidence
- Prompt/output testing, acceptable use policy, monitoring log, escalation playbook, vendor model card
State agency benefits eligibility screening
- Decision
- Prioritize, recommend, screen, or determine eligibility
- Affected party
- Citizen / applicant
- Likely controls
- High-impact classification, human review, notice/disclosure, appeal and correction process, monitoring, procurement controls
- Likely evidence
- Impact assessment, eligibility decision map, vendor documentation, appeal process, monitoring log
The outcome
At the end of the assessment, the organization can answer.
- Which AI requirements apply to each use case?
- Why do they apply?
- Which sources are not applicable?
- Which sources matter only by analogy, signal, or contract?
- Which decisions are being influenced?
- Who is affected?
- Which controls are required?
- What evidence exists?
- What evidence is missing?
- What should be monitored?
That is the foundation of defensible AI governance.
Next step
Start with applicability.
If your organization is using AI in regulated, consequential, or public-sector decisions, the first conversation is an applicability conversation.
Book an Applicability Call