The Method
Applicability → Decision → Risk → Control → Evidence
Most AI governance programs start with a framework. We start with applicability. Before an organization can govern AI, it has to know which requirements apply to which systems, decisions, vendors, jurisdictions, and affected parties. That requires more than a policy review — it requires a threshold-aware, source-status-aware method for turning AI use into reviewable control evidence.
Applicability
We determine which requirements, expectations, and source materials apply — and which do not.
Includes
- — Institution type
- — Asset thresholds
- — Primary regulator
- — Jurisdiction
- — Federal or state contracting exposure
- — Actor role
- — AI system type
- — Vendor relationship
- — Decision type
- — Consumer, citizen, borrower, employee, applicant, or public-service impact
- — Whether a source is active, under revision, withdrawn, superseded, pre-effective, or reference-only
Output
- — Organization applicability profile
- — Source applicability matrix
- — Applicability determination memo
- — Monitoring queue for unstable or changing sources
Decision
AI governance should not be tool-centered. It should be decision-centered. We identify the business or public-sector decision the AI system influences.
Includes
- — Approve or deny a loan
- — Price or route an application
- — Prioritize fraud alerts
- — Recommend benefits eligibility
- — Rank procurement proposals
- — Draft customer or citizen responses
- — Screen applicants
- — Summarize policy for staff
- — Escalate complaints or cases
Output
- — AI use case inventory
- — Business decision map
- — Decision owner assignment
- — Affected-party profile
Risk
Once the decision is clear, we assess what can go wrong and who can be harmed.
Includes
- — Fair lending or discrimination risk
- — Inaccurate or unsupported decision reasons
- — Model drift or performance degradation
- — Vendor opacity
- — Data leakage
- — Weak human oversight
- — Hallucinated or unsupported outputs
- — Lack of appeal or correction path
- — Poor monitoring
- — Incomplete recordkeeping
- — Procurement or contract gaps
Output
- — Risk assessment
- — Governance gap register
- — Use-case risk tier
- — High-impact / consequential-decision classification where applicable
Control
We map applicable obligations and expectations to specific controls — each tied to a source, a decision, and an owner.
Includes
- — AI inventory and use case intake
- — Business decision mapping and owner assignment
- — Applicability and jurisdiction assessment
- — Risk tiering and high-impact classification
- — Data lineage and suitability
- — Pre-deployment validation
- — Model and system documentation
- — Fairness and discrimination review
- — Adverse action reason mapping
- — Explainability and notice support
- — Human oversight
- — Vendor AI due diligence and procurement review
- — Monitoring, drift review, and incident response
- — Recordkeeping and evidence retention
- — Consumer or citizen disclosure
- — Appeal, correction, and human review process
Output
- — Required control register
- — Control owner mapping
- — Control implementation status
- — Test procedures
- — Remediation priorities
Evidence
Evidence is the product. A policy says what should happen. Evidence shows what did happen, who approved it, what was tested, what was monitored, and what reviewers can inspect.
Includes
- — Applicability determination memo
- — AI use case intake form
- — AI inventory
- — Risk assessment
- — Model and system card
- — Validation report
- — Fair lending or bias analysis
- — Adverse action reason mapping
- — Vendor due diligence packet
- — Data lineage record
- — Monitoring dashboard and review notes
- — Incident log
- — Board or executive report
- — Impact assessment
- — Consumer or citizen notice
- — Appeal and correction process documentation
Output
- — Evidence checklist
- — Evidence sufficiency review
- — Missing-evidence findings
- — 90-day remediation roadmap
- — Review-ready evidence file
Engagement modes
Assure. Deploy. Build.
The applicability-first method supports three engagement modes, depending on where the organization is.
Assure
For organizations that already have AI in production and need to know whether it is governed, controlled, and defensible.
Typical outputs
- — Applicability assessment
- — Use case inventory
- — Evidence gap review
- — Executive readout
- — Remediation roadmap
Deploy
For organizations preparing to launch AI systems and needing governance before production.
Typical outputs
- — Use case intake
- — Risk tiering
- — Pre-deployment control checklist
- — Vendor review
- — Monitoring plan
- — Approval evidence
Build
For organizations building an AI governance program, internal operating model, or source/control/evidence library.
Typical outputs
- — Governance architecture
- — Control library
- — Evidence library
- — Source monitoring queue
- — Decision-control templates
- — Operating cadence
Why this method works
AI governance fails when it starts with generic frameworks and ends with vague policy.
Regulated organizations need something more concrete. The method asks, and answers, six questions:
- What applies?
- To which use case?
- Because of what source?
- Under which threshold?
- Requiring what control?
- Proven by what evidence?
Next step
Start with applicability.
If your organization is using AI in regulated, consequential, or public-sector decisions, the first conversation is an applicability conversation.
Book an Applicability Call