The Method

Applicability → Decision → Risk → Control → Evidence

Most AI governance programs start with a framework. We start with applicability. Before an organization can govern AI, it has to know which requirements apply to which systems, decisions, vendors, jurisdictions, and affected parties. That requires more than a policy review — it requires a threshold-aware, source-status-aware method for turning AI use into reviewable control evidence.

01

Applicability

We determine which requirements, expectations, and source materials apply — and which do not.

Includes

  • Institution type
  • Asset thresholds
  • Primary regulator
  • Jurisdiction
  • Federal or state contracting exposure
  • Actor role
  • AI system type
  • Vendor relationship
  • Decision type
  • Consumer, citizen, borrower, employee, applicant, or public-service impact
  • Whether a source is active, under revision, withdrawn, superseded, pre-effective, or reference-only

Output

  • Organization applicability profile
  • Source applicability matrix
  • Applicability determination memo
  • Monitoring queue for unstable or changing sources
02

Decision

AI governance should not be tool-centered. It should be decision-centered. We identify the business or public-sector decision the AI system influences.

Includes

  • Approve or deny a loan
  • Price or route an application
  • Prioritize fraud alerts
  • Recommend benefits eligibility
  • Rank procurement proposals
  • Draft customer or citizen responses
  • Screen applicants
  • Summarize policy for staff
  • Escalate complaints or cases

Output

  • AI use case inventory
  • Business decision map
  • Decision owner assignment
  • Affected-party profile
03

Risk

Once the decision is clear, we assess what can go wrong and who can be harmed.

Includes

  • Fair lending or discrimination risk
  • Inaccurate or unsupported decision reasons
  • Model drift or performance degradation
  • Vendor opacity
  • Data leakage
  • Weak human oversight
  • Hallucinated or unsupported outputs
  • Lack of appeal or correction path
  • Poor monitoring
  • Incomplete recordkeeping
  • Procurement or contract gaps

Output

  • Risk assessment
  • Governance gap register
  • Use-case risk tier
  • High-impact / consequential-decision classification where applicable
04

Control

We map applicable obligations and expectations to specific controls — each tied to a source, a decision, and an owner.

Includes

  • AI inventory and use case intake
  • Business decision mapping and owner assignment
  • Applicability and jurisdiction assessment
  • Risk tiering and high-impact classification
  • Data lineage and suitability
  • Pre-deployment validation
  • Model and system documentation
  • Fairness and discrimination review
  • Adverse action reason mapping
  • Explainability and notice support
  • Human oversight
  • Vendor AI due diligence and procurement review
  • Monitoring, drift review, and incident response
  • Recordkeeping and evidence retention
  • Consumer or citizen disclosure
  • Appeal, correction, and human review process

Output

  • Required control register
  • Control owner mapping
  • Control implementation status
  • Test procedures
  • Remediation priorities
05

Evidence

Evidence is the product. A policy says what should happen. Evidence shows what did happen, who approved it, what was tested, what was monitored, and what reviewers can inspect.

Includes

  • Applicability determination memo
  • AI use case intake form
  • AI inventory
  • Risk assessment
  • Model and system card
  • Validation report
  • Fair lending or bias analysis
  • Adverse action reason mapping
  • Vendor due diligence packet
  • Data lineage record
  • Monitoring dashboard and review notes
  • Incident log
  • Board or executive report
  • Impact assessment
  • Consumer or citizen notice
  • Appeal and correction process documentation

Output

  • Evidence checklist
  • Evidence sufficiency review
  • Missing-evidence findings
  • 90-day remediation roadmap
  • Review-ready evidence file

Engagement modes

Assure. Deploy. Build.

The applicability-first method supports three engagement modes, depending on where the organization is.

Assure

For organizations that already have AI in production and need to know whether it is governed, controlled, and defensible.

Typical outputs

  • Applicability assessment
  • Use case inventory
  • Evidence gap review
  • Executive readout
  • Remediation roadmap

Deploy

For organizations preparing to launch AI systems and needing governance before production.

Typical outputs

  • Use case intake
  • Risk tiering
  • Pre-deployment control checklist
  • Vendor review
  • Monitoring plan
  • Approval evidence

Build

For organizations building an AI governance program, internal operating model, or source/control/evidence library.

Typical outputs

  • Governance architecture
  • Control library
  • Evidence library
  • Source monitoring queue
  • Decision-control templates
  • Operating cadence

Why this method works

AI governance fails when it starts with generic frameworks and ends with vague policy.

Regulated organizations need something more concrete. The method asks, and answers, six questions:

  • What applies?
  • To which use case?
  • Because of what source?
  • Under which threshold?
  • Requiring what control?
  • Proven by what evidence?

Next step

Start with applicability.

If your organization is using AI in regulated, consequential, or public-sector decisions, the first conversation is an applicability conversation.

Book an Applicability Call