HFI · Harvest & Fort Industries

For auditors · GRC practitioners · security professionals

Your clients are shipping AI-built apps. Can you audit them?

The audit framework, checklist, and practitioner community for security professionals and GRC practitioners adding AI governance to their practice.

AI-assisted development has compressed the build-to-customer timeline. Your assessment playbook was not designed for systems where the model behavior changes between deployments, where prompts are the new attack surface, and where vendor lists include foundation-model providers. This is the practitioner-side framework for catching up.

From “they built it” to “you can sign off on it.”

The gap

Your existing playbook does not know what to ask yet.

You can run a SOC 2 assessment. You can write a SAR. You can develop a POA&M. None of that goes away. But when the system in scope is an AI-built application, the standard control catalog has visible gaps:

  • Which controls apply to prompt management?
  • How do you verify model output handling?
  • What evidence proves the AI vendor is in scope?
  • How are foundation-model changes (new model versions, provider-side updates) treated under configuration management (CM)?
  • Who owns AI use-case approval?
  • What does “explainability” look like in an SSP?
  • How do you document data flow into a hosted LLM?
  • What is the right finding severity for a prompt-injection risk?

The questions are not impossible. The frameworks exist (NIST AI RMF, ISO 42001, NIST SP 800-53 Rev. 5 augmented with AI-specific controls). What practitioners need is a working set of audit questions, evidence patterns, and tier mappings that translate framework language into actual engagement work. That is what this checklist and community provide.

What’s inside

Twenty-five questions mapped to five audit categories.

Run the checklist standalone or fold it into an existing engagement. Each question is paired with an evidence prompt and a finding template you can adapt.

01

System & boundary

AI components, scope definition, hosting topology, prompt/output ownership.

02

Data handling

Sensitive data inputs, prompt logging, output retention, training data lineage.

03

Access & admin

MFA, admin sprawl, API key management, model deployment authority, kill-switch.

04

Vendors & supply chain

Foundation-model providers, RAG infrastructure, terms review, sub-processors.

05

Evidence & operations

Logging, monitoring, incident response, change management, audit-ready artifacts.

Tier mapping

Score the engagement against four tiers: Audit-Ready, Defensible, Emerging, and Ad Hoc. Each tier maps to the finding-severity language you already use, so the result drops into an existing SAR or POA&M without a new rating scale.

Who this is for

Built for practitioners. Not for the builders themselves.

Built for

  • Auditors and assessors adding AI to their engagement scope
  • GRC practitioners building AI controls into existing programs
  • Security engineers reviewing AI app deployments
  • Compliance and risk leads navigating NIST AI RMF, ISO 42001, and the EU AI Act
  • HFI GRC Practitioner Program alumni extending their training into AI
  • Consultants advising founders shipping AI products

Not for

  • Builders themselves shipping their first AI product (use Vibe-Coded to Compliant instead)
  • AI researchers focused on model safety
  • Policy analysts working on regulation drafting
  • Pure technical model evaluation (red-teaming, jailbreak testing)

Building yourself? See the Vibe-Coded to Compliant track.

Beyond the checklist

Join the AI Governance Practitioner Network.

The checklist is a starting point. The practitioner network is where the working artifacts live — control crosswalks, evidence templates, finding language, framework interpretations, and the ongoing conversation between practitioners encountering AI audits in real engagements.

Aysha runs ai-governance.zip as the public reference and the practitioner network as the working community behind it. Together they are the practitioner-side counterpart to HFI’s GRC Practitioner Program — for people already in the field who need to add AI governance to their practice.

For HFI GRC Practitioner Program alumni

If you took Bruce’s class, this is the next step.

Bruce’s training built the foundation: how to do real GRC work, write defensible SARs, develop POA&Ms, run continuous monitoring. AI governance is a natural extension of that practice. The checklist is built to map onto the artifacts you already know how to produce.

Ready to start auditing AI?

Twenty-five questions, evidence-anchored, mapped to your existing artifact taxonomy. One email. No spam.

Get the free audit checklist
