For practitioners · 25 questions
AI App Audit Checklist.
25 questions to run when an AI-built app lands in your assessment scope. Check what is already in place. The unchecked items are your finding queue.
How to use this: Run alongside your standard SCA/SAR workflow. Each question maps to evidence prompts you can drop into a finding template, a control implementation statement, or a POA&M entry.
Engagement score: 0 / 25
Readiness tier: Ad Hoc (0–8)
No defensible AI governance posture yet. Standard SOC 2 / RMF artifacts may exist for the rest of the system, but the AI surface is uncontrolled. Expect high finding density.
01 System & boundary: Is the AI scope defined?
Before any finding has weight, the boundary has to be drawn. AI-built apps blur the standard system boundary because foundation models live outside the authorization boundary. Confirm what is actually in scope.
02 Data handling: What touches the model?
AI data handling is where most findings cluster. Sensitive data flowing into prompts, retention of model output, and human-review gates are the standard failure points.
03 Access & admin: Who can move the model?
AI deployments add a new privilege surface: who can change the model, the prompts, the system message, the API key. Access controls need to map to those new actions, not just to user-data access.
04 Vendors & supply chain: Where does the AI come from?
Foundation-model providers, fine-tuning vendors, RAG infrastructure, embedding services — every AI vendor is part of the supply chain. The supply-chain control catalog needs to cover them.
05 Evidence & operations: Can they prove the controls work?
AI-specific evidence is the gap most engagements close last. Prompt logs, output samples, incident records, model-version artifacts — these belong in the evidence repository alongside the standard control artifacts.
First five moves
From checklist to engagement deliverables.
- 01 Map each unchecked item to your client’s existing control catalog. Identify which framework (NIST 800-53, ISO 27001, SOC 2) the gap belongs to.
- 02 Categorize unchecked items by finding severity (Critical / High / Moderate / Low) using the tier guidance above.
- 03 Pull evidence prompts from each section into your engagement evidence-request list before kickoff.
- 04 Draft SAR language for the top 3–5 findings before the close-out meeting.
- 05 Use your engagement score to set expectations for the client’s remediation timeline.
Want the practitioner community behind this?
ai-governance.zip is the public reference. The AI Governance Practitioner Network is the working community of auditors and GRC pros doing this work in real engagements.