Free checklist · AI app audit framework
The framework for auditing AI-built apps.
Your clients are shipping AI-built apps faster than your assessment playbook was designed for. This 25-question checklist surfaces the AI-specific risks your standard SAR template may not catch yet, mapped to evidence prompts you can drop into a SAR or POA&M.
25 questions. One email. No spam.
You’ll get the checklist as a printable page right away. Built to run alongside your existing assessment workflow.
What’s inside
The 25 questions cover what auditors actually need to ask.
Run it as part of a security control assessment (SCA), as an AI-specific add-on to an existing assessment, or as pre-engagement reconnaissance. Five categories, each anchored to evidence and mapped to standard artifact types.
01
System & boundary
What is actually in scope?
AI components, data flow, hosting boundary, who controls prompts and outputs.
02
Data handling
What touches the model?
Sensitive data inputs, prompt logging, output retention, human-in-loop review.
03
Access & admin
Who can move the model?
MFA, admin sprawl, API key management, model deployment authority.
04
Vendors & supply chain
Where does the AI come from?
Foundation model providers, fine-tuning vendors, RAG infrastructure, terms.
05
Evidence & operations
Can they prove the controls work?
Logging, monitoring, incident response, change management, audit-ready artifacts.
Audit-ready scoring
Four tiers, one verdict.
Score the engagement across the five categories. Tiers map to your existing assessment vocabulary — gap analysis, control deficiency, finding severity.
Not auditing — building? See the builder-side checklist framed for founders and product teams shipping with AI.