Step one complete
Your audit checklist is on the way.
Open it before your next engagement. The 25 questions are designed to run alongside your existing assessment workflow, with evidence prompts you can drop straight into a SAR or POA&M.
While you wait
Five moves to make this useful on your next engagement.
The checklist is not a substitute for your existing methodology. It is a structured prompt set that surfaces AI-specific risks your standard playbook may not catch yet.
- 01Map the AI components in scope before your kickoff: what the model is, where it runs, who controls prompts.
- 02Identify which checklist questions map to controls already in your client’s SSP — and which expose gaps.
- 03Run the data-flow questions early. AI data handling is where most findings live.
- 04Capture evidence using your existing artifact taxonomy — SAR, POA&M, control implementation statements.
- 05Score the engagement at the end against the four readiness tiers and use that in your debrief.
Practitioner community
Join the AI Governance Practitioner Network.
Aysha runs a working community for security professionals, GRC practitioners, and auditors building AI governance into their practice. Frameworks, artifact templates, field discussions, and the practitioner-side of every conversation you read about on ai-governance.zip.
New to GRC practice?
Bruce’s HFI GRC Practitioner Program is the foundation track.
If you’re newer to the practice side and want the structured track that gets you from IT operations or security ops into the GRC field, the HFI GRC Practitioner Program is the structured version of the work Bruce has been doing as an embedded mentor since 2014.
Learn about the programYou’re on the practitioner / auditor side. Building an AI-powered app yourself? See the builder-side version.
The email confirmation may take a minute or two. If it does not arrive, check spam, or email info@harvestandfort.com directly.