Education & Guidance (EG)

Processes Domain - HAIAMM v3.0


Practice Overview

Objective: Build the AI-assurance workforce literacy every process owner, product manager, operations manager, and business analyst touching AI-embedded workflows needs and the practitioner skills the smaller population performing FRIA composition, HITL design assessment, process intake review, and workflow-archetype threat modeling must have, with shadow-AI-in-processes awareness as the primary L1 cultural outcome.

Description: EG-Processes covers two audiences. The first is the workforce population, every person who touches AI-embedded business workflows across HR, Finance, Legal, Customer Support, Sales, Engineering, and Operations. They need AI-process literacy: what the seven Processes-domain archetypes are, what EU AI Act Art. 26 deployer duties and Art. 14 human oversight mean for the workflows they run, what GDPR Art. 22 automated-decisioning safeguards require, what HITL design standards mean in practice, how to recognize when a workflow step carries enough AI output integrity risk to escalate, and how to submit intake or disclose prior shadow AI use. The second is the practitioner population, AppSec reviewers, Privacy and Legal counsel, Compliance officers, and business-unit representatives who perform FRIA composition, HITL design assessment, workflow-archetype intake review, and fairness/bias-indicator review where they intersect with security and legal obligations. EG-Processes defines the outcomes the program must produce and how the organization measures whether those outcomes are actually reached.

Context: AI-embedded business workflows create exposure points that classic security and compliance training does not cover. A process owner who has only taken the org's data-privacy course will not recognize that their AI-assisted HR screening workflow may require a FRIA, an annual bias audit under NYC Local Law 144, and EEOC adverse-impact analysis. A compliance officer who has only reviewed static policy documents will not know how to assess whether a loan-decision pipeline's "human review" step is substantive enough to satisfy Art. 22 rights or rubber-stamp enough to fail Art. 14 oversight. A customer support operations manager who approved an AI-drafted-response workflow without reading the HITL Standards Policy will not know that the 45-second review SLA makes substantive review impossible. Without deliberate EG practice targeted at these gaps, AI-process compliance surfaces late, at regulatory inquiry, in enforcement actions, or when a customer exercises their Art. 22 right to explanation and the org cannot provide one. L1 EG-Processes ships the minimum viable literacy for everyone running AI-embedded workflows and the minimum viable practitioner track for those who review and govern them. L2 extends into scenario-based reviewer training, sector-specific tracks (HR-AI, FinAI, ClinAI), and seasonal shadow-AI campaigns. L3 externalizes the curriculum and contributes to emerging AI-process-officer and AI-deployment-officer certification pathways.


Maturity Level 1

Objective: Deliver foundational AI-process literacy to ≥90% of the workforce touching AI-embedded business workflows and role-based practitioner training to 100% of the reviewer population, with an active shadow-AI-in-processes awareness campaign

At this level, the organization ensures that every process owner and function-team member touching AI-embedded workflows can identify AI-process risks and navigate the program's policies and intake gate, and that the practitioner population can perform consistent FRIA composition, HITL design assessment, and workflow-archetype intake review.

Dependencies

  • PC-Processes L1 (required): the three priority policies (AI-in-Business-Process Policy, HITL Standards Policy, AI-Process Intake / Sanction Gate) and the priority compliance map are the primary teaching object, training without published policies is hollow. EG-Processes L1 cannot precede PC-Processes L1.
  • SM-Processes L1 (required): the AI/HAI process inventory and workflow-archetype taxonomy define what the training is about and which archetypes process owners will encounter.
  • Alignment (not a hard dependency): enterprise LMS and existing compliance-awareness program, extend rather than duplicate; function-head all-hands cadence for shadow-AI-in-processes campaign launch.
  • Supports / unblocks: every downstream practice, reviewers who cannot distinguish a decision pipeline from a back-office augmentation workflow will not produce useful threat models (TA), requirements (SR), design reviews (DR), implementation reviews (IR), or HITL assessments.

Desired Outcomes

  • Any process owner or function-team member touching an AI-embedded workflow can name the workflow archetypes the org sanctions, cite the two or three HITL Standards rules most relevant to their workflow, describe one AI-process risk relevant to their archetype, and submit an intake ticket or disclose prior unsanctioned AI use in under 5 minutes.
  • The practitioner population (AppSec reviewers, Privacy/Legal counsel, Compliance officers, business-unit review representatives) produces consistent, evidence-backed reviews, two practitioners independently reviewing the same decision-pipeline intake arrive at the same tier assignment, the same FRIA assessment, and the same HITL design gap list.
  • Shadow AI in processes disclosures increase in the first two quarters after the campaign launches (awareness working), then decrease as the sanctioned-workflow program grows (adoption working).
  • EU AI Act Art. 26 deployer duties, Art. 14 human oversight, and GDPR Art. 22 automated-decisioning safeguards are not abstract, every process owner can map their AI-embedded workflow to the oversight obligation, disclosure requirement, and HITL standard it triggers.
  • Training content is owned, dated, and updated within 30 days of any change to the AI-in-Business-Process Policy, HITL Standards Policy, intake policy, archetype list, or priority compliance map.

Activities

A) Ship workforce AI-process literacy training

A single short course (≤25 minutes) every function head, process owner, product manager, operations manager, and business analyst touching AI-embedded workflows takes on first exposure and refreshes annually, tied to the AI-in-Business-Process Policy attestation from PC-Processes L1.

Content (minimum): - What the seven AI-embedded workflow archetypes are, the seven archetypes sanctioned by the org (decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow). Concrete examples from the org's own inventory. - EU AI Act Art. 26 deployer duties in plain language, the organization that deploys an AI system is the deployer; deployer duties include assigning human oversight, monitoring the system, informing affected persons, and keeping logs for high-risk systems; a decision pipeline the finance team runs is a deployment, not a tool purchase. - EU AI Act Art. 14 human oversight in plain language, human oversight means the human can meaningfully understand, can exercise judgment independently, can override, and is not rubber-stamping; what a 45-second review SLA with a 200-item queue means for whether oversight is real. - GDPR Art. 22 automated decision-making in plain language, when AI output materially drives a decision with legal or significant effect on a person, that person has rights: the right to a human review, the right to an explanation, the right to contest; the org must have a mechanism for each right before the workflow goes live. - HITL design: substantive vs. rubber-stamp, what makes a human review substantive (enough time, access to reasoning, real override path, no disincentive to override) vs. rubber-stamp (SLA too short, no override training, override rate not tracked); one concrete example of each from a workflow archetype the trainee's function operates. - The AI-Process intake gate, how to submit intake, what the per-archetype artifacts checklist requires, what "provisional approval" means, and how the amnesty path works. - When to escalate to a FRIA, EU AI Act Annex III use categories that trigger a Fundamental Rights Impact Assessment (employment, credit, education, biometric, critical infrastructure, law enforcement, immigration, justice, essential services); a 30-second check: "does my workflow affect one of these categories?" → submit intake, flag Annex III, wait for FRIA assessment. - Shadow-AI-in-processes disclosure, why disclosing existing AI-embedded workflow steps carries no penalty (amnesty window); how to disclose in under 5 minutes; what happens after disclosure (intake review, not enforcement). - Before-you-deploy decision aid, a 10-second check: is this workflow archetype in the inventory? Does it affect persons' legal or financial status? Does it reach customers without a disclosure mechanism? Does it need intake approval?

Delivery: LMS module + 1-page reference card pinned in function-team Slack/Teams + brief at function all-hands when the program launches. All function-team members touching AI-embedded workflows take the same workforce-level module; no role gating.

B) Deliver role-based practitioner training for the reviewer population

A deeper module (~2.5 hours) for the practitioner population only: AppSec reviewers performing TA and SR intake reviews, Privacy / Legal counsel performing Art. 22 lawful-basis analysis and FRIA composition, Compliance officers reviewing HITL design and sector-specific obligations, and business-unit representatives participating in intake review panels. Completion is a prerequisite to approving intakes, not optional.

Content (minimum): - Workflow-archetype threat walkthrough, for each of the seven archetypes: what is the AI output integrity risk (output used to make a decision without the person being able to contest it), what are the HAI TTP exposure points (EA, AI step acts beyond intended scope; AGH, workflow inputs redirect the AI recommendation; TM, tool calls in the AI step are misused; RA, long-running AI pipelines drift from intended behavior), and what is the regulatory-scope assessment (which archetype patterns trigger Annex III, Art. 22, sector rules). - FRIA composition, what a Fundamental Rights Impact Assessment must cover for each Annex III use category; the seven FRIA sections (workflow description, affected population, decision effects and reversibility, fundamental rights assessment, human oversight design, residual risks, sign-off); how to assess whether a submitted FRIA is substantive or superficial; practitioner judgment on FRIA adequacy. - HITL design assessment, how to evaluate whether the human-oversight design in a submitted workflow satisfies Art. 14 (capacity for meaningful oversight, not rubber-stamp); review-SLA calculation relative to queue size and item complexity; override-rate target ranges by archetype; anchoring-prevention assessment (is the AI recommendation presented in a way that prevents independent human judgment?); escalation-path adequacy. - Art. 22 lawful-basis analysis, three lawful bases under Art. 22 (explicit consent, contractual necessity, Union or Member State law); how to assess which basis applies to the workflow in review; what safeguards must be present for each basis; right-to-explanation mechanism adequacy. - Fairness and bias indicators at the intersection with security and legal obligations, not a full fairness curriculum; the scope is: indicators that an AI-embedded decision pipeline may carry disparate impact that creates EEOC liability, FCRA adverse-action exposure, or EU AI Act Art. 9(7) data-quality obligations; how to flag these as compliance issues for the business-unit representative and Legal, not for the security reviewer to resolve independently. - Sector-specific deep-dives, a minimum of three sector modules: HR-AI (EEOC AI employment guidance, NYC Local Law 144 bias audit, OFCCP contractor AI obligations); FinAI (FCRA adverse-action, CFPB AI credit-decision guidance, FINRA model-risk documentation requirements, CO SB-21-169 insurance AI); ClinAI (HIPAA clinical AI workflow, ONC clinical decision-support, FDA AI/SaMD where applicable). Trainees complete the sector module(s) applicable to their review role. - Priority compliance map in practice, given a workflow archetype and sector, which requirements from PC's map apply, where the evidence lives in the go-live gate record, and what a regulator will ask. - Calibration exercise, three sample workflow intakes (e.g., an AI-assisted hiring screening pipeline, a customer-facing AI-drafted response flow, an AI-driven credit pre-approval routing) scored independently; facilitated debrief on tier assignment, FRIA assessment, HITL design adequacy, and SR gap list.

Delivery: instructor-led or recorded workshop + role-specific reference job aids (one per archetype: "what to look for in a [decision-pipeline / customer-facing flow / HITL chain] intake") + sector-specific checklist cards + quarterly calibration session. Completion gated on intake-approval permissions.

C) Run the shadow-AI-in-processes awareness campaign

An always-on communications program making it easy to disclose existing AI-embedded workflow steps and uncomfortable to operate them outside the program. L1 target is a sustainable, lightweight cadence.

Campaign elements: - Launch moment, executive sponsor message (CISO + COO / CRO co-signed) naming shadow AI in processes, announcing the amnesty window, and publishing the sanctioned-archetype catalog. Explicit framing: disclosing is safe; not disclosing creates regulatory exposure for the function team. - Recurring short content, monthly one-paragraph pieces for function-team channels: a fast-track win (intake to provisional approval in 3 BD for a back-office augmentation workflow), an anonymized example of an Art. 22 safeguard that was caught at intake review, an external enforcement action (CFPB credit AI, FTC AI hiring) reframed as "what would we find if we checked our own inventory?", a new sector HITL-design resource published. - "Is this a decision pipeline?" series, periodic call-outs of workflow patterns that may cross the Art. 22 threshold (AI-assisted loan decisions, AI-scored job applications, AI-routed benefit eligibility), with clear instruction on how to submit for an intake assessment. - Amnesty visibility, the path to disclose prior unsanctioned AI-embedded workflow steps is linked from the AI-in-Business-Process Policy, the intake form, and the function-team Slack/Teams channel pins. Amnesty is prominent, not buried. - Feedback channel, a visible channel for process owners and operations managers to ask "does this workflow need intake?" and receive a response within 5 BD; low-threshold entry to the program. - Deployer-duty micro-content, short explainers for teams running customer-facing or decision-affecting workflows: what Art. 26 human-oversight assignment means in practice for their archetype, what the disclosure mechanism looks like for a customer-facing AI flow, what happens when a customer invokes Art. 22 rights and what the process owner must provide.

Measurement: campaign channel links tagged so attribution of intake submissions and amnesty disclosures to campaign touchpoints is tracked.

Outcome Metrics (L1)

Metric Baseline L1 Target Source
% of workforce touching AI-embedded workflows with current-year AI-process literacy completion measure ≥90% LMS / HR attestation
% intake reviewers with completed practitioner training measure 100% LMS + intake-approval permissions
Reviewer calibration drift (avg tier and FRIA/HITL-assessment delta across reviewers on shared samples) measure ≤1 tier step and ≤2 FRIA/HITL assessment mismatches per sample Quarterly calibration exercise
Shadow-AI-in-processes disclosures per quarter (amnesty path) measure rises Q1–Q2, then trends down Intake queue tagged "amnesty"
Intake submissions attributable to campaign channels measure ≥25% of net-new intakes Tagged campaign URLs / form referrer

Process Metrics (leading)

  • Workforce training content reviewed quarterly; updated within 30 days of any change to the AI-in-Business-Process Policy, HITL Standards Policy, archetype list, or priority compliance map.
  • New function-team member coverage SLA, AI-process literacy completed within 30 days of taking on responsibility for an AI-embedded workflow.
  • Reviewer calibration cadence, at least once per quarter; drift trends reported to the program sponsor.
  • Campaign content cadence, at least one piece of shadow-AI-in-processes content published per month.

Effectiveness Metrics (business value)

  • Reviewer throughput, intakes closed per reviewer per week should rise after practitioner training lands without sacrificing calibration quality (drift stays in target).
  • Sanctioned-archetype adoption, % of new AI-embedded workflows using a sanctioned reference archetype rather than an informal workaround; rising adoption signals literacy plus catalog together reducing shadow AI.
  • Avoided-incident stories, documented cases where practitioner training enabled a reviewer to catch an Art. 22 violation risk, an inadequate HITL design, or an Annex III FRIA obligation at intake rather than at regulatory inquiry.

Success Criteria

  • Workforce AI-process literacy module launched; ≥90% current-year completion sustained across function teams.
  • Practitioner training launched, completion gated on intake-approval permissions, and calibration drift inside target for two consecutive quarters.
  • Shadow-AI-in-processes awareness campaign running with at least monthly content cadence and measurable attribution of intake submissions and amnesty disclosures to campaign channels.
  • Deployer-duty micro-content deployed for every customer-facing or decision-affecting AI-embedded archetype active in the inventory.
  • Training content owner named; content updated within 30 days of any change to the policies, archetype list, or compliance map.

Maturity Level 2

Objective: Deepen practitioner skill through scenario-based training from real intake cases, deliver sector-specific tracks (HR-AI, FinAI, ClinAI) calibrated to SM-Processes L2 risk tiers, and run seasonal shadow-AI-in-processes campaigns tied to business planning and regulatory release cycles

At this level, training stops being one-size-fits-all. Reviewer skill deepens through scenario-based exercises built from anonymized real intakes from the org's own queue. Business-unit and compliance teams in specific sectors (HR, Finance, Clinical, Legal, Customer Support) receive tracks aligned to the workflow archetypes they actually operate and the sector-specific rules that apply. Shadow-AI campaigns become behavior-driven and seasonal rather than standing background noise.

Dependencies

  • EG-Processes L1 (required): workforce literacy and base practitioner training must be in place.
  • SM-Processes L2 (required): the risk-tier rubric defines which workflow archetypes go to which reviewer track depth and at what cadence.
  • TA-Processes L2 (required for Critical-tier scenarios): per-workflow deep threat models provide the scenario source material for Critical-tier reviewer exercises.
  • Supports / unblocks: PC-Processes L2 (tier-calibrated reviewers enforce tier-specific policies and FRIA gate requirements); SA-Processes L2 (sector-track trainees learn the reference patterns they will implement); DR-Processes L2 (scenario-trained reviewers produce faster, more consistent DR decisions).

Desired Outcomes

  • Reviewer calibration on Critical-tier decision-pipeline and customer-facing-flow scenarios is visibly tighter than at L1, the practitioner investment is measurable in calibration drift data.
  • Business-unit teams operating HR-AI, FinAI, and ClinAI workflows can independently identify the HITL design deficiencies, regulatory scope triggers, and FRIA requirements relevant to their specific workflow archetype.
  • Shadow-AI campaigns run on a behavior-driven, seasonal cadence (Q1 OKR planning, major product releases, post-sector-enforcement-action moments, hiring surges) with pre-measured behavior targets and post-campaign measurement.
  • Training content refreshes from real program telemetry, real calibration drifts, real intake anomalies, real FRIA findings, not from annual curriculum reviews.

Activities

A) Scenario-based reviewer training from real intakes

  • Scenario library built from anonymized real intakes from the org's own queue: each scenario includes the as-submitted workflow description, the original reviewer decisions (tier, FRIA assessment, HITL design adequacy, Art. 22 lawful-basis analysis, SR gaps), any reviewer disagreement, and the resolved outcome after calibration or post-launch review.
  • Scenarios organized per archetype (decision-pipeline scenarios, customer-facing-flow scenarios, HITL-chain scenarios, back-office augmentation scenarios) and per compliance cluster (Annex III FRIA scenarios, Art. 22 automated-decisioning scenarios, HITL rubber-stamp scenarios, sector-specific scenarios).
  • Paired calibration exercises: two reviewers independently score the same scenario; instructor-facilitated debrief on tier delta, FRIA adequacy assessment, HITL design gap list, and SR requirement mismatches.
  • Tier-weighted curriculum: Critical-tier decision-pipeline and customer-facing-flow scenarios dominate the advanced modules; Medium/Low back-office augmentation scenarios streamlined to fast-track calibration.
  • Capstone: practitioners graduate the advanced module by running three live intakes end-to-end with a senior-reviewer shadow and producing a passing TA snapshot, SR REM, FRIA assessment, and HITL design assessment.

B) Sector-specific tracks for HR-AI, FinAI, and ClinAI

  • Distinct training tracks for the three primary high-regulatory-exposure sectors operating AI-embedded workflows:
  • HR-AI track, employment-AI decision pipelines (AI-assisted resume screening, interview scoring, promotion scoring); EEOC adverse-impact analysis in the context of AI screening tools; NYC Local Law 144 bias audit requirement and annual reporting; OFCCP contractor AI obligations; HITL design for employment decisions (what "substantive review" means when 150 resumes are reviewed per hour); FRIA composition for employment Annex III use cases; Art. 22 lawful-basis analysis for employment decisions (contract vs. explicit consent vs. Member State law).
  • FinAI track, credit and lending decision pipelines; AI-assisted financial advice workflows; FCRA adverse-action notice requirements for AI-driven credit decisions; CFPB AI credit guidance (explanation requirements, disparate impact); FINRA model-risk documentation for automated advice; CO SB-21-169 insurance AI anti-discrimination and explainability requirements; HITL design for high-volume financial decisions; FRIA for credit Annex III use cases.
  • ClinAI track, clinical decision-support AI workflows; AI-assisted triage, diagnostics, and treatment recommendation; HIPAA PHI in clinical AI (BAA with AI providers, minimum-necessary PHI, audit-log requirements); ONC clinical decision-support guidance (when clinical DSS triggers FDA regulation); FDA AI/SaMD applicable scope; HITL design for clinical decisions (clinical human-oversight standards and the distinction from administrative HITL); documentation of AI-assisted clinical decisions for malpractice and regulatory audit purposes.
  • Each track is paired with the SA reference pattern for the relevant archetype, the training teaches the "green path" the team will implement and defend in DR.
  • Required for any team owning a Critical or High-tier workflow in the applicable sector; target ≥1 trained practitioner per workflow.
  • Sector-track content reviewed quarterly; updated within 30 days of sector-specific enforcement actions or regulatory guidance updates.

C) Seasonal, behavior-driven shadow-AI-in-processes campaigns

  • Campaigns tied to observed shadow-AI risk windows in the business-planning and regulatory cycle: Q1 OKR planning (teams add AI to workflow roadmaps without intake), major product releases (new customer-facing AI features embedded in workflows), post-sector-enforcement-action moments (a public EEOC action against an AI hiring tool, a CFPB enforcement on AI credit decisions, a FTC AI action creates a teachable window), hiring surges (new operations staff arrive with pre-existing habits), regulatory effective dates (NYC LL144 compliance deadline, CO SB-21-169 effective date).
  • Each campaign has a pre-measured behavior target (e.g., "increase decision-pipeline intake submissions before Q2 OKR sign-off by 40%," "reduce undisclosed HR-AI screening steps by 60% in Q3") and a post-campaign measurement.
  • Amnesty windows run alongside campaigns; disclosure volume and source attributed to campaign channels.
  • Campaign effectiveness reviewed by the program sponsor; campaigns that miss behavior targets by >20% are redesigned.

Outcome Metrics (L2)

Metric Baseline L2 Target Source
Reviewer calibration drift on Critical-tier scenarios measure ≤1 tier step and ≤1 FRIA/HITL mismatch per sample Quarterly calibration exercise
% Critical/High-tier workflows with ≥1 team member trained on the applicable sector track measure 100% LMS × SM-Processes inventory
Shadow-AI campaign behavior-target achievement rate measure ≥70% of campaigns hit behavior target Campaign post-measurement
% training content refreshed in last 90 days measure ≥80% Content change log
% workforce literacy completion maintained measure ≥90% LMS

Process Metrics (leading)

  • Scenario library freshness, scenarios reviewed quarterly; retired when intake patterns make them obsolete.
  • Sector-track attendance tracked per workflow in the inventory monthly.
  • Campaign pipeline, always ≥1 campaign in-flight tied to a measurable behavior target.
  • Calibration debrief findings routed back to the scenario library within 30 days.

Effectiveness Metrics (business value)

  • Reduction in intake submissions missing FRIA assessment, HITL design documentation, or sector-specific compliance checklist at first submission, rising practitioner-coaching quality catches issues before they reach the queue.
  • Sector-track-trained teams' workflows require fewer DR re-submissions vs. untrained teams.
  • Sanctioned-archetype reuse rate for trained sectors rises vs. control group (trained teams reach for the reference pattern and HITL design standard; untrained teams invent their own).

Success Criteria

  • Scenario library of ≥25 real-sourced scenarios across workflow archetypes in use; reviewer calibration drift inside target for two consecutive quarters.
  • Sector-specific tracks (HR-AI, FinAI, ClinAI) delivered; ≥1 trained practitioner per Critical/High-tier workflow.
  • ≥2 behavior-driven campaigns run in the last 12 months with measured outcomes.
  • Training content refresh cadence met; ≥80% of content updated in last 90 days.

Maturity Level 3

Objective: Operate continuous calibration at scale, externalize the AI-process curriculum and HITL design reviewer rubric as industry-shared artifacts, and contribute to emerging AI-deployment-officer and AI-process-officer certification pathways

At this level, the organization's AI-process training posture is visible outside its own walls. The practitioner curriculum, scenario library, FRIA methodology guide, and HITL design reviewer rubric are published externally through CSA AI Safety Initiative, ISO/IEC 42005 community, OECD, or sector ISACs. The program contributes to the emerging AI-deployment-officer and AI-process-officer certification pathways as they solidify in financial services, healthcare, HR, and public sector. Internally, calibration is continuous and live rather than quarterly.

Dependencies

  • EG-Processes L2 (required): scenario library, sector-specific tracks, and behavior-driven campaigns must be in place.
  • PC-Processes L3 (required for regulatory-track content): continuous attestation and FRIA review infrastructure provides the real compliance scenarios the external curriculum demonstrates.
  • SM-Processes L3 (required): automated inventory and tier data feed the continuous calibration exercises with current workflow examples.

Desired Outcomes

  • External practitioners recognize and use the program's curriculum, FRIA methodology guide, and HITL design rubric; citations and adoption are tracked.
  • AI-deployment-officer or AI-process-officer certification (internal or external, where credentials have emerged) is held by a majority of the org's Critical-tier workflow reviewers.
  • Monthly live calibration, reviewers re-calibrated against anonymized real intakes from the live queue each month; drift trends are a managed metric.
  • Training content evolution is auditable and evidence-driven (HITL validation signals from ML-Processes, FRIA outcome data, IM-Processes incident learnings, and regulatory motion feed the curriculum rather than annual scheduled reviews).
  • HITL design patterns and FRIA methodologies observed in own-operated AI-embedded workflows are contributed back to ISO/IEC 42005 and OECD as real-world implementation experience.

Activities

A) Externalize the curriculum, scenario library, FRIA methodology guide, and HITL design rubric

  • Publish the following under a permissive license or as a consortium deliverable through CSA AI Safety Initiative, ISO/IEC 42005 community, OECD AI practitioners network, or applicable sector ISAC (FS-ISAC FinAI working group, H-ISAC ClinAI working group, SHRM HR-AI initiative):
  • Workforce AI-process literacy module (learning objectives, assessment questions, reference-card template).
  • Practitioner role-based training curriculum (module outlines, sector-track coverage matrix, per-archetype reviewer job aids).
  • Anonymized scenario library (scenario format, per-archetype examples, calibration debrief format).
  • FRIA methodology guide for each Annex III use category (employment, credit, clinical, education, biometric): structure, scope, key fundamental-rights dimensions, sign-off requirements, review frequency.
  • HITL design reviewer rubric (substantive vs. rubber-stamp taxonomy, review-SLA calculation, override-rate benchmarks by archetype, anchoring-prevention assessment criteria, escalation-path adequacy scoring).
  • Community contributions accepted; changes to the external artifact flow back into the internal content within 30 days.
  • Adoption tracked: citations in external publications, standards-body reference, downloads, direct adoption acknowledgment from other organizations.

B) Continuous live calibration

  • Monthly calibration round: a current anonymized intake sampled from the program's live queue is shared with the reviewer cohort; each reviewer independently scores tier, FRIA adequacy, HITL design adequacy, and top 3 SR gaps; drift reported to the program sponsor.
  • Individual reviewer drift is a development signal, not a performance metric; reviewers with persistent drift on specific sector types or FRIA composition receive targeted coaching and additional scenario exposure.
  • Calibration results feed the scenario library directly, new scenarios drawn from intakes where calibration revealed drift are added within 30 days.

C) AI-deployment-officer / AI-process-officer certification contribution

  • Contribute to AI-deployment-officer and AI-process-officer certification pathways as they emerge: sector-specific ISAC credentials (FS-ISAC AI Risk Certification, H-ISAC AI Safety Certification), OECD AI Practitioners framework, ISO/IEC AI management system implementer credentials, ISACA AI Audit and AI Risk certificates, emerging public-sector AI-deployment credentials.
  • Align the org's practitioner capstone with certification-grade rubrics where credentials exist; support reviewers pursuing external credentials.
  • Contribute FRIA methodology real-world experience (how many FRIAs completed, what outcome patterns emerged, what gaps in ISO/IEC 42005 guidance the program encountered) to the ISO/IEC 42005 community at least once per year.
  • Target: ≥2 substantive contributions per year to industry curriculum or certification working groups.

Outcome Metrics (L3)

Metric Baseline L3 Target Source
External adoption, citations, forks, downloads of curriculum / scenario library / FRIA methodology / HITL rubric artifacts 0 tracked, trending up External telemetry
% Critical-tier reviewers holding an external AI-deployment-officer or AI-process-governance credential 0 ≥50% by year 2 of L3 (where credential exists) HR / credential registry
Monthly live calibration cadence met measure monthly, on calendar Calibration log
ISO/IEC 42005 / OECD FRIA methodology contributions per year 0 ≥1 where real-world experience justifies Contribution log
Contributions to industry certification / curriculum working groups per year 0 ≥2 substantive Contribution log

Process Metrics (leading)

  • Curriculum refresh pipeline: ≥1 change per quarter driven by HITL validation signals, IM/ML telemetry, or regulatory update.
  • Reviewer certification pathway participation tracked per reviewer.
  • External outreach: ≥2 conference or working-group engagements per year on AI-process governance and AI-process education topics.
  • Calibration debrief findings fed to scenario library within 30 days.

Effectiveness Metrics (business value)

  • Talent acquisition, the program is a named draw for AI-process governance specialists, compliance practitioners with AI-deployment experience, and business-unit leads who want to operate AI workflows within a mature governance program.
  • Reduced on-boarding time for new reviewers who arrive with external credentials and sector-specific certifications.
  • Industry recognition, program cited by regulators, standards bodies, or peer organizations as a reference for AI-process governance education and HITL design standards.
  • Internal re-submission rate for workflow intakes continues to decline as external curriculum adoption provides pre-trained practitioners from outside the org.

Success Criteria

  • Curriculum, scenario library, FRIA methodology guide, and HITL design rubric published externally with documented adoption.
  • Monthly live calibration operating; drift inside target for two consecutive quarters.
  • ≥50% of Critical-tier reviewers credentialed (where credentials exist).
  • ≥2 substantive contributions to industry certification / curriculum per year.
  • ≥1 ISO/IEC 42005 / OECD FRIA methodology contribution per year where real-world experience justifies.

Key Success Indicators

Level 1: - Workforce AI-process literacy module launched; ≥90% current-year completion across process owners, product managers, operations managers, and business analysts touching AI-embedded workflows; content tied to the AI-in-Business-Process Policy attestation. - Practitioner role-based training launched, gated on intake-approval permissions, covering workflow-archetype threat walkthrough, FRIA composition, HITL design assessment, Art. 22 lawful-basis analysis, fairness/bias indicators at the compliance intersection, and sector-specific deep-dives (HR-AI, FinAI, ClinAI). - Reviewer calibration drift inside target (≤1 tier step and ≤2 FRIA/HITL assessment mismatches per sample) for two consecutive quarters. - Shadow-AI-in-processes awareness campaign running with monthly content cadence; amnesty disclosures attributable to campaign channels rising in Q1–Q2 then declining as the sanctioned-workflow catalog grows. - Training content owner named; content updated within 30 days of any change to policies, archetypes, or compliance map.

Level 2: - Scenario library of ≥25 anonymized real-sourced intakes powering reviewer training across workflow archetypes; Critical-tier calibration drift inside target. - Sector-specific tracks (HR-AI, FinAI, ClinAI) delivered; ≥1 trained practitioner per Critical/High-tier workflow. - ≥2 behavior-driven shadow-AI campaigns run in the last 12 months with measured outcomes; ≥70% of campaigns hit pre-set behavior target. - Training content refreshed in last 90 days for ≥80% of modules.

Level 3: - Curriculum, scenario library, FRIA methodology guide, and HITL design rubric published externally (CSA / ISO/IEC 42005 / OECD / sector ISAC) with documented adoption or citation. - ≥50% of Critical-tier reviewers hold an external AI-deployment-officer or AI-process-governance credential (where one exists). - Monthly live calibration operating with drift inside target; calibration results feeding the scenario library continuously. - ≥2 substantive contributions to industry AI-process certification or curriculum working groups per year; ≥1 FRIA methodology / HITL design contribution to ISO/IEC 42005 or OECD per year where real-world experience justifies.


Common Pitfalls

Level 1: - ❌ Workforce training covers data privacy basics but not EU AI Act Art. 26 deployer duties, Art. 14 human oversight, or GDPR Art. 22 automated-decisioning safeguards, process owners run Annex III workflows without knowing what a FRIA is or that they are responsible for one. - ❌ Practitioner training is a one-hour "AI ethics overview" rather than a hands-on module covering FRIA composition, HITL design assessment, Art. 22 lawful-basis analysis, and calibration exercises against real workflow intake scenarios. - ❌ Reviewer training is optional, intake-approval permissions granted without training completion; calibration drift is never measured; two reviewers regularly arrive at different FRIA and HITL assessments for the same workflow. - ❌ Shadow-AI campaign launches once with an executive message, then goes silent, no monthly content, no amnesty attribution, no sector-specific call-outs; function teams never hear about it again. - ❌ Training is archetype-agnostic, "AI in business processes" without distinguishing between a decision pipeline (Annex III / Art. 22 triggers apply) and a back-office augmentation workflow (Art. 22 does not apply); practitioners apply the wrong compliance lens. - ❌ Deployer-duty micro-content never ships for customer-facing decision workflows, process owners running AI-driven credit, employment, or benefit workflows have no mental model for Art. 26 or Art. 22 at the operational level. - ❌ Training content owner is unnamed, content goes stale within a quarter; process owners find outdated HITL Standards references and stop trusting the module.

Level 2: - ❌ Scenario library is built from invented examples rather than anonymized real intakes, reviewers learn the shape of a "good" intake but not the actual edge cases (rubber-stamp HITL patterns, Annex III scope ambiguities, sector-specific compliance gaps) that surface in the org's queue. - ❌ Sector tracks are optional; teams skip them and then produce workflow designs in DR that do not account for FCRA adverse-action obligations or NYC LL144 bias audit requirements; DR catches the gaps late. - ❌ Campaigns are launched without a pre-measured behavior target, "shadow-AI awareness" claimed as a success without data on whether undisclosed decision pipelines decreased or amnesty disclosures increased. - ❌ Content "refreshes" are cosmetic, module covers get updated but FRIA methodology and HITL design rubric go stale while real intake patterns and sector enforcement actions change. - ❌ Calibration drift is measured but not acted on, reviewers with persistent FRIA or HITL assessment drift never receive coaching; the calibration exercise becomes a box-check.

Level 3: - ❌ External publication without ongoing maintenance, other organizations find a stale FRIA methodology guide or an outdated HITL design rubric and stop trusting the program; citations dry up. - ❌ Credentialing becomes performative, reviewers pursue credentials that do not map to the org's actual tier-treatment rubric and FRIA gate requirements; credential acquisition is celebrated but calibration drift stays unchanged. - ❌ Live calibration becomes a gotcha rather than a development signal, reviewers learn to game the monthly exercise without improving their actual intake quality. - ❌ Contributions to ISO/IEC 42005 / OECD loop do not feed back internally, what is published externally drifts from what reviewers use internally; practitioners cite the external FRIA methodology and contradict the internal rubric. - ❌ HITL design benchmarks contributed externally reflect the org's own under-developed early L1 practice, publishing override-rate benchmarks from before HITL validation was mature misleads other organizations.


Practice Maturity Questions

Level 1: 1. Have all process owners, product managers, operations managers, and business analysts touching AI-embedded workflows completed a current-year AI-process literacy course covering the seven workflow archetypes, EU AI Act Art. 26 deployer duties / Art. 14 human oversight / Art. 50 transparency, GDPR Art. 22 automated-decisioning safeguards, HITL design (substantive vs. rubber-stamp), how to recognize Annex III FRIA triggers, and the intake gate process, with ≥90% completion and content updated within 30 days of any policy or archetype change? 2. Has the practitioner population (AppSec reviewers, Privacy/Legal counsel, Compliance officers, business-unit review representatives) completed role-based training covering workflow-archetype threat walkthrough, FRIA composition for Annex III use categories, HITL design assessment (substantive review SLA, override-rate targets, anchoring-prevention criteria), Art. 22 lawful-basis analysis, fairness/bias-at-compliance-intersection indicators, and sector-specific deep-dives (HR-AI, FinAI, ClinAI), with completion gated on intake-approval permissions and calibration drift ≤1 tier step and ≤2 FRIA/HITL mismatches per sample for two consecutive quarters? 3. Is a shadow-AI-in-processes awareness campaign running with at least monthly content, a visible amnesty path linked from the AI-in-Business-Process Policy and intake form, and measurable attribution of intake submissions and amnesty disclosures to campaign channels, with disclosures rising in Q1–Q2 after launch then declining as the sanctioned-workflow program grows?

Level 2: 1. Is there a scenario library of ≥25 anonymized real intake cases powering practitioner training across the org's in-scope workflow archetypes, with paired calibration exercises showing Critical-tier drift ≤1 tier step and ≤1 FRIA/HITL mismatch per sample for two consecutive quarters? 2. Have sector-specific tracks (HR-AI, FinAI, ClinAI) been delivered to ≥1 practitioner per Critical/High-tier workflow in each applicable sector, with team-level training coverage tracked in the SM-Processes inventory, and are campaigns running on a seasonal, behavior-driven cadence with pre-set behavior targets? 3. Is ≥80% of training content updated in the last 90 days, including FRIA methodology, HITL design rubric, and sector-specific compliance content, and are ≥70% of campaigns hitting their pre-set behavior target?

Level 3: 1. Have the practitioner curriculum, anonymized scenario library, FRIA methodology guide (for each Annex III use category), and HITL design reviewer rubric been published externally (CSA, ISO/IEC 42005 community, OECD, or sector ISAC) with documented adoption, citations, standards-body reference, or direct acknowledgment, and do contributions loop back into internal content within 30 days? 2. Is a monthly live calibration cadence operating (anonymized intake from the live queue, independent reviewer scoring, drift reported to sponsor), with calibration results feeding the scenario library within 30 days, and do ≥50% of Critical-tier reviewers hold an external AI-deployment-officer or AI-process-governance credential where one exists? 3. Does the program contribute ≥2 substantive artifacts per year to industry AI-process certification or curriculum working groups, and ≥1 FRIA methodology or HITL design contribution to ISO/IEC 42005 or OECD per year where real-world experience from the org's own FRIA and HITL practice justifies a contribution?


Document Version: HAIAMM v3.0 Practice: Education & Guidance (EG) Domain: Processes Last Updated: 2026-05-14 Author: Verifhai

☑ Interactive Self-Assessment

Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.