Policy & Compliance (PC) - Processes Assessment

Assessment questionnaire for measuring maturity. Answer each question honestly based on current, implemented practices.

Policy & Compliance (PC) - Processes Domain

HAIAMM Assessment Questionnaire v3.0

Canonical source-of-truth: ../practices/PC-Processes-OnePager.md. The canonical v3.0 model: ../HAIAMM-v3.0-Framing.md.


Practice: Policy & Compliance (PC) Domain: Processes Purpose: Publish the priority policies and compliance map that make the AI/HAI Process Assurance program enforceable, so every AI-embedded business workflow the organization operates is governed by a documented set of rules, gated before it goes live, and defensible to auditors, regulators, and affected individuals. Scoring Model: Evidence + Outcome Metrics


Instructions

  • Current, implemented practices only.
  • Evidence + Outcome Metrics per question.
  • 4-tier scoring: Fully Mature (1.0), Implemented (0.67), Partial (0.33), Not Implemented (0.0).
  • Answer progressively. Achieve all L(N) questions before L(N+1).

Scoring Methodology

Tier Score Criteria
Fully Mature 1.0 Evidence complete + ≥3 outcome metrics meet targets
Implemented 0.67 Evidence complete + 2 outcome metrics meet targets
Partial 0.33 Evidence partially complete + <2 outcome metrics meet targets
Not Implemented 0.0 No substantive evidence

Practice maturity level achieved = highest level where all 3 questions score ≥ 0.67.


Maturity Level 1

Objective: Publish the three priority AI/HAI process policies, map them to the priority compliance requirements, and operate the AI-Process Intake / Sanction Gate that prevents ungated AI-embedded workflows from going live.

Question 1: Publish the three priority AI/HAI process policies

Q1.1: Have you published and formally approved all three AI/HAI process policies, AI-in-Business-Process Policy, HITL Standards Policy, and AI-Process Intake / Sanction Gate Policy, with archetype-specific oversight requirements, HITL standards distinguishing substantive review from rubber-stamp, and a deployer-duty owner requirement?

Evidence Required: - [ ] AI-in-Business-Process Policy approved by Legal/Privacy and Security, covering permitted workflow archetypes and required human-oversight model per archetype (decision pipeline, customer-facing flow, HITL collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow), required disclosure to affected persons, and prohibited actions without named sign-off - [ ] HITL Standards Policy defining substantive review vs. rubber-stamp review, minimum review SLA per archetype (not less than 2 minutes per legally significant decision), override authority requirements, AI output integrity requirements (human reviewer must have access to AI output, confidence score, key inputs, and basis, not just the final recommendation), and escalation path criteria - [ ] AI-Process Intake / Sanction Gate Policy defining required go-live artifacts by archetype including FRIA commissioning and Art. 22 safeguards for decision pipelines, amnesty path, and go-live gate authority with permanent logging of decisions - [ ] Deployer-duty owner is a required artifact for all customer-facing and decision-affecting workflows; HITL standards must be documented and confirmed at intake for these archetypes - [ ] All three policies are accessible to every function head and process owner; policies require annual acknowledgment; violations routed through program sponsor and Legal - [ ] Amnesty path for previously ungated workflows is linked from the intake form and the AI-in-Business-Process Policy

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % function heads and process owners with acknowledged AI-in-Business-Process Policy (current-year) | measure | ___ | ≥90% | ☐ | | | Priority compliance map published and reviewed in last 12 months | n/a | ___ | Yes | ☐ | | | Three priority policies approved by Legal/Privacy and Security | n/a | ___ | Yes (all three) | ☐ | | | AI-Process Intake / Sanction Gate Policy includes per-archetype required-artifacts checklist | n/a | ___ | Yes | ☐ | |

Metric Collection Guidance: - Policy acknowledgment rate: Query HR/LMS for current-year AI-in-Business-Process Policy acknowledgment completions divided by total function heads and process owners; run quarterly. - Compliance map publication: Verify the one-page compliance map is in the document registry with an approval date within the last 12 months and is linked from each policy. - Policy approvals: Verify Legal/Privacy and Security sign-off records exist for all three policies in the document management system. - Per-archetype checklist: Confirm the Intake/Gate policy document contains separate artifact lists for each workflow archetype, with decision-pipeline-specific controls (FRIA commissioning, Art. 22 safeguards checklist, HITL standards documentation) explicitly required.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Question 2: Map the three policies to the priority compliance requirements

Q1.2: Is there a published one-page priority compliance map that traces each priority requirement, EU AI Act Art. 26/50/Annex III/Art. 9/Art. 14, GDPR Art. 22, ISO/IEC 42001, NIST AI RMF, and applicable sector-specific obligations (HIPAA, FCRA, FINRA, EEOC, NYC LL144, CO SB-21-169, FRT), to the specific AI/HAI Process policy that carries it?

Evidence Required: - [ ] One-page compliance map exists in the document registry, linked from each of the three policies, covering all priority requirements - [ ] EU AI Act Art. 14 human oversight row traces to HITL Standards Policy (substantive review definition, override authority, escalation path, SLA, anchoring-prevention requirements) - [ ] EU AI Act Art. 26 deployer duties row traces to AI-in-Business-Process Policy (oversight model, disclosure requirement, deployer-duty owner) and Intake Gate (go-live artifact checklist, logged decision) - [ ] EU AI Act Annex III high-risk systems row traces to Intake Gate (Annex III high-risk use assessment required at go-live; FRIA gate for decision pipelines) - [ ] GDPR Art. 22 automated decision-making row traces to AI-in-Business-Process Policy (Art. 22 safeguards required for decision pipelines), HITL Standards (substantive review satisfies right to human review), and Intake Gate (safeguards checklist at go-live) - [ ] Sector-specific rows (HIPAA clinical workflow, FCRA credit, FINRA model risk, EEOC AI employment, NYC Local Law 144 AI hiring, CO SB-21-169 insurance, FRT) are mapped to the specific policy and artifact that carries them; compliance map has a documented review frequency and was reviewed within the last 12 months

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Priority compliance map published and reviewed in last 12 months | n/a | ___ | Yes | ☐ | | | % AI-embedded workflows in production with a named deployer-duty owner | measure | ___ | 100% for customer-facing and decision-affecting workflows | ☐ | | | Retroactive intake amnesty records opened and tracked as IM findings | measure | ___ | trending down QoQ (coverage increasing) | ☐ | | | Regulatory-evidence turnaround for Art. 22 safeguards inquiry | measure | ___ | satisfied within 5 BD (last 12 months) | ☐ | |

Metric Collection Guidance: - Compliance map review: Check document registry for version date and approval record within the past 12 months; verify all priority requirement rows are present including sector-specific rows. - Deployer-duty owner coverage: Query SM-Processes inventory for customer-facing and decision-affecting workflows; verify each has a named deployer-duty owner field populated. - Amnesty trend: Pull intake queue records tagged "amnesty" grouped by quarter; verify QoQ count is decreasing. - Auditor turnaround: Review any compliance or external audit requests in the last 12 months; confirm the team produced a gate record within 5 business days.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Question 3: Operate the intake gate and track foundational compliance outcomes

Q1.3: Is the AI-Process intake gate operational with a published intake SLA, a per-archetype artifacts checklist (including FRIA commissioning and Art. 22 safeguards for decision pipelines), and an amnesty path, and does ≥80% of AI-embedded workflows going live in the last 12 months have a gate record (100% for Critical/High-tier)?

Evidence Required: - [ ] Single intake ticket queue exists with a published SLA (triage ≤5 BD, provisional approval ≤10 BD for Low-tier archetypes with no regulated data, no customer exposure, and full human review) - [ ] Per-archetype artifacts checklists are published and keyed to each workflow archetype; decision-pipeline-specific controls are explicitly required (GDPR Art. 22 safeguards checklist, EU AI Act Annex III high-risk use assessment, FRIA commissioned or confirmed not-required with documented rationale, HITL standards documented and confirmed substantive) - [ ] Amnesty path is linked from the intake form, the AI-in-Business-Process Policy, and function-head communications; retroactive intake records exist for previously ungated workflows - [ ] Gate approval creates or updates the SM-Processes inventory record with artifact links; go-live gate authority (program sponsor or delegated Compliance/AppSec lead) issues logged decisions - [ ] Exceptions are logged with owner, rationale, and review date; no exception open longer than 90 days without re-review - [ ] SM-Processes inventory and intake queue can be queried to confirm gate-coverage rate for the last 12 months

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % AI-embedded workflows going live that passed the intake gate | measure | ___ | ≥80% within 12 months; 100% for Critical/High archetypes | ☐ | | | Intake SLA adherence (triaged within 5 BD) | measure | ___ | ≥90% | ☐ | | | Policy exception aging, exceptions open >90 days | measure | ___ | 0 exceptions past expiry | ☐ | | | Function-team cycle-time impact (intake-to-provisional-approval time) | measure | ___ | not increasing QoQ | ☐ | |

Metric Collection Guidance: - Gate coverage rate: Divide workflows with a gate record in the last 12 months by total new AI-embedded workflows in the SM-Processes inventory for the same period; split Critical/High separately. - SLA adherence: From the intake ticket queue, calculate the % of tickets where triage timestamp minus submission timestamp is ≤5 BD. - Exception aging: Query the exception register for open entries where review-due date is in the past; target is zero. - Cycle-time trend: Track median days from intake submission to provisional approval by quarter; confirm the median is not increasing.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Maturity Level 2

Objective: Deepen policy controls and compliance evidence per AI-embedded workflow risk tier, automate artifact assembly from the SM-Processes tier rubric, and operate the FRIA gate for EU AI Act Annex III workflows continuously.

Question 1: Tier-calibrated policy depth and sign-off requirements

Q2.1: Have the three priority policies been extended with tier-specific addenda using the SM-Processes L2 tier rubric, and do Critical workflows require explicit executive (CISO or COO) and DPO/CPO sign-off, a completed FRIA on file before production, HITL validation evidence (override rates and review-time data), and sector-specific compliance checklists (FCRA, NYC LL144, CO SB-21-169, HIPAA, FINRA, EEOC as applicable)?

Evidence Required: - [ ] Tier-specific addenda exist for Critical, High, Medium, and Low workflow tiers, referencing the SM-Processes L2 rubric tier definitions - [ ] Critical tier requires: full SR pack with REM, executive (CISO or COO) and DPO/CPO sign-off before go-live, EU AI Act Annex III high-risk assessment reviewed by Legal, FRIA commissioned and completed before production, GDPR Art. 22 safeguards reviewed by Privacy, HITL standards validated with override-rate data and review-time confirmation, Art. 26 disclosure mechanism confirmed and tested, sector-specific compliance checklist completed as applicable - [ ] Critical tier requires re-review within 14 days of any material change (new AI tool, new decision population, new data class, scope expansion) - [ ] High tier requires CISO-delegated AppSec/Compliance lead sign-off; FRIA required if Art. 22 applies and scale exceeds threshold; HITL model documented; re-review on material change within 30 days - [ ] Policy-exception framework requires named owner, compensating control description, Legal/Compliance reviewer acknowledgment, and expiry date (max 12 months); Critical-tier missing go-live artifacts are blocking IM findings with no amnesty post-L2 - [ ] Gate records show executive and DPO/CPO sign-off for Critical workflows in the last 12 months

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | FRIA completion rate for all Annex III workflows | measure | ___ | 100% before production | ☐ | | | % Critical workflows with explicit executive + DPO/CPO sign-off at go-live | measure | ___ | 100% | ☐ | | | % Critical/High AI-embedded workflows with complete compliance evidence bundle | measure | ___ | ≥95% | ☐ | | | Regulatory inquiry turnaround (evidence bundle within 5 BD) | measure | ___ | Yes (last 12 months) | ☐ | |

Metric Collection Guidance: - FRIA completion: Query the FRIA register for all Annex III workflows; verify each has a completed FRIA with a date prior to first production go-live date. - Critical sign-off rate: Query gate records in SM-Processes inventory for Critical-tier workflows in the last 12 months; verify each has both executive (CISO/COO) and DPO/CPO sign-off timestamps. - Evidence bundle completeness: For each Critical/High workflow, check that all required bundle elements (TA snapshot, SR REM, SA confirmation, DR decision, IR attestation, ST evidence, ML logging-baseline, deployer-duty record, HITL validation evidence, FRIA status, sector-specific compliance checklist) are present and within refresh windows. - Auditor turnaround: Review any regulatory or auditor inquiries in the last 12 months; confirm each was answered within 5 business days.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Question 2: Continuous compliance evidence assembly and HITL validation tracking

Q2.2: Is a compliance evidence bundle continuously maintained for every Critical and High AI-embedded workflow, including TA snapshot, SR REM, SA pattern confirmation, DR decision, IR attestation, ST evidence, ML logging-baseline, deployer-duty record, HITL validation evidence, and FRIA status, with staleness inside tier-specific targets?

Evidence Required: - [ ] Evidence bundle structure is defined and implemented; bundle elements include: current TA snapshot, SR REM with gap status and owner, SA reference-pattern confirmation or DR-approved deviation, latest DR decision, latest IR attestation, ST evidence (output-integrity test battery, HITL bypass test, input-injection probe), ML logging-baseline confirmation, deployer-duty record (named human-oversight owner, Art. 26 disclosure mechanism confirmation), HITL validation evidence (override rate last 90 days, average review time per item, escalation rate, most recent HITL standards review date), FRIA status with last-review date for Annex III workflows, sector-specific compliance checklist status - [ ] Staleness rules are defined and enforced for Critical tier: TA snapshot ≤90 days, IR attestation ≤6 months, ST evidence ≤30 days, HITL validation data ≤30 days, FRIA review ≤12 months or on material change; staleness triggers a PC-Processes finding routed to IM - [ ] HITL validation evidence is independently sourced from HITL event logs, not self-reported by the business function - [ ] The evidence bundle is the primary artifact delivered to regulators or auditors; a completed bundle can be assembled for any Critical/High workflow without specialist intervention - [ ] Evidence registry is queryable to report median staleness and HITL validation currency across Critical workflow bundle elements - [ ] HITL override rates are reviewed monthly; workflows with override rates outside healthy range are flagged for HITL quality review

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | % Critical/High AI-embedded workflows with complete compliance evidence bundle | measure | ___ | ≥95% | ☐ | | | Median staleness of evidence-bundle elements for Critical workflows | measure | ___ | ≤30 days past refresh window | ☐ | | | HITL validation evidence present and current for all Critical/High workflows | measure | ___ | 100% | ☐ | | | Sector-specific evidence bundle completeness for in-scope workflows | measure | ___ | 100% | ☐ | |

Metric Collection Guidance: - Bundle completeness: For each Critical/High workflow, check each required element is present and within its refresh window; count workflows where all elements are current; divide by total Critical/High workflows. - Median staleness: For each Critical workflow's evidence bundle, calculate days since each element's last refresh; compute median across all Critical workflows. - HITL validation currency: For each Critical/High workflow, verify the HITL validation data (override rate, review time, escalation rate) is ≤30 days old for Critical and ≤60 days for High; count workflows where HITL validation is current; compute %. - Sector bundle completeness: For each workflow in scope of FCRA, NYC LL144, CO SB-21-169, HIPAA, FINRA, or EEOC, verify the corresponding sector evidence bundle is assembled with all required documents present and current.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Question 3: FRIA gate operation and sector-specific compliance bundle management

Q2.3: Is the FRIA gate operational for 100% of EU AI Act Annex III workflows, is an exception register operated with named owners and expiry dates reviewed monthly, and are sector-specific evidence bundles (FCRA / NYC LL144 / CO SB-21-169 / HIPAA / FINRA / EEOC as applicable) complete for in-scope workflows?

Evidence Required: - [ ] FRIA gate is a mandatory step in the intake process for all Annex III workflows; FRIA scope includes: workflow archetype and AI system, population affected, decision effects and reversibility, fundamental rights assessment, human oversight design and HITL validation, regulatory scope, residual risks and mitigations, named FRIA author and reviewer - [ ] FRIA completion is tracked in the compliance evidence bundle and in SM-Processes inventory; FRIA review schedule is enforced (Critical-tier annually and on material change, High-tier on material change) - [ ] Exception register is integrated with the intake gate; no exception is approved without tier-appropriate compensating control and expiry date; monthly exception aging review is scheduled and conducted - [ ] Critical-tier workflows with missing go-live artifacts are routing as blocking IM findings, no amnesty applies post-L2 - [ ] Sector-specific evidence bundles are generated and tracked: FCRA bundle (adverse-action notice process, AI-model documentation, accuracy-rate tracking, dispute-handling path), NYC LL144 bundle (annual bias audit on file, candidate notice mechanism confirmed, audit publication confirmed), CO SB-21-169 bundle (anti-discrimination evidence, explainability documentation, state reporting compliance), HIPAA clinical bundle (BAA with AI provider, PHI-in-workflow documentation, human-oversight of AI-assisted clinical decisions), FINRA model risk bundle (model documentation, validation evidence, ongoing monitoring plan), EEOC employment AI bundle (adverse-impact analysis, explanation mechanism, override-rate tracking) - [ ] FRIA review schedule is current; zero Annex III workflows are overdue for FRIA review

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | FRIA completion rate for all Annex III workflows | measure | ___ | 100% before production | ☐ | | | Exception register: % exceptions with named owner, compensating control, and expiry | measure | ___ | 100% | ☐ | | | Sector-specific evidence bundle completeness for in-scope workflows | measure | ___ | 100% | ☐ | | | HITL override rate in healthy range for Critical/High workflows | measure | ___ | trending toward healthy range (not zero, not excessive) | ☐ | |

Metric Collection Guidance: - FRIA gate completeness: Query FRIA register for all Annex III workflows; verify each has a completed FRIA with a date prior to the first production go-live date; check FRIA review schedule for workflows past their review date. - Exception register completeness: Audit every entry; each must have a named owner, compensating control description with reviewer acknowledgment, and a documented expiry date. - Sector bundle completeness: For each workflow in scope of FCRA, NYC LL144, CO SB-21-169, HIPAA, FINRA, or EEOC, verify the corresponding bundle is assembled and all documents are present and current. - HITL override rate: From HITL event logs, calculate the override rate for each Critical/High workflow over the last 90 days; flag workflows where override rate is zero (rubber-stamp risk) or above the expected range (AI output unreliable).

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Maturity Level 3

Objective: Automate compliance attestation from workflow-execution telemetry and BPM signals; drive policy updates from monitoring signals, HITL validation data, and regulatory motion; and contribute to AI-process-governance and Art. 14 / Art. 22 implementation standards.

Question 1: Continuous compliance attestation from BPM and HITL telemetry

Q3.1: Does a continuous attestation pipeline auto-update evidence bundles from BPM events, HITL event logs, override-rate data, AI-step output logs, and FRIA review schedule triggers, with an attestation currency SLO of ≤24 hours and ≤3 BD on-demand pack generation?

Evidence Required: - [ ] Evidence bundles auto-update from: BPM platform go-live events (artifact checklist attached to workflow version record), HITL event logs (override rates, review times, escalation events updated in real time), AI-step output logs (output-integrity test results, logging-baseline confirmation), workflow-version change events (new AI step auto-opens a PC finding if workflow not yet in inventory), FRIA review schedule triggers (Annex III workflow reaching annual FRIA review date auto-opens review task), sector-specific renewal triggers (NYC LL144 annual bias audit due date, CO SB-21-169 annual report due date) - [ ] Attestation-generation pipeline is implemented: any regulatory or auditor request produces a provenance-complete evidence pack, regulation-keyed (EU AI Act Art. 26/Art. 14 deployer-duty pack, GDPR Art. 22 pack, sector-specific pack) or workflow-keyed, within 3 business days - [ ] Attestation currency SLO is ≤24 hours latency after a triggering event; completeness SLO is ≥99% of active Critical/High workflows continuously attested - [ ] FRIA review schedule is current; zero Annex III workflows overdue for FRIA review; on-call paging is configured when evidence-pipeline feed staleness thresholds are exceeded - [ ] SLA performance (≤3 BD on-demand pack generation) is documented and met in the last 12 months - [ ] Policy-refresh cycle is on calendar with zero missed cycles in the last 12 months

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Attestation-pack generation SLA for regulator / auditor | measure | ___ | ≤3 business days | ☐ | | | Attestation currency SLO for Critical/High workflows | measure | ___ | ≤24h latency post-triggering event | ☐ | | | % Critical/High workflows continuously attested | measure | ___ | ≥99% of active Critical/High workflows | ☐ | | | Material audit findings on AI-embedded workflow controls in last 12 months | measure | ___ | 0 | ☐ | |

Metric Collection Guidance: - Pack generation SLA: From evidence-ops telemetry, measure time from regulator/auditor request to evidence pack delivery; compute % of requests met within 3 BD. - Attestation currency SLO: From evidence pipeline telemetry, measure time between a triggering event (BPM go-live event, HITL event log update) and the evidence bundle update; compute % of events where latency is ≤24 hours. - Continuous attestation completeness: Divide Critical/High workflows with a fresh evidence bundle (within SLO) by total active Critical/High workflows. - Material audit findings: Review the last completed compliance or external audit report; count findings designated as material or high-severity related to AI-embedded workflow controls.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Question 2: Telemetry-driven policy refresh and regulatory-motion tracking

Q3.2: Does the program operate a quarterly, telemetry-driven policy-refresh cycle, drawing from ML-Processes detection trends, IM-Processes incident learnings, HITL validation signals, and a regulatory-motion tracker, with a versioned changelog where 100% of changes are traceable to a named signal or regulatory update?

Evidence Required: - [ ] Quarterly policy-refresh cycle is on calendar and has been executed without a missed cycle in the last 12 months - [ ] Refresh inputs are documented per cycle: ML-Processes detection trends (workflow-integrity violation classes rising), IM-Processes incident learnings (policy gaps that created incident conditions), HITL validation signals (archetypes showing rubber-stamp patterns requiring HITL Standards Policy tightening), tier-movement data (workflow archetypes growing fastest), external regulatory updates (EU AI Act Art. 14/Art. 26 implementing acts, GDPR EDPB Art. 22 guidance, OECD AI Policy Observatory guidance, FTC/CFPB/EEOC AI enforcement actions, state AI laws, sector-specific guidance) - [ ] Versioned changelog exists for each of the three policies; each change entry cites the specific signal or regulatory update that prompted the change - [ ] EG-Processes training content is updated within 30 days of any policy change; SM-Processes inventory archetypes and tier rubric are reviewed for needed updates - [ ] Regulatory-motion tracker is maintained: a log of open regulatory instruments (state AI laws, sector-specific AI rules, EU AI Act implementing acts) with expected effective dates, mapped to the policy they will affect, reviewed quarterly by the working group - [ ] 100% of policy changes in the last 12 months are traceable to named signals or regulatory updates in the changelog

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Policy refresh cadence met | measure | ___ | quarterly, on calendar | ☐ | | | % policy changes traceable to ML/IM telemetry, HITL validation signals, or named regulatory update | measure | ___ | 100% | ☐ | | | FRIA review schedule current, Annex III workflows overdue | measure | ___ | 0 | ☐ | | | HITL quality problems and workflow-integrity violations reduced by targeted policy changes | measure | ___ | trending down | ☐ | |

Metric Collection Guidance: - Refresh cadence: Verify quarterly policy-review meeting minutes exist for each of the last four quarters; confirm no cycle was skipped. - Traceability: Review the policy changelog; for each change entry, verify it cites either a specific ML/IM signal or HITL validation signal (with date and source) or a named regulatory update (with citation and effective date). - FRIA review schedule: Query the FRIA register for all Annex III workflows; verify each has a FRIA review date that is not past due. - Incident/HITL improvement: Compare the count of HITL quality incidents and workflow-integrity violations per quarter over the last four quarters; verify that classes targeted by policy changes are not recurring.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Question 3: Standards contribution and external engagement

Q3.3: Does the program contribute at least two substantive public comments or standards artifacts per year on AI-process governance and Art. 14 / Art. 22 implementation topics, including HITL design standards, FRIA methodology templates, or compliance evidence bundle schemas, with documented external recognition?

Evidence Required: - [ ] Contribution log exists tracking all public comments, standards submissions, and forum participations with dates, submitting body, and topic - [ ] At least 2 substantive contributions per year submitted to relevant forums: EU AI Act Art. 14/Art. 26 deployer-guidance consultations, GDPR EDPB Art. 22 implementation guidance rounds, ISO/IEC 42005 AI impact assessment working groups, OECD AI Policy Observatory practitioners network, sector regulators (CFPB credit AI guidance, EEOC AI employment guidance, FINRA/OCC model-risk, NYC/CO state AI law implementation, HHS clinical AI guidance) - [ ] Contributions are technical artifacts implementing bodies can use, HITL design standards (substantive vs. rubber-stamp taxonomy, review-SLA calculation methodology, override-rate benchmarks), FRIA methodology templates for each Annex III use category (employment, credit, education, clinical), compliance evidence bundle schemas for Art. 22/Art. 26, workflow-archetype policy addendum patterns, not deadline-only comment letters - [ ] Contributed artifacts are maintained and versioned; override-rate benchmarks are updated to reflect current sector practice - [ ] External recognition is documented: citations in published guidance, standards-body acknowledgment, sector-regulator reference, or working-group invitations

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |---|---|---|---|---|---| | Public regulatory / standards contributions per year | 0 | ___ | ≥2 | ☐ | | | External recognition (citations, adoptions, invitations) | 0 | ___ | tracked, trending up | ☐ | | | Contributed HITL design standards and FRIA templates maintained and current | measure | ___ | Yes (≤12 months since last update) | ☐ | | | Regulator / auditor / customer feedback on Art. 22 / Art. 26 attestation posture | measure | ___ | explicitly positive | ☐ | |

Metric Collection Guidance: - Contribution count: Review the contribution log; count entries for the current year where the contribution is a substantive technical artifact submitted to a named standards body or regulatory forum. - External recognition: Check the contribution log for documented acknowledgments, citations in published guidance, standards-body acknowledgment, sector-regulator reference, or working-group invitations. - Artifact maintenance: Review the last-updated dates for all contributed artifacts, especially HITL override-rate benchmarks and FRIA templates; verify none are more than 12 months stale. - Regulator feedback: Review any written feedback from regulators, auditors, or customers in the last 12 months; note whether Art. 22/Art. 26 attestation posture is characterized positively.

Answer: - ☐ Fully Mature (Evidence complete + ≥3 outcome metrics meet targets) - ☐ Implemented (Evidence complete + 2 outcome metrics meet targets) - ☐ Partial (Evidence partially complete + <2 outcome metrics meet targets) - ☐ Not Implemented (No substantive evidence)

Evidence Location: ___ Metric Validation Date: ___ Notes: ___


Summary Scorecard

Level Q1 Q2 Q3 Avg Achieved?
L1 __ __ __ __
L2 __ __ __ __
L3 __ __ __ __

Practice maturity level achieved: ___ (highest level where all 3 questions score ≥ 0.67)


Document Version: HAIAMM v3.0 Practice: Policy & Compliance (PC) Domain: Processes Last Updated: 2026-05-15 Author: Verifhai

Instructions:

  • Answer based on current practices, not plans
  • “Yes” requires documented evidence
  • Complete all Level 1 questions before Level 2
  • Partial implementation = “No”

↓ Download as Markdown