# AI Assurance Readiness Checklist

A practical checklist to assess whether your organization can show its AI is trustworthy. Organized by the five layers of the AI risk stack. Work top to bottom; the lower layers are foundational. Offered under CC BY 4.0 by AI Risk Atlas (airiskatlas.com).

## 1. Model risk (the AI itself)

- [ ] Every AI system has a documented evaluation covering accuracy, bias, and known failure modes
- [ ] You red-team systems for prompt injection, jailbreaks, and unsafe outputs before deployment
- [ ] You test against a recognized catalog of model failure modes (for example the OWASP Top 10 for LLM Applications)
- [ ] You re-evaluate on a schedule, not only at launch, to catch model drift
- [ ] Runtime guardrails filter or block unsafe inputs and outputs in production

## 2. Operational risk (the AI inside a process)

- [ ] Each AI system has an owner and a defined business process it sits in
- [ ] You monitor live behavior and have alerting for anomalies
- [ ] You have an incident response plan specific to AI failures
- [ ] You track which foundation-model providers you depend on and your concentration risk
- [ ] Human-in-the-loop checks exist where automation operates at scale

## 3. Governance risk (the organization)

- [ ] There is a named accountable owner for AI governance
- [ ] You maintain an inventory or register of AI systems in use
- [ ] AI use is covered by written policy mapped to the regulations that apply to you
- [ ] You are aligned to, or certified against, a recognized standard (ISO/IEC 42001 or the NIST AI RMF)
- [ ] Leadership receives regular reporting on AI risk

## 4. Liability and legal risk

- [ ] Contracts with model providers, integrators, and customers allocate responsibility for AI harm
- [ ] You retain documentation and assurance evidence sufficient to defend a claim
- [ ] You have assessed regulatory exposure (for example the EU AI Act) for the markets you serve
- [ ] You have considered intellectual-property risk in AI outputs

## 5. Reputation and trust risk

- [ ] You can detect and respond to a visible AI failure quickly
- [ ] You disclose AI use where appropriate and where regulation requires it
- [ ] You have prepared communications for an AI incident
- [ ] You understand that the cheapest protection for trust is strong controls in the layers above

## Using this checklist

A gap low in the stack (model and operational) usually matters more than a gap high in it, because risk flows upward. The same evidence that closes these gaps is what insurers increasingly want to see when pricing AI cover.

Read more: airiskatlas.com/learn/what-is-ai-assurance and airiskatlas.com/learn/the-ai-risk-stack