Building an AI audit framework: where to start
Ask most organisations to show their AI governance and you will be handed a policy document. It will say the right things about fairness, transparency and accountability. It will also, more often than not, describe a process that nobody actually follows. A policy PDF is not a governance framework. A framework is an operating model — a set of repeatable activities, with owners, that you can evidence when a regulator, a board, or a customer asks.
Here is where to start building one that works.
Begin with an inventory, not a policy
You cannot govern what you have not catalogued. The first artefact in any credible framework is a register of the AI systems in use across the organisation — built in-house and bought in, including AI features embedded in tools you already license. For each entry, capture the purpose, the owner, the data it uses, its risk classification, and its lifecycle stage.
The inventory is the spine of the whole framework. Everything else hangs off it.
Classify and triage by risk
Not every AI system deserves the same scrutiny. A model that drafts internal marketing copy is not a hiring-decision system. Classify each entry by risk — both regulatory (the EU AI Act's tiers) and your own operational and reputational risk — so that effort flows to where the stakes are highest. This triage is what makes the framework proportionate rather than paralysing.
Borrow the structure that already exists
You do not need to invent a framework from first principles. Two reference points do most of the work:
- ISO/IEC 42001 — the first certifiable AI management-system standard, built on the familiar plan-do-check-act cycle. It gives you an auditable structure for governance.
- The NIST AI Risk Management Framework — its Govern, Map, Measure, Manage functions are a clear, practical way to think about what activities your framework needs.
Mapping your obligations onto an established standard means you are speaking a language auditors, customers and regulators already recognise.
Put the core controls in place
A working framework operationalises a handful of controls. At minimum:
- Intake and approval — a gate so new AI systems are assessed before deployment, not after.
- Risk assessment — a documented assessment for higher-risk systems, including impact on individuals.
- Human oversight — defined points where a person can review, override or stop the system.
- Monitoring — ongoing checks on performance, drift and unintended outcomes.
- Incident response — a route to detect, report and remediate when an AI system causes harm or fails.
- Documentation — the technical and decision records you will need to evidence all of the above.
A 90-day starting plan
- Weeks 1–3: stand up the AI inventory; assign system owners.
- Weeks 4–6: classify systems by risk; pick a reference standard (ISO 42001 / NIST).
- Weeks 7–10: design intake, risk-assessment and human-oversight controls.
- Weeks 11–13: pilot on one high-risk system; set up monitoring and incident reporting; report to the board.
Make it evidenced, and make it live
The difference between governance that protects you and governance that does not is evidence. When something goes wrong — or when a regulator asks — you want to point to a documented process that was actually operating, with named owners and a trail of decisions. That is also exactly what the EU AI Act expects of high-risk systems, and what ISO/IEC 42001 certification tests. Build the framework so that producing that evidence is a by-product of normal operation, not a special project you scramble to assemble under pressure.
This article is provided for general information only. It is not legal advice and does not create a lawyer–client relationship. Governance frameworks should be tailored to your organisation, sector and risk profile; obtain qualified advice for your circumstances.