
Free Resource · 2025 Edition

AI Governance Checklist

A 12-step checklist for building an AI governance program that satisfies TRAIGA, EU AI Act, and NIST AI RMF requirements. Each step maps to specific statutory provisions.

12 Actionable Steps · 4 Regulatory Frameworks · 80+ Checklist Sub-items · Free to Use

Why You Need an AI Governance Checklist Right Now

AI governance has moved from a best practice to a legal requirement. The Texas Responsible AI Governance Act (TRAIGA) imposes structured governance obligations on any organization using AI in consequential decisions. The EU AI Act creates binding requirements for high-risk AI systems deployed in the EU. And the NIST AI Risk Management Framework is becoming the de facto compliance standard for U.S. federal contractors.

This checklist translates those regulatory requirements into 12 actionable steps your organization can execute in order. Each step references the specific provision it satisfies so you always know exactly where you stand against the regulations that apply to you.

The checklist is free to use as a guide. If you want software that automates the inventory, risk scoring, control tracking, incident logging, and board reporting — that's what Risk Meridian is built for.

What this checklist covers

Foundation (2 steps)

Inventory & risk classification

Governance Infrastructure (2 steps)

Policy & accountability

Risk Management (3 steps)

Assessments, controls & oversight

Transparency (1 step)

Disclosures

Monitoring (2 steps)

Incidents & ongoing monitoring

Board Oversight (1 step)

Executive reporting

Third-Party (1 step)

Vendor AI governance

The 12-Step AI Governance Checklist

Work through these steps in order. Steps 1–2 are prerequisites for everything that follows. Each step includes the regulatory provision it satisfies and a detailed sub-item list.

Step 1 · Foundation · Medium effort · 1–2 weeks

Build Your AI System Inventory

Document every AI system your organization deploys, develops, or procures — including third-party tools that make consequential decisions about people.

Why it matters

You cannot govern what you cannot see. Every major AI regulation starts with an inventory requirement. TRAIGA explicitly requires a written registry of all covered AI systems.

Regulatory basis

TRAIGA §4(a) · EU AI Act Art. 49 · NIST AI RMF GOVERN 1.1

Checklist sub-items

  • List every AI/ML tool currently in production
  • Include third-party SaaS products with AI decision features
  • Document the vendor, version, and deployment date for each
  • Note which business function and data each system touches
  • Identify the business owner and technical owner for each system
  • Flag systems that make or influence consequential decisions
Step 2 · Foundation · Medium effort · 3–5 days

Classify Each System by Risk Level

Assign a risk tier — High, Moderate, or Low — to every AI system based on the nature of decisions it influences, the populations it affects, and the potential for harm.

Why it matters

Risk classification determines your compliance obligations. High-risk systems require human oversight, impact assessments, and board-level reporting. Low-risk systems need lighter-touch governance.

Regulatory basis

TRAIGA §3 · EU AI Act Annex III · NIST AI RMF MAP 1.5

Checklist sub-items

  • Apply a consistent risk scoring rubric across all systems
  • Consider: severity of potential harm, number of affected individuals, reversibility of decisions
  • Flag systems touching employment, credit, healthcare, housing, education, or legal processes
  • Document the rationale for each risk classification
  • Have classifications reviewed by legal or compliance counsel
  • Schedule annual re-classification reviews
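The rubric in Step 2 only works if it is applied the same way to every record in the Step 1 inventory, and if the rationale is written down alongside the tier. The following is an added example (not code from the checklist page or from Risk Meridian) that does both: inventory records carry the owner and scope fields Step 1 asks for, a point-based rubric scores severity, scale, reversibility and the consequential-decision flag, and any system touching one of the domains the checklist names is floored at Moderate. The field names, point weights, tier thresholds and the three sample systems are all assumptions chosen for illustration.

```python
# Added example (not from the checklist page or from Risk Meridian): a small,
# repeatable risk-tier rubric for Step 2, applied to inventory records of the
# kind Step 1 asks for. Field names, point weights, tier thresholds and the
# three sample systems are assumptions chosen for illustration.
from dataclasses import dataclass

# Domains the checklist flags as consequential. Touching one of them floors a
# system at Moderate even if its numeric score is Low (assumed policy rule).
CONSEQUENTIAL_DOMAINS = {"employment", "credit", "healthcare",
                         "housing", "education", "legal"}

TIER_THRESHOLDS = (("High", 10), ("Moderate", 6))   # Low below 6; max score is 14


@dataclass(frozen=True)
class AISystem:
    name: str
    business_owner: str        # accountable (Step 4)
    technical_owner: str       # responsible (Step 4)
    domains: frozenset         # business functions / data the system touches
    severity: int              # 1..5, worst plausible harm to one individual
    affected_per_year: int     # estimated number of people affected
    reversible: bool           # can a wrong output be undone cheaply and quickly?
    influences_decision: bool  # makes or materially influences a decision about a person


def scale_points(affected: int) -> int:
    """Order-of-magnitude buckets so 50 and 50,000 people do not score alike."""
    for floor, pts in ((100_000, 5), (10_000, 4), (1_000, 3), (100, 2)):
        if affected >= floor:
            return pts
    return 1


def score(s: AISystem) -> int:
    if not 1 <= s.severity <= 5:
        raise ValueError(f"{s.name}: severity must be 1..5")
    pts = s.severity + scale_points(s.affected_per_year)
    pts += 0 if s.reversible else 2           # irreversible harm weighs more
    pts += 2 if s.influences_decision else 0  # consequential-decision flag
    return pts


def classify(s: AISystem) -> tuple:
    """Return (tier, rationale). The rationale is what gets written into the
    registry so the classification can be defended at the annual review."""
    pts = score(s)
    tier = "Low"
    for name, threshold in TIER_THRESHOLDS:
        if pts >= threshold:
            tier = name
            break
    touched = sorted(s.domains & CONSEQUENTIAL_DOMAINS)
    rationale = (f"score={pts} (severity={s.severity}, "
                 f"scale={scale_points(s.affected_per_year)}, "
                 f"irreversible={not s.reversible}, decision={s.influences_decision})")
    if touched and tier == "Low":
        tier = "Moderate"
        rationale += f"; raised to Moderate: touches consequential domain(s) {touched}"
    return tier, rationale


# Constructed sample inventory, not real systems.
SAMPLE_INVENTORY = [
    AISystem("resume-screener", "VP People", "ml-platform", frozenset({"employment"}),
             severity=4, affected_per_year=20_000, reversible=False, influences_decision=True),
    AISystem("ticket-summarizer", "Head of Support", "app-team", frozenset({"customer support"}),
             severity=1, affected_per_year=500, reversible=True, influences_decision=False),
    AISystem("benefits-faq-bot", "HR Ops", "it-services", frozenset({"healthcare"}),
             severity=2, affected_per_year=50, reversible=True, influences_decision=False),
]


def classify_inventory(systems=SAMPLE_INVENTORY) -> dict:
    """Map system name -> (tier, rationale) for the whole registry."""
    return {s.name: classify(s) for s in systems}


if __name__ == "__main__":
    for name, (tier, why) in classify_inventory().items():
        print(f"{name:20s} {tier:9s} {why}")
```

The domain floor is the check a practitioner most often forgets: a low-traffic chatbot that answers benefits questions scores Low on every numeric factor, but because it touches healthcare it should not be governed as if it were a ticket summarizer. Whatever weights you choose, keep them in one place and version them, since a change to the rubric re-opens every classification that depends on it.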
Step 3 · Governance Infrastructure · Medium effort · 2–4 weeks

Adopt an AI Governance Policy

Draft and ratify a formal AI governance policy that defines your organization's principles, acceptable use standards, prohibited practices, and accountability structure.

Why it matters

A written policy is the foundation regulators and auditors look for first. Without it, you have no baseline against which to measure compliance or investigate incidents.

Regulatory basis

TRAIGA §5(b) · EU AI Act Art. 9 · ISO 42001 §6.2

Checklist sub-items

  • Define the scope of the policy (which systems, which teams)
  • State your organization's AI values and principles
  • List prohibited AI use cases explicitly
  • Define roles: AI owner, AI reviewer, AI ethics officer
  • Include a process for requesting exceptions
  • Obtain board or executive sign-off
  • Publish to all staff and schedule annual review
Step 4 · Governance Infrastructure · Low effort · 1 week

Assign Clear Roles & Accountability

Every AI system must have a named owner who is accountable for its governance — its risk level, controls, incident reporting, and compliance status.

Why it matters

Diffuse accountability is the enemy of governance. Regulators want to know who is responsible when an AI system causes harm. TRAIGA's enforcement provisions assume named responsible parties.

Regulatory basis

TRAIGA §5(c) · EU AI Act Art. 26 · NIST AI RMF GOVERN 2.2

Checklist sub-items

  • Assign a business owner (accountable) for each AI system
  • Assign a technical owner (responsible) for each AI system
  • Define an AI review committee or governance board
  • Document the escalation path for governance decisions
  • Ensure owners have the authority to pause or retire a system
  • Train owners on their governance responsibilities
Step 5 · Risk Management · High effort · 2–6 weeks per system

Complete a Risk Assessment for Each High-Risk System

Conduct a structured AI risk assessment — sometimes called an AI Impact Assessment or Algorithmic Impact Assessment — for every system classified as High risk, and for Moderate-risk systems where your governance policy requires one.

Why it matters

Risk assessments surface potential harms before they occur. They are required by TRAIGA for high-risk systems and by the EU AI Act for all Annex III systems. They are also evidence of due diligence in litigation.

Regulatory basis

TRAIGA §6 · EU AI Act Art. 9 · NIST AI RMF MEASURE 2.5

Checklist sub-items

  • Document the intended purpose and actual deployment context
  • Identify all foreseeable uses and misuses
  • Assess bias and fairness across protected demographic groups
  • Evaluate data quality, provenance, and privacy implications
  • Assess transparency and explainability of outputs
  • Document residual risks and planned mitigations
  • Have assessments reviewed by an independent party
  • Retain assessments for at least 5 years
Step 6 · Risk Management · High effort · Ongoing

Implement Governance Controls

For each identified risk, implement a specific, trackable control — a technical safeguard, process requirement, or monitoring measure that reduces the risk to an acceptable level.

Why it matters

Controls are how policy becomes practice. Without measurable controls, governance is a paper exercise. Regulators and auditors look for evidence that controls were implemented, tested, and maintained.

Regulatory basis

TRAIGA §7 · EU AI Act Art. 9(6) · ISO 42001 §8.4

Checklist sub-items

  • Map each identified risk to at least one specific control
  • Assign a control owner and implementation deadline
  • Define how each control will be tested or evidenced
  • Track control status: Not Started, In Progress, Complete, Overdue
  • Test controls before high-risk systems go into production
  • Document control exceptions with compensating measures
  • Review control effectiveness at least annually
Step 7 · Risk Management · High effort · 2–4 weeks per system

Establish Human Oversight Mechanisms

For high-risk AI systems, ensure that humans remain in the loop for consequential decisions — with the ability to review, override, correct, or halt AI outputs.

Why it matters

Human oversight is a core requirement of TRAIGA, the EU AI Act, and virtually every emerging AI regulation. It is also your primary legal defense if an AI system causes harm.

Regulatory basis

TRAIGA §8 · EU AI Act Art. 14 · NIST AI RMF MANAGE 4.1

Checklist sub-items

  • Define the human review step for each consequential AI decision
  • Ensure humans have sufficient context to meaningfully review AI outputs
  • Document the override procedure and log all overrides
  • Set thresholds for automatic escalation to human review
  • Train staff on how to critically evaluate AI recommendations
  • Audit human oversight compliance quarterly
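Two of the sub-items above are the ones that fail quietly in practice: the escalation threshold gets bypassed when no reviewer is available, and the override log can be edited by the same people whose overrides it records. The following added example (not code from the checklist page or from Risk Meridian) shows one way to build both correctly: a gate that blocks a consequential decision until a human has decided, rather than defaulting to the AI output, and an append-only override log in which each entry commits to the previous one with SHA-256, so that a later edit or deletion breaks the chain that the quarterly audit verifies. The confidence floor, the Recommendation fields and the sample cases are assumptions for illustration.

```python
# Added example (not from the checklist page or from Risk Meridian): a
# human-review gate for consequential decisions and an append-only, hash-chained
# override log, so that "log all overrides" also means "and notice if that log
# is edited later". The policy thresholds, the Recommendation fields and the
# sample cases are assumptions for illustration.
import hashlib
import json
import time
from dataclasses import dataclass

CONFIDENCE_FLOOR = 0.85   # assumed policy: below this, a human must decide
GENESIS = "0" * 64        # chain anchor for the first log entry


@dataclass(frozen=True)
class Recommendation:
    case_id: str
    consequential: bool      # from the Step 2 classification
    outcome: str             # e.g. "approve" / "deny"
    confidence: float
    features_used: tuple     # shown to the reviewer so the review is meaningful


def requires_human_review(rec: Recommendation) -> bool:
    """Escalation rule: every adverse consequential outcome, and anything the
    model is not confident about, goes to a person before it takes effect."""
    if rec.consequential and rec.outcome == "deny":
        return True
    return rec.confidence < CONFIDENCE_FLOOR


class OverrideLog:
    """Each entry embeds the SHA-256 of the previous entry. Editing or deleting
    an earlier record invalidates every hash after it, which verify() detects."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, case_id, ai_outcome, final_outcome, reviewer, reason, ts=None) -> str:
        body = {"case_id": case_id, "ai_outcome": ai_outcome, "final_outcome": final_outcome,
                "reviewer": reviewer, "reason": reason,
                "ts": ts if ts is not None else time.time(), "prev": self._prev}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        self._prev = digest
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def decide(rec: Recommendation, log: OverrideLog, *, human_outcome=None,
           reviewer=None, reason=None) -> str:
    """Return the outcome that may take effect. Where the gate fires and no
    human decision was supplied, the decision is blocked rather than defaulted
    to the AI output. Every human disagreement with the AI is logged."""
    if not requires_human_review(rec):
        return rec.outcome
    if human_outcome is None:
        raise PermissionError(f"{rec.case_id}: blocked pending human review")
    if human_outcome != rec.outcome:
        log.append(rec.case_id, rec.outcome, human_outcome, reviewer, reason)
    return human_outcome


if __name__ == "__main__":
    log = OverrideLog()
    # Constructed sample cases, not real decisions.
    auto = Recommendation("c-1001", False, "approve", 0.99, ("tenure",))
    gated = Recommendation("c-1002", True, "deny", 0.93, ("income", "dti"))
    print(decide(auto, log))
    print(decide(gated, log, human_outcome="approve", reviewer="j.doe",
                 reason="income verified by pay stubs"))
    print("log intact:", log.verify())
    log.entries[0]["reason"] = "edited after the fact"
    print("log intact after tampering:", log.verify())   # False
```

The hash chain makes tampering detectable, not impossible: whoever controls the whole file can rewrite every hash. Anchor the latest digest somewhere the reviewers cannot write to (a separate append-only store, or simply a line in the quarterly audit record) and the chain gives you a verifiable history back to that anchor.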
Step 8 · Transparency · Medium effort · 1–2 weeks

Draft Required AI Disclosures

Prepare legally compliant disclosures informing individuals when AI has been used to make a consequential decision about them — and explaining their rights.

Why it matters

TRAIGA requires disclosure when AI is used in consequential decisions. The EU AI Act imposes transparency obligations on most AI systems. Disclosures also reduce legal liability by demonstrating good faith.

Regulatory basis

TRAIGA §9 · EU AI Act Art. 13 · California SB 1047

Checklist sub-items

  • Identify every customer or employee touchpoint involving AI decisions
  • Draft plain-language disclosure notices for each touchpoint
  • Include: what the AI does, what data it uses, how decisions are made
  • Explain how individuals can request human review
  • Embed disclosures in contracts, privacy notices, and decision letters
  • Have disclosures reviewed by legal counsel
  • Translate disclosures for non-English-speaking populations if applicable
Step 9 · Monitoring & Incident Response · Low effort · 1 week

Set Up an AI Incident Log

Create a formal process for reporting, logging, investigating, and remediating incidents involving AI systems — including near-misses, bias events, errors, and third-party vulnerabilities.

Why it matters

Incident logging is required by TRAIGA and the EU AI Act. More importantly, it creates the feedback loop that makes AI governance improve over time. You cannot fix what you do not track.

Regulatory basis

TRAIGA §10 · EU AI Act Art. 73 · NIST AI RMF MANAGE 3.2

Checklist sub-items

  • Define what constitutes a reportable AI incident for your organization
  • Create a simple intake form staff can submit in under 5 minutes
  • Assign an incident triage owner for initial severity assessment
  • Establish SLAs for investigation and remediation by severity
  • Log all incidents — even those with no apparent harm
  • Conduct post-mortems on all High and Critical incidents
  • Report serious incidents to regulators as required
Step 10 · Monitoring & Incident Response · High effort · 2–4 weeks

Implement Ongoing AI Performance Monitoring

Establish automated and manual monitoring of your AI systems' outputs over time to detect model drift, unexpected bias, degraded accuracy, or changed behavior in production.

Why it matters

AI systems degrade over time as the world changes but the model does not. A system that was compliant at launch may violate governance requirements six months later. Ongoing monitoring is non-negotiable.

Regulatory basis

TRAIGA §11 · EU AI Act Art. 72 · NIST AI RMF MEASURE 2.7

Checklist sub-items

  • Define key performance and fairness metrics for each high-risk system
  • Set thresholds that trigger a governance review if breached
  • Schedule automated model performance reports (weekly or monthly)
  • Conduct quarterly human reviews of high-risk system outputs
  • Rerun bias audits after any model update or data refresh
  • Document all monitoring results and retain for audit
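"Set thresholds that trigger a governance review" needs concrete metrics behind it. The following added example (not code from the checklist page or from Risk Meridian) implements two that practitioners commonly use: the population stability index (PSI) between the score distribution at launch and the current window, which catches the drift the "Why it matters" paragraph describes, and the selection-rate ratio across groups (the four-fifths rule of thumb) as a fairness check. Both feed a report that records the numbers, the thresholds and the verdict, which is the artifact to retain for audit. The bin edges, thresholds, group labels and sample data are assumptions constructed for illustration.

```python
# Added example (not from the checklist page or from Risk Meridian): two
# production checks behind Step 10's "set thresholds that trigger a governance
# review". psi() measures drift of the model's score distribution against the
# launch baseline (population stability index); selection_rate_ratio() applies
# the four-fifths rule of thumb to outcomes across groups. The bin edges,
# thresholds, group labels and sample data are assumptions for illustration.
import math
from collections import Counter

EDGES = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0]   # score bins (assumed)
PSI_REVIEW_THRESHOLD = 0.25              # common rule of thumb for "significant shift"
SELECTION_RATIO_FLOOR = 0.8              # four-fifths rule

# Constructed sample data: 20 scores captured at launch vs 20 from the current
# window, which has drifted toward high scores; and one window of decisions.
BASELINE_SCORES = [0.05] * 4 + [0.25] * 4 + [0.45] * 4 + [0.65] * 4 + [0.85] * 4
CURRENT_SCORES = [0.05] * 1 + [0.25] * 1 + [0.45] * 2 + [0.65] * 6 + [0.85] * 10
DECISIONS = ([("group_a", True)] * 8 + [("group_a", False)] * 2
             + [("group_b", True)] * 4 + [("group_b", False)] * 6)


def histogram(scores, edges=EDGES):
    """Count scores per bin; the last bin is closed on the right."""
    counts = [0] * (len(edges) - 1)
    for s in scores:
        if not edges[0] <= s <= edges[-1]:
            raise ValueError(f"score {s} outside {edges[0]}..{edges[-1]}")
        i = min(sum(1 for e in edges[1:] if s >= e), len(counts) - 1)
        counts[i] += 1
    return counts


def psi(baseline, current, edges=EDGES, eps=1e-6):
    """Population stability index: sum((cur% - base%) * ln(cur% / base%))."""
    b, c = histogram(baseline, edges), histogram(current, edges)
    nb, nc = sum(b), sum(c)
    total = 0.0
    for bi, ci in zip(b, c):
        pb, pc = max(bi / nb, eps), max(ci / nc, eps)   # eps avoids log(0)
        total += (pc - pb) * math.log(pc / pb)
    return total


def selection_rate_ratio(decisions):
    """decisions: (group, selected) pairs. Returns (min rate / max rate, rates)."""
    selected, total = Counter(), Counter()
    for group, ok in decisions:
        total[group] += 1
        selected[group] += int(ok)
    rates = {g: selected[g] / total[g] for g in total}
    top = max(rates.values())
    return (min(rates.values()) / top if top else 1.0), rates


def monitoring_report(baseline=BASELINE_SCORES, current=CURRENT_SCORES,
                      decisions=DECISIONS):
    """The record to retain for audit: the numbers, the thresholds and the
    verdict, so a later reviewer can see why review was (or was not) triggered."""
    drift = psi(baseline, current)
    ratio, rates = selection_rate_ratio(decisions)
    findings = []
    if drift > PSI_REVIEW_THRESHOLD:
        findings.append(f"score drift PSI={drift:.3f} > {PSI_REVIEW_THRESHOLD}")
    if ratio < SELECTION_RATIO_FLOOR:
        findings.append(f"selection-rate ratio {ratio:.2f} < {SELECTION_RATIO_FLOOR}: {rates}")
    return {"psi": round(drift, 3), "selection_ratio": round(ratio, 3),
            "rates": rates, "review_required": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(monitoring_report())
```

Run this on each reporting window against the baseline captured at launch, not against the previous window; comparing window to window lets slow drift accumulate below the threshold. Bin edges and group definitions are part of the audit record too, since changing them changes the numbers.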
Step 11 · Board & Executive Oversight · Medium effort · 2 weeks

Establish Board-Level AI Reporting

Create a regular AI governance reporting cycle that gives your board or senior leadership visibility into AI risk levels, control status, incidents, and regulatory compliance.

Why it matters

TRAIGA and the EU AI Act both impose liability at the organizational level. Directors who are unaware of AI risks may also face personal liability exposure. Proactive reporting demonstrates governance maturity to regulators.

Regulatory basis

TRAIGA §12 · EU AI Act Art. 5(d) · ISO 42001 §9.3

Checklist sub-items

  • Decide on reporting frequency (quarterly is typical for mid-size orgs)
  • Define the core metrics: number of AI systems by risk level, control completion %, open incidents
  • Create a one-page AI governance dashboard for board consumption
  • Include a narrative section on emerging regulatory developments
  • Document board questions and management responses
  • Retain board AI governance minutes for at least 5 years
Step 12 · Third-Party & Supply Chain · Medium effort · 2–4 weeks

Extend Governance to Third-Party AI Vendors

Most organizations use more third-party AI than internally built AI. Your governance program must extend to vendors — through contractual requirements, due diligence questionnaires, and ongoing review.

Why it matters

TRAIGA holds deploying organizations responsible for the AI systems they use — even if built by someone else. A vendor's governance failure is your compliance problem.

Regulatory basis

TRAIGA §13 · EU AI Act Art. 28 · NIST AI RMF GOVERN 6.1

Checklist sub-items

  • Inventory all AI tools procured from third-party vendors
  • Add AI governance requirements to vendor contracts and MSAs
  • Send AI due diligence questionnaires to all high-risk AI vendors
  • Require vendors to notify you of model updates or incidents
  • Assess vendor GDPR / HIPAA / data protection compliance
  • Review vendor AI governance certifications annually
  • Maintain the right to audit vendor AI systems affecting your customers

Risk Meridian

Automate this entire checklist with Risk Meridian

Working through this checklist manually in spreadsheets takes months and is hard to keep current. Risk Meridian is purpose-built software that guides you through every step, tracks your progress, and generates audit-ready documentation automatically.

Organizations using Risk Meridian complete their initial governance program in 4–6 weeks instead of 3–6 months — and spend 80% less time on manual documentation.

AI System Inventory

Structured registry for every AI system you deploy, with risk classification, owner assignment, and status tracking built in.

Risk Assessment Workflows

Guided impact assessment templates that walk your team through every required field — and store evidence automatically.

Control Tracking

Assign controls to systems, track completion status, log evidence, and get overdue alerts before audits catch you off-guard.

Incident Management

Intake forms, severity triage, investigation workflows, and post-mortem templates — all in one place.

Board Reports

One-click PDF governance reports your board can actually read, generated directly from your live data.

Regulatory Mapping

Every control and assessment maps to TRAIGA, EU AI Act, NIST AI RMF, and ISO 42001 — so you never wonder if you're covered.

Frequently Asked Questions

What should be on an AI governance checklist?
A complete AI governance checklist should cover: (1) AI system inventory, (2) risk classification, (3) governance policy, (4) roles and accountability, (5) risk assessments, (6) governance controls, (7) human oversight mechanisms, (8) transparency disclosures, (9) incident logging, (10) ongoing monitoring, (11) board reporting, and (12) third-party vendor governance. Each item maps to at least one regulatory requirement under TRAIGA, the EU AI Act, or NIST AI RMF.
Is an AI governance checklist required by law?
Yes — several AI regulations now require structured governance programs that map to checklist-style requirements. The Texas Responsible AI Governance Act (TRAIGA) requires a written AI system registry, risk assessments for high-risk systems, human oversight mechanisms, and board-level reporting. The EU AI Act requires conformity assessments, technical documentation, and post-market monitoring for high-risk AI. Having a documented checklist demonstrates compliance intent and provides evidence in enforcement actions.
How long does it take to complete an AI governance checklist?
For a typical mid-size organization with 5–20 AI systems, completing a full AI governance program takes 3–6 months. The fastest items (incident log, role assignments) can be done in a week. The most time-intensive items (risk assessments, control implementation, monitoring infrastructure) take weeks to months per system. Using purpose-built AI governance software like Risk Meridian can cut the timeline by 60–70% through automation, templates, and guided workflows.
What is the difference between an AI governance checklist and an AI compliance checklist?
They are closely related but distinct. An AI governance checklist covers the internal program your organization builds — policies, roles, oversight structures, risk management processes. An AI compliance checklist is more externally focused — it maps your program to specific regulatory requirements to verify you meet legal obligations. In practice, a good AI governance checklist naturally produces compliance with major regulations including TRAIGA, EU AI Act, and NIST AI RMF.
Which AI regulations does this checklist cover?
This checklist maps to four major frameworks: the Texas Responsible AI Governance Act (TRAIGA), the EU AI Act, the NIST AI Risk Management Framework (AI RMF), and ISO/IEC 42001. Each checklist item references the specific statutory or framework provision it satisfies, so you can trace your program directly to regulatory requirements.
Do small businesses need an AI governance checklist?
It depends on whether you deploy AI in consequential decisions. TRAIGA applies to organizations that use AI to make decisions affecting employment, credit, housing, healthcare, or education — regardless of company size. If you use an applicant tracking system with AI scoring, an AI credit underwriting tool, or a clinical decision support AI, you are likely subject to governance requirements even as a small business.

Ready to work through this checklist?

Risk Meridian guides you through every step — with templates, automated workflows, and real-time compliance tracking against TRAIGA, EU AI Act, and NIST AI RMF.

No credit card required · Set up in under 30 minutes