14 platform capabilities — built for TRAIGA governance

Everything your AI governance program needs — out of the box

From AI system inventory to board-ready reports, Risk Meridian's platform covers every step of the AI governance lifecycle required by TRAIGA — for small & medium businesses, healthcare organizations, enterprises, and government contractors.

01 Core

AI System Inventory

The central registry for every AI system your organization uses or builds.

The AI System Inventory is the foundational module of the Risk Meridian platform. Every governance workflow — risk review, control tracking, disclosure generation, and board reporting — begins with a registered AI system. Without a complete inventory, there is no governance.

Risk Meridian's registry supports internal AI systems, third-party AI tools, vendor-provided AI services, and healthcare clinical AI systems. Each record captures the full governance profile required by the Texas Responsible AI Governance Act: system purpose, ownership, vendor information, deployment type, risk indicators, and healthcare-specific clinical use fields.

The inventory is always current. Status, risk classification, control completion, and next review date are updated in real time as governance activities are completed. Archived systems are retained for audit history but do not consume plan limits.

💡 Most organizations complete their first AI system registration in under 2 minutes.

What's included

AI System Inventory capabilities

  • Structured registration for internal, third-party, and clinical AI systems
  • 14 risk indicator fields including biometric data, patient-facing, and consequential decision flags
  • Healthcare-specific fields: clinical decision support, diagnosis, treatment planning, documentation (no PHI will be entered or retained)
  • Owner, department, and vendor contact tracking
  • Configurable review frequency per system (Annual / Semi-Annual / Quarterly / Monthly)
  • Next review date auto-calculation with email reminders
  • Archive / restore with full audit trail
  • Plan-enforced active system limits (10 / 20 / 30 / Unlimited)
02 Core

Risk Scoring Engine

Deterministic, auditable risk classification for every AI system.

The Risk Meridian risk scoring engine performs a structured evaluation of AI system risk factors and produces a deterministic risk classification: LOW, MODERATE, or HIGH. Unlike AI-generated risk assessments, Risk Meridian's scoring is fully auditable — every classification can be traced back to the specific questionnaire answers that produced it.

The questionnaire covers seven risk categories: data sensitivity, decision impact, oversight mechanisms, system maturity, operational context, healthcare-specific factors, and vendor risk. Scores are normalized to a 0–100 scale and mapped to risk bands. Hard floors ensure certain combinations of answers always produce a minimum risk level regardless of other factors.

Risk classification drives everything downstream. The control library is seeded from the risk profile. Disclosure requirements are determined by risk level. Board reporting flags are set automatically for HIGH systems. Regulatory framework readiness indicators are assessed against the risk output.

💡 Risk classification is deterministic and auditable — regulators and auditors can verify every score.

What's included

Risk Scoring Engine capabilities

  • Structured 7-category risk questionnaire
  • Deterministic scoring — same inputs always produce the same output
  • Three risk bands: LOW / MODERATE / HIGH
  • Hard floor rules for clinical AI, biometric data, and consequential decisions
  • Full audit trail linking each classification to its questionnaire answers
  • Risk review history with version comparison
  • Re-assessment triggers when system attributes change
  • Risk level visible in the AI Systems Registry at a glance
03 Core

Control Auto-Creation

Governance controls generated automatically from your risk profile.

Manual control mapping is one of the most time-consuming parts of any governance program. Risk Meridian eliminates it. When a risk review is completed, a rules engine evaluates the risk factors and automatically creates the applicable governance controls from the TRAIGA-aligned control library.

Controls are categorized across seven domains: human oversight, data governance, model documentation, incident response, vendor management, disclosure, and executive oversight. Each control includes a description, implementation guidance, evidence requirements, and a target completion date based on risk level.

Compliance users can update control status (Not Started / In Progress / Complete / Waived / Overdue), attach evidence notes, and track completion progress. The dashboard shows aggregate control completion as a percentage. Overdue controls are flagged automatically and surfaced in the governance maturity score calculation.

What's included

Control Auto-Creation capabilities

  • Auto-creation of controls from risk review output — no manual mapping
  • Seven control categories: human oversight, data governance, model docs, incident response, vendor, disclosure, executive oversight
  • Implementation guidance and evidence requirements per control
  • Status tracking: Not Started / In Progress / Complete / Waived / Overdue
  • Target completion dates based on risk level
  • Waiver workflow with documented justification
  • Control completion % surfaced on the dashboard
  • Overdue controls flagged and included in governance maturity scoring
04 TRAIGA Required

Disclosure Generator

Auto-generate TRAIGA-compliant AI disclosure statements in seconds.

The Texas Responsible AI Governance Act requires organizations to generate and maintain AI disclosure statements for covered systems. Writing these manually for every AI system is slow, inconsistent, and prone to missing required fields. Risk Meridian's Disclosure Generator automates the entire process.

Disclosure statements are generated from merge-field templates populated with your AI system registry data and risk review outputs. The resulting statements are formatted to meet TRAIGA's disclosure requirements — system purpose, risk classification, oversight mechanisms, contact information, and review date.

Generated disclosures can be exported to PDF, copied to clipboard for embedding in public-facing documentation, or stored as governance artifacts within the platform. Every disclosure is versioned and timestamped as part of the immutable audit trail.

💡 TRAIGA requires public AI disclosures for covered systems. Generate yours in seconds, not days.

What's included

Disclosure Generator capabilities

  • Merge-field template populated from registry + risk review data automatically
  • TRAIGA-compliant disclosure format out of the box
  • Export to PDF or copy to clipboard
  • Versioned — every generated disclosure is retained in audit history
  • Timestamped creation and approval records
  • Supports multiple disclosure types per system
  • Included in the Governance Report Pack export
05 TRAIGA Required

Policy Generator

Generate editable AI governance policies — no starting from scratch.

A complete AI governance program requires documented policies covering data use, model oversight, human review requirements, incident response, and vendor AI management. Writing these from scratch is a governance project in itself. The Policy Generator provides pre-built policy templates that are populated from your registry data and exported as editable documents.

Policy templates cover the core governance domains required by TRAIGA: AI Use Policy, AI Risk Management Policy, AI Incident Response Policy, AI Data Governance Policy, and Vendor AI Policy. Each template includes the required sections, placeholder language for organization-specific details, and guidance notes for compliance teams.

Policies are exportable to PDF for inclusion in your governance documentation package, or shareable as internal governance artifacts. Generated policies are versioned and retained in the audit trail.

What's included

Policy Generator capabilities

  • Pre-built templates for 5 core AI governance policy types
  • Template language aligned to TRAIGA requirements
  • Editable after generation — customize to your organization
  • Export to PDF for governance documentation packages
  • Version history retained in the audit trail
  • Guidance notes for compliance teams embedded in templates
  • Included in Governance Report Pack
06

Incident Log

Track, investigate, and resolve AI incidents with a structured workflow.

AI systems fail in ways that are often invisible until the impact is felt — a model producing biased outputs, a clinical decision tool providing incorrect guidance, a hiring algorithm flagging protected class proxies. The Risk Meridian incident log gives organizations a structured workflow for capturing, investigating, and resolving these events.

Incidents are classified by severity (Critical / High / Medium / Low) and tracked through a defined resolution workflow: Open → Investigating → Resolved → Closed. Each incident record captures the affected AI system, incident description, severity, assigned investigator, resolution notes, and closure date.

The incident log is fully integrated with the AI system registry — every incident is linked to the system that produced it. Incident history informs future risk reviews and is included in governance report exports. Open incidents are surfaced prominently on the governance dashboard.

What's included

Incident Log capabilities

  • Structured incident submission linked to registered AI systems
  • Four severity levels: Critical / High / Medium / Low
  • Workflow: Open → Investigating → Resolved → Closed
  • Investigator assignment and resolution notes
  • Incident history surfaced during risk re-assessments
  • Open incident count on the governance dashboard
  • Included in Governance Report Pack exports
  • Full audit trail for every status change
07 TRAIGA Required

Executive Certifications

Formal, timestamped attestations from organizational leadership.

Many AI governance frameworks — including TRAIGA — require formal attestation from organizational leadership that the AI governance program has been reviewed and certified. The Risk Meridian Executive Certifications module provides a structured workflow for collecting, storing, and presenting these attestations.

Certifications capture the certifying executive's name, title, and attestation date. They are stored immutably — once created, a certification record cannot be altered. This immutability is critical for regulatory purposes: it provides a verifiable record that leadership reviewed and approved the governance program at a specific point in time.

Certification status is surfaced on the governance dashboard and included in the Governance Report Pack. The certification module also supports a certification expiry workflow, alerting administrators when re-certification is due based on the configured review cadence.

What's included

Executive Certifications capabilities

  • Structured certification workflow for organizational leadership
  • Captures certifier name, title, attestation scope, and timestamp
  • Immutable records — certifications cannot be altered after creation
  • Certification status displayed on the governance dashboard
  • Expiry alerts based on configured review cadence
  • Included in Governance Report Pack for auditors and regulators
  • Supports multiple certifications across review periods
08

Review Scheduling

Configurable review cadence with automated reminders — no governance gaps.

AI systems are not static. Models change, use cases expand, regulations evolve, and risk profiles shift. Risk Meridian's Review Scheduling module ensures AI systems are re-assessed on a structured cadence — and that nobody misses a due date.

Each AI system has a configurable review frequency: Annual, Semi-Annual, Quarterly, or Monthly. The platform calculates the next review due date automatically when a risk review is completed, and triggers email reminders to the system owner and administrators as the due date approaches.

Systems approaching or past their review due date are surfaced prominently on the governance dashboard. Overdue reviews are flagged in the governance maturity score calculation. The review schedule is also visible in Governance Report Pack exports, demonstrating to regulators that a structured oversight cadence is in place.

What's included

Review Scheduling capabilities

  • Per-system review frequency: Annual / Semi-Annual / Quarterly / Monthly
  • Auto-calculated next review due date on risk review completion
  • Email reminders to system owner and org admins as due date approaches
  • Overdue review dashboard alerts
  • Review cadence included in Governance Report Pack
  • Overdue reviews factored into governance maturity score
  • Review history with full version audit trail
09

Governance Maturity Score

A normalized 0–100 score measuring the completeness of your AI governance program.

Governance programs are hard to measure. The Risk Meridian Governance Maturity Score provides a normalized 0–100 score that reflects the overall completeness of your organization's AI governance program — giving leadership a single number to track over time and benchmark against expectations.

The score is calculated across five dimensions: AI system inventory completeness, risk review coverage, control completion rate, documentation completeness (disclosures, policies, certifications), and incident response timeliness. Each dimension is weighted and contributes proportionally to the composite score.

The Maturity Score is displayed prominently on the governance dashboard and updated in real time as governance activities are completed. Score trends over time help organizations demonstrate continuous improvement — a factor that regulators and auditors increasingly look for alongside point-in-time compliance documentation.

💡 Score trends over time demonstrate continuous improvement — increasingly important to AI regulators.

What's included

Governance Maturity Score capabilities

  • Normalized 0–100 composite score
  • Five weighted dimensions: inventory, risk reviews, controls, documentation, incidents
  • Real-time updates as governance activities are completed
  • Score trend over time — track program improvement
  • Score interpretation bands: Developing / Established / Mature / Advanced
  • Displayed on governance dashboard and in board reports
  • Overdue reviews and controls reduce score automatically
10

Framework Readiness

Per-system readiness indicators across every major AI regulation.

Knowing which regulatory frameworks apply to each AI system — and how ready that system is for governance — is one of the most complex parts of AI governance. Risk Meridian's Framework Readiness module provides per-system readiness indicators across all supported frameworks, so organizations can see their exposure at a glance.

For each AI system, the platform evaluates readiness across TRAIGA, EU AI Act, Colorado AI Act, NIST AI RMF, and ISO 42001. Readiness is determined by comparing the system's documented governance state against each framework's requirements. The result is a traffic-light indicator: Ready, Partial, or Gap.

Framework Readiness indicators are displayed on each AI system's detail page and aggregated in a dashboard widget showing organization-wide readiness across all frameworks. This enables compliance teams to prioritize remediation where gaps exist before a regulator makes the same observation.

What's included

Framework Readiness capabilities

  • Per-system readiness indicators: Ready / Partial / Gap
  • Five frameworks covered: TRAIGA, EU AI Act, Colorado AI Act, NIST AI RMF, ISO 42001
  • Organization-wide readiness summary on the dashboard
  • Readiness determined from existing governance data — no extra input required
  • Gap identification with remediation guidance
  • Framework readiness included in Governance Report Pack
11

Governance Report Pack

One-click export of your complete AI compliance documentation package.

When a regulator, auditor, or board member asks for your AI governance documentation, you need to be able to produce a complete, organized, and current package immediately. The Risk Meridian Governance Report Pack is that package — generated on demand from the live state of your governance program.

The Report Pack includes: AI System Inventory, Risk Assessment Summary, Control Completion Report, AI Disclosure Statements, Generated Policies, Incident Log, Executive Certifications, Framework Readiness Assessment, Governance Maturity Score, and Audit Trail. Every document is current as of the generation timestamp.

Report Packs are generated as structured PDF bundles, organized with a table of contents for regulator and auditor review. They can be generated at any time — monthly for internal review, quarterly for board reporting, or on-demand for regulatory inquiries.

💡 Produce your complete AI governance documentation package in one click. No manual assembly.

What's included

Governance Report Pack capabilities

  • One-click generation from live governance data
  • 10 document types in a single organized PDF bundle
  • Table of contents for regulator and auditor navigation
  • Generation timestamp on every report for currency verification
  • Report history retained — past packs are accessible for audit comparison
  • Configurable scope: all systems or selected systems
  • On-demand generation — no scheduling required
12 Healthcare

Board AI Governance Report

Non-technical AI governance summaries designed for hospital and enterprise boards.

Hospital boards and enterprise executive committees increasingly have AI oversight responsibilities. Risk Meridian's Board AI Governance Report is a purpose-built, non-technical governance summary that gives boards what they need to fulfill those responsibilities — without requiring them to parse technical documentation.

The report presents governance program status in clear, accessible language: total AI systems by risk level, governance maturity score, open incidents, control completion progress, upcoming review obligations, and framework readiness summary. It is designed to answer the questions a board member or CEO would ask about the organization's AI governance posture.

Board reports are generated on a configurable cadence (Quarterly or Annual) and can be presented directly from the platform or exported to PDF for inclusion in board meeting packs. Healthcare organizations use them to meet the emerging board-level AI oversight expectations from CMS, The Joint Commission, and state health regulators. No PHI will be entered or retained.

What's included

Board AI Governance Report capabilities

  • Non-technical language — designed for board members, not compliance teams
  • Governance summary: systems by risk, maturity score, incidents, controls
  • Framework readiness summary suitable for board-level discussion
  • Upcoming governance obligations and review schedule
  • PDF export for board meeting documentation
  • Configurable generation cadence: Quarterly or Annual
  • Healthcare-specific language, HIPAA alignment, and CMS / Joint Commission alignment
13

Immutable Audit Trail

Append-only, partitioned audit log for every governance action.

An AI governance program without an auditable history is not a governance program — it is a snapshot. Risk Meridian's immutable audit trail records every governance action from the moment a system is registered: every field change, every risk review submission, every control status update, every disclosure generation, every policy creation, every certification, and every incident lifecycle event.

The audit log is append-only by design. Records cannot be altered or deleted. This immutability is a core architectural guarantee, not a UI convention. The log is partitioned by quarter for query performance at scale, designed to remain performant as organizations accumulate years of governance history.

Auditors with the `auditor` role have dedicated read-only access to the complete audit log — they can review the full history of any AI system or governance action without access to live operational data. The audit trail can also be exported as part of the Governance Report Pack.

💡 Immutability is architectural, not a UI setting. Every governance action is permanently recorded.

What's included

Immutable Audit Trail capabilities

  • Append-only — no record can be altered or deleted after creation
  • Every governance action captured: field changes, reviews, controls, disclosures, incidents
  • Quarterly partitioning for query performance at scale
  • Dedicated auditor role with read-only audit log access
  • Per-system and org-wide audit log views
  • Exportable as part of the Governance Report Pack
  • Timestamped with user attribution for every event
14

Vendor AI Register

Track third-party AI systems and vendor governance documentation.

Most organizations use far more vendor-provided AI than internally-built AI. Chatbots, hiring tools, clinical decision support, fraud detection — these third-party systems carry governance obligations just as internal systems do. Risk Meridian's Vendor AI Register tracks third-party AI systems and the governance documentation their vendors have provided.

The register captures vendor name, contact, AI system description, vendor-provided governance documentation, risk classification, and oversight mechanisms. It surfaces which vendors have demonstrated governance programs in place and which have documentation gaps requiring follow-up.

Vendor AI systems in the register are fully integrated with the platform — they receive risk reviews, generate controls, appear in the Governance Report Pack, and contribute to framework readiness assessments. Vendor governance is not a silo; it is part of the organization's complete AI governance program.

What's included

Vendor AI Register capabilities

  • Vendor name, contact, and AI system documentation fields
  • Risk classification for third-party AI systems
  • Vendor governance documentation tracking
  • Integrated with risk reviews, controls, and reporting modules
  • Gap identification for vendors with missing governance documentation
  • Included in Governance Report Pack vendor section

Regulatory frameworks

Multi-framework AI compliance from one platform

Risk Meridian's platform features are pre-configured for the Texas Responsible AI Governance Act, with the architecture designed to extend to additional frameworks without workflow changes.

Framework: Texas Responsible AI Governance Act (TRAIGA)
Status: ✅ Supported
Key features covered: AI System Inventory, Risk Scoring, Disclosure Generator, Policy Generator, Executive Certifications, Governance Report Pack

Framework: EU AI Act
Status: Roadmap
Key features covered: Risk Classification, Technical Documentation, Human Oversight Controls, Incident Reporting, Conformity Assessment

Framework: NIST AI Risk Management Framework (AI RMF)
Status: Roadmap
Key features covered: AI System Inventory, Risk Governance, Map / Measure / Manage / Govern Functions, Maturity Profiling

Framework: Colorado AI Act
Status: Roadmap
Key features covered: High-Risk AI Identification, Impact Assessments, Consumer Disclosure, Developer Obligations

Framework: ISO 42001
Status: Roadmap
Key features covered: AI Management System, Risk Assessment, Control Framework, Documentation Requirements

All 14 features. One platform. TRAIGA-aligned from day one.

Start your AI governance program today — starting at $79/month. Register your first AI system, run your first risk review, and generate your first TRAIGA-aligned disclosure in a single session.
