Afrexai Ai Governance

# AI Governance Policy Builder

Build internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.

## When to Use
- Writing or reviewing internal AI acceptable use policies
- Establishing AI governance committees or review boards
- Mapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)
- Evaluating vendor AI terms and liability clauses
- Preparing board-level AI governance reports

## Governance Policy Framework

### 1. Acceptable Use Policy (AUP)

Every organization running AI needs a written AUP covering:

**Permitted Uses**
- List approved AI tools by department and function
- Define data classification tiers (public, internal, confidential, restricted)
- Map which data tiers can enter which AI systems
- Specify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)

**Prohibited Uses**
- Customer PII in non-SOC2 models without anonymization
- Autonomous financial decisions above $[threshold] without human review
- HR screening/scoring without bias audit documentation
- Any use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)

**Shadow AI Detection**
| Signal | Risk Level | Action |
|--------|-----------|--------|
| API calls to unknown AI endpoints | HIGH | Block + investigate |
| Browser extensions with AI features | MEDIUM | Audit + approve/deny |
| Personal accounts on company devices | MEDIUM | Policy reminder + monitor |
| Exported data to AI training sets | CRITICAL | Immediate review |

### 2. AI Model Selection & Procurement

**Evaluation Scorecard (100 points)**

| Criteria | Weight | What to Check |
|----------|--------|---------------|
| Data residency & sovereignty | 20 | Where is data processed? Stored? Can you choose region? |
| Security certifications | 20 | SOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP |
| Model transparency | 15 | Training data provenance, bias testing, version control |
| Contract terms |...

# AI Governance Policy Builder

Build internal AI governance policies that actually hold up — acceptable use, vendor contracts, compliance mapping, incident response, and board reporting.

Covers EU AI Act, NIST AI RMF, and ISO 42001 frameworks with practical templates you can deploy this week.

## What's Inside

- **Acceptable Use Policy** template with shadow AI detection
- **Model Selection Scorecard** (100-point evaluation)
- **Data Handling Audit** template for every AI integration
- **Regulatory Mapping** — EU AI Act risk categories, NIST RMF, ISO 42001
- **Governance Committee** structure and decision authority matrix
- **Vendor Contract Checklist** — 12 non-negotiable clauses
- **Board Reporting Template** — quarterly AI governance report
- **Incident Response** categories and post-incident review
- **90-Day Implementation Roadmap**

## Who This Is For

CTOs, CISOs, compliance officers, and ops leaders at companies running AI tools without a formal governance framework. Especially relevant if you're in a regulated industry (financial services, healthcare, legal) or selling to enterprise customers who ask about your AI policies.

## Get More

- Full industry context packs ($47 each): https://afrexai-cto.github.io/context-packs/
- AI Revenue Calculator (free): https://afrexai-cto.github.io/ai-revenue-calculator/
- Agent Setup Wizard (free): https://afrexai-cto.github.io/agent-setup/

Built by [AfrexAI](https://afrexai-cto.github.io/context-packs/) — AI operations infrastructure for mid-market companies.