- AI System Development, Data & Deployment Gate — Regulatory · 11 steps
Run the release board gate that every new AI system and substantial modification must clear before deployment. The gate approves responsible-AI objectives and per-system requirements before build, governs training, validation, and test data with bias mitigation, executes the pre-deployment impact assessment and EU AI Act risk classification, confirms Annex IV-grade technical documentation, and records verification, validation, and deployment sign-off, with retraining and other changes re-entering the same gate. - AI Transparency & Value-Chain Communications — Regulatory · 11 steps
Run the recurring AI-transparency cycle: keep each AI system's user and deployer documentation, AI-interaction disclosures, and AI-generated-content marking (including deepfakes) current with system changes, and retain distribution evidence. Evaluate AI suppliers against the organization's responsible-AI requirements and review customer needs and communications so customers have what they need to use the systems responsibly. - DPIA / Privacy Impact Assessment — Regulatory · 9 steps
Screen a processing activity and, where required, run the full DPIA: necessity, privacy risks, mitigations, residual-risk decision, and sign-off. - DSAR Fulfillment (Access & Deletion Requests) — Regulatory · 9 steps
Fulfill a data-subject access or deletion request inside the statutory deadline: verify identity, locate data, apply exemptions, review, and deliver. - EU AI Act Obligation Impact Analysis — Regulatory · 26 steps
Parse EU AI Act obligations, map affected AI use cases, crosswalk controls, flag conformity gaps, and hand high-risk items to AIMS. - GPAI Model Provider Compliance Cycle — Regulatory · 12 steps
Run the recurring compliance cycle owned by providers of general-purpose AI models: maintain model technical documentation and the downstream-provider information pack, operate the EU copyright reservation-of-rights policy, and publish the training-content summary on every model release and quarterly refresh. For models designated as posing systemic risk, the cycle additionally runs state-of-the-art model evaluations with adversarial testing, assesses and mitigates systemic risks, tracks and reports serious incidents to the AI Office, and verifies cybersecurity protection of the model and its infrastructure. - Legal & Regulatory Compliance Register Evaluation — Regulatory · 11 steps
Run the compliance office's recurring register-evaluation cycle: maintain the register of applicable legal, regulatory, and contractual requirements — including intellectual-property and software-licensing obligations — with named owners, evaluate compliance with each requirement on its defined cadence through documented reviews, and drive remediation of non-compliance with status reported to management, keeping the register and evaluation results retained as evidence. - Personal Data Quality & De-identification — Regulatory · 10 steps
Run the recurring PII data-hygiene cycle: check personal data for accuracy, relevance, timeliness, and completeness, correct or delete failing records and notify recipients, execute individual correction requests, and de-identify data where full identifiers are not required. - Privacy Breach Assessment & Notification — Regulatory · 12 steps
Assess a personal-data breach handed off from incident response: scope the exposure, decide notifiability against GDPR, US state, and HIPAA clocks, notify regulators and affected individuals on time, and close with a defensible breach-register entry. - Privacy Program Operations (Consent, Complaints & Sharing) — Regulatory · 9 steps
Run the privacy program's recurring operations: capture and honor consent and preferences, resolve privacy complaints with an accounting of disclosures, and govern data-sharing agreements. - Privacy Safeguards & Notice Management — Regulatory · 10 steps
Run the privacy office's periodic program cycle: maintain the inventory of statutory, regulatory, and contractual privacy requirements, confirm PII-protection accountability, verify that administrative, technical, and physical safeguards remain appropriate to the data held, remediate gaps, and keep external privacy notices and required registrations accurate to actual processing and delivered at the point of collection. - Regulatory Compliance Attestation Cycle — Regulatory · 23 steps
Compile evidence for a regulation or obligation set, resolve gaps, route officer certification, and archive the attestation package. - Regulatory Exam & External Audit Management — GRC · Regulatory · 16 steps
Manage a live regulator exam or external audit from notification intake through request fulfillment, QC'd evidence release, fieldwork support, findings response, and commitment closure. - Regulatory Horizon Scanning & Triage — Regulatory · 13 steps
Ingest regulator publications, classify applicability, assign owners, and route relevant changes into impact analysis. - Regulatory Impact Analysis & Obligation Mapping — Regulatory · 23 steps
Parse regulatory changes into obligations, map them to policies and controls, identify gaps, and hand confirmed gaps to implementation. - Regulatory Obligation Implementation — Regulatory · 22 steps
Implement a new or changed regulatory obligation from gap analysis through policy update, control design, process operationalization, and coverage validation. - Third-Party ICT Vendor Regulatory Assurance — Regulatory · 23 steps
Assess third-party and ICT vendor regulatory obligations, gaps, remediation, and register updates for DORA, FFIEC, and related regimes.