Enterprise AI audits no longer ask whether governance documentation exists. They ask whether governance enforcement is demonstrable. The distinction between these two questions separates organizations that pass audits from organizations that generate findings.
Auditors, risk committees, and regulatory bodies have converged on a single evidentiary standard: show that governance controls execute deterministically in production — before state mutation, not after. Policy documents describe intent. Enforcement artifacts prove execution. SOC 2 AI trust criteria, ISO 42001 management system requirements, and EU AI Act compliance obligations all require evidence of runtime enforcement. None accept documentation alone.
This checklist maps the four-layer enforcement stack to specific audit evidence requirements. Each item is a verification question. A "no" answer is a governance gap. The checklist is structured to function as both a self-assessment instrument and an auditor-facing evidence guide.
Related: AI Governance Consulting: A Practical Framework for Runtime Enforcement (/insights/ai-governance-consulting) provides the full architectural context for each enforcement layer referenced below.
Layer 1 Checklist: Authority Gate Controls
The Authority Gate is the first enforcement point in the runtime governance stack. It evaluates whether execution authority exists before any state mutation proceeds. Every question in this section maps to pre-execution attestation — the enforcement mechanism that SOC 2 AI trust criteria and ISO 42001 both require as evidence of governance control.
Is every AI execution path gated by authority evaluation before state mutation? Authority evaluation must occur deterministically — before the action executes, not as a post-hoc review. If any execution path bypasses the authority gate, the entire enforcement stack is compromised at its foundation.
Is the default execution state denial? Fail-closed configuration means that when authority cannot be verified, execution halts. Fail-open configurations — where execution proceeds unless explicitly blocked — are the single most common audit finding in enterprise AI deployments.
Are tool invocations constrained by allow-lists enforced external to the model? Allow-lists must be enforced by infrastructure external to the AI system. Model-level restrictions (system prompts, fine-tuning) are not enforcement — they are suggestions that the model can circumvent through prompt injection, context manipulation, or behavioral drift.
Is there pre-execution attestation for every state-mutating action? Attestation must be cryptographically verifiable and captured before the mutation executes. Post-execution logging does not satisfy this requirement. The attestation record must prove: what action was requested, what authority was evaluated, what policy was applied, and whether execution was permitted or denied.
Does the authority gate enforce scope boundaries on tool parameters? Authority evaluation must extend beyond whether a tool can be invoked to what parameters the tool receives. An authorized tool invoked with unauthorized parameters produces the same blast radius as an unauthorized tool invocation.
Layer 2 Checklist: Mutation Attestation
The Mutation Attestation layer captures cryptographic proof of every state change. This is the evidence layer — the enforcement artifacts that auditors examine when evaluating whether governance controls are operative. The distinction between logs and receipts is the distinction between observation and proof.
Are state changes cryptographically attested with tamper-evident records? Attestation must use cryptographic methods that prevent retroactive modification. Standard application logs fail this requirement because they can be edited, truncated, or deleted. Receipts must be append-only and cryptographically chained.
Is the receipt ledger append-only and tamper-evident? The ledger architecture must prevent deletion or modification of existing records. Append-only constraints must be enforced at the infrastructure level, not the application level. Database-level append-only guarantees differ from application-level write restrictions — auditors evaluate the infrastructure constraint.
Can you prove who authorized what, when, under what policy? Each receipt must contain: the identity of the requesting entity, the authority evaluation result, the policy version applied, the timestamp, the action taken, and the outcome. This chain of evidence satisfies non-repudiation requirements across SOC 2 AI, ISO 42001, and EU AI Act.
Do receipts satisfy non-repudiation requirements for your compliance obligations? Non-repudiation means the authorizing entity cannot credibly deny having authorized the action. This requires cryptographic binding between the authority evaluation and the mutation record. Logs that record events without cryptographic binding do not satisfy non-repudiation.
Is receipt capture integrated into the enforcement pipeline or bolted on as telemetry? Receipts captured as a side-effect of execution (telemetry) can miss events, arrive out of order, or fail silently. Receipts integrated into the enforcement pipeline are captured as a prerequisite for execution — the mutation does not proceed until the receipt is committed.
Related: SOC 2 AI Controls — What Auditors Actually Require (/insights/soc-2-ai-controls) details how the logs-versus-receipts distinction maps to specific audit evidence standards.
Layer 3 Checklist: Behavioral Drift Controls
The Behavioral Drift layer enforces containment across time. Autonomous systems do not fail at a single transaction — they fail through gradual deviation from intended behavior patterns across sessions, days, and weeks. Drift Guard controls detect and contain this deviation before it compounds into audit-grade failures.
Are evaluation pass rates monitored over rolling windows? Single-transaction evaluations miss drift. Rolling window analysis — tracking pass rates over 7-day, 14-day, and 30-day windows — detects gradual degradation that per-transaction monitoring cannot identify. The rolling window interval must be calibrated to the workflow's execution frequency.
Are guardrail trigger frequencies tracked and alerted? Increasing guardrail trigger frequency is a leading indicator of behavioral drift. If guardrails fire 2% of the time in baseline operation and 8% after two weeks, the model is drifting toward the guardrail boundaries. This metric must be tracked as a time series, not a point-in-time snapshot.
Do drift thresholds trigger automated enforcement actions? Detection without enforcement is monitoring, not governance. When drift metrics breach warning thresholds, automated enforcement must engage: deployment freeze, governance lead escalation, workflow quarantine, regression test gate activation. The enforcement action must be deterministic — triggered by the threshold, not by human judgment.
Is there evidence of containment actions taken when drift is detected? Auditors require evidence that enforcement actions executed — not just that monitoring detected an anomaly. Containment records must show: what metric breached, what threshold was crossed, what enforcement action fired, what the outcome was, and when normal operation resumed.
Are adaptive baselines maintained for drift detection? Static thresholds fail because normal operational patterns change with workflow modifications, data distribution shifts, and seasonal variation. Adaptive baselines recalibrate acceptable ranges based on recent operational data while maintaining hard floors that cannot be adapted below minimum governance standards.
Related: AI Drift Detection — How to Monitor Behavioral Deviation in Production (/insights/ai-drift-detection) provides the full drift monitoring architecture including threshold calibration and enforcement action design.
Layer 4 Checklist: Execution Substrate Isolation
The Execution Substrate layer enforces physical isolation at the infrastructure level. If an AI system can route itself to unauthorized resources, governance is compromised regardless of what the upper layers enforce. Capability must be removed at the infrastructure level — not restricted at the application level.
Are AI workloads isolated at the infrastructure level? Isolation must be enforced by infrastructure — network segmentation, separate compute environments, dedicated execution substrates. Application-level isolation (API restrictions, permission checks within the AI runtime) is insufficient because the AI system operates within the same trust boundary it is supposed to be constrained by.
Are tool boundaries enforced by capability removal, not restriction? Restriction means the capability exists but is blocked by a rule. Removal means the capability does not exist in the execution environment. Restriction can be circumvented — through prompt injection, parameter manipulation, or privilege escalation. Removal cannot be circumvented because the attack surface does not exist.
Is there network segmentation between AI execution environments and production systems? AI workloads that share network access with production databases, internal APIs, or third-party services present an unbounded blast radius. Network segmentation must enforce that AI execution environments can only reach explicitly authorized endpoints through gateway-mediated connections.
Can an AI workflow route itself to unauthorized resources? This is the substrate integrity test. If an AI system can discover and connect to resources not explicitly provisioned for its workflow, the substrate is not isolated. Discovery and connection must both be impossible — not just unauthorized.
Are execution environment configurations version-controlled and auditable? Substrate configurations must be treated as enforcement artifacts. Changes to network rules, capability provisioning, and isolation boundaries must be version-controlled, reviewed, and auditable. Configuration drift at the substrate level is as dangerous as behavioral drift at the model level.
Cross-Cutting: Incident Response and Evidence Capture
Incident response for AI systems requires procedures that account for autonomous execution dynamics. Traditional incident response assumes human-initiated actions with bounded blast radius. Agentic systems can execute dozens of state mutations before detection — containment must be automated, not dependent on human response cycles.
Is there a documented AI incident response playbook with severity classification? The playbook must classify incidents by severity: P1 (unauthorized state mutation with financial or compliance impact), P2 (tool misuse or policy violation without external exposure), P3 (quality degradation detected by monitoring), P4 (anomaly detected, no impact confirmed). Each severity level must map to specific containment procedures, escalation paths, and evidence capture requirements.
Are incidents classified with specific response procedures for each severity? Classification without procedure is taxonomy, not response. Each severity level must define: who is notified, what containment actions execute automatically, what manual containment steps are required, what evidence must be captured, and what the timeline for resolution and post-incident review is.
Is evidence captured during containment, not after? Evidence captured after containment may be incomplete or corrupted by the incident itself. The enforcement pipeline must capture state at the moment of detection: active sessions, pending mutations, tool invocation queue, authority evaluation state, and drift metrics. This evidence capture must be integrated into the containment procedure.
Are post-incident reviews conducted and documented with enforcement stack gap mapping? Every AI incident maps to an enforcement layer gap. Policy citation mismatch maps to Authority Gate deficiency. Escalation loops map to Drift Guard gaps. Prompt injection maps to Substrate isolation weakness. Post-incident reviews must identify the layer failure and produce remediation actions that strengthen the specific enforcement point.
Related: AI Incident Response — Containment Procedures for Autonomous System Failures (/insights/ai-incident-response) provides the full incident response architecture including severity classification and containment procedures.
Using This Checklist
Run this checklist against your highest-risk AI workflow first. Highest-risk is defined by blast radius: the workflow with the greatest potential for irreversible state mutation, financial impact, regulatory exposure, or operational disruption.
Any "no" answer is a governance gap. Governance gaps are not findings — they are exposure. The difference is response timeline. Findings require remediation within audit cycles. Exposure requires remediation before the next incident.
Prioritize gaps by layer position. Layer 1 (Authority Gate) gaps are foundational — they compromise every layer above. Layer 4 (Substrate) gaps are structural — they cannot be compensated by upper-layer enforcement. Layer 2 and 3 gaps are operational — they can be addressed incrementally while the foundational and structural layers are hardened.
Map each gap to the compliance framework requirements that apply to your organization. SOC 2 AI trust criteria, ISO 42001 management system controls, and EU AI Act high-risk system requirements each map to specific items in this checklist. The mapping determines both the remediation priority and the evidence format required.
Related: ISO 42001 vs NIST AI RMF — Which Framework Fits Your Organization (/insights/iso-42001-vs-nist-ai-rmf) provides the framework comparison for determining which compliance mapping applies to your deployment.
When to Run a Readiness Scan
This checklist identifies gaps. A Readiness Scan operationalizes the findings into an actionable governance roadmap. The Readiness Scan takes 30 minutes and produces four deliverables: a control-plane gap map identifying enforcement layer weaknesses across your AI workflows, a failure-mode heatmap showing where each production failure mode is most likely to occur, an evidence checklist mapping your compliance obligations to specific enforcement artifacts, and a prioritized 30/60/90 hardening plan sequencing remediation from highest-blast-radius gaps to operational refinements.
Organizations that run this checklist internally and find gaps in more than two layers are operating with structural governance exposure. The Readiness Scan converts that exposure assessment into a remediation plan with specific enforcement improvements, evidence capture mechanisms, and compliance mapping.
Schedule a Readiness Scan at /readiness-scan — convert this checklist into an actionable governance roadmap.