Before deploying AI to production, risk and compliance teams need evidence of controls. Here is what they typically require:

**1. Risk Register**
- Identified failure modes with likelihood and impact scores
- Mapped controls for each risk
- Residual risk acceptance criteria

**2. Evaluation Infrastructure**
- Documented test suites with coverage metrics
- Automated regression testing in CI/CD
- Human review sampling procedures

**3. Access Controls**
- Model access logging
- Prompt and response audit trails
- Data handling procedures

**4. Escalation Procedures**
- Clear criteria for human handoff
- Response time SLAs
- Escalation chain documentation

**5. Incident Response**
- Defined severity levels
- Notification procedures
- Rollback capabilities

**6. Monitoring & Alerting**
- Performance dashboards
- Drift detection alerts
- Anomaly notifications

**7. Evidence Capture**
- Audit trail retention
- Decision logging
- Compliance reporting

This checklist is not exhaustive—requirements vary by industry and jurisdiction. But having documented answers to these questions is the minimum for enterprise AI deployment.