Confidential AI Governance Scorecard

Q1. Complete AI System Inventory: Have you created and maintain a complete, current inventory of all AI systems used across your operations?

Q2. EU AI Act Risk Classification: Have you classified each AI system according to EU AI Act risk categories (High Risk, Limited Risk, Minimal Risk)?

Q3. DORA ICT System Classification: Have you identified which AI platforms constitute critical or important ICT services under DORA requiring operational resilience measures?

Q4. PCF/CF Accountability Documentation: Have you documented which PCF/CF holders are accountable for AI governance, with clear responsibilities mapped to specific AI systems?

Q5. AI Governance Policy Framework: Have you established comprehensive AI governance policies covering permissible use, risk management, human oversight, and regulatory compliance?

Q6. Board and Senior Management Reporting: Does the Board receive regular reports on AI governance, risk management, and compliance status?

Q7. AI Governance Committee or Forum: Have you established a dedicated AI governance committee or forum with appropriate senior representation and clear terms of reference?

Q8. Staff Training Needs Assessment: Have you assessed AI literacy requirements for all staff working with AI systems, based on their roles and the systems they use?

Q9. Training Programme Delivery: Have you delivered AI literacy training to staff, with records of completion and competency assessment?

Q10. Ongoing Competency Maintenance: Have you established processes for maintaining AI literacy through refresher training and competency reassessment?

Q11. Human Oversight Protocols: Have you documented human oversight protocols for high risk AI systems showing when and how humans review AI outputs?

Q12. Explainability Frameworks: Can you explain to members and regulators how your AI systems reach specific decisions affecting individual members?

Q13. Decision Audit Trail: Do you maintain audit trails showing AI inputs, outputs, and human decisions for individual member cases?

Q14. Override and Intervention Records: Do you track when humans override AI recommendations, with documented reasons for intervention?

Q15. Platform Vendor AI Governance Oversight: Have you assessed the AI governance capabilities of platform vendors (core banking, loan origination, fraud detection) and obtained necessary documentation?

Q16. Contractual AI Governance Requirements: Do your contracts with AI platform vendors include specific requirements for transparency, explainability, and regulatory compliance?

Q17. Vendor Incident Management: Have you established processes for identifying and managing AI related incidents involving vendor platforms?

Q18. Board Level AI Literacy and Oversight: Has the Board (including volunteer directors for credit unions) received appropriate AI literacy training enabling effective strategic oversight?

Q19. Board Risk Committee AI Oversight: Does the Board Risk Committee (or equivalent) actively oversee AI related risks with appropriate expertise or external support?

Q20. Strategic AI Governance Decisions: Can the Board demonstrate it makes informed strategic decisions about AI adoption, risk appetite, and resource allocation?

Q21. Resource Appropriate Governance Framework: Have you established an AI governance framework proportionate to your institution's size, resources, and AI system complexity?

Q22. External Expertise Engagement: Where internal expertise is limited, have you engaged appropriate external support for AI governance, risk assessment, or technical evaluation?

Q23. Collaborative Governance Approaches: Have you explored collaborative approaches with peer institutions, sector bodies, or shared service providers to address AI governance requirements efficiently?

Q24. Vulnerable Member Identification: Have you established systematic processes for identifying vulnerable members who may require enhanced protections when AI systems are used in their interactions?

Q25. Enhanced Safeguards for Vulnerable Members: Have you implemented enhanced human oversight, explainability, and intervention protocols for AI decisions affecting vulnerable members?