AI Governance Assessment Guide

An AI governance assessment is a structured evaluation of how an organisation manages the risks, accountability, controls, and oversight of its AI systems. The Veridio assessment scores an organisation against 58 principles across nine domains and produces a Governance Readiness Score, a gap analysis, and a prioritised remediation plan aligned to the EU AI Act, ISO/IEC 42001, NIST AI RMF, and GDPR.

Why governance assessments matter

From August 2026, the EU AI Act applies in full. High-risk AI systems must satisfy obligations across risk management, data governance, technical documentation, transparency, human oversight, and accuracy. Penalties reach 7% of global turnover. Investors increasingly require evidence of AI governance during due diligence; enterprise customers require it in procurement. ISO/IEC 42001, the AI management system standard, has been certifiable since December 2023.

A structured assessment converts a diffuse compliance question (“is our AI governance good enough?”) into a measurable maturity score with a clear remediation path. It surfaces gaps before regulators, investors, or incidents do.

The nine domains of the Veridio framework

The Veridio AI Governance Framework (VAGF) organises 58 principles into nine domains: System Visibility & Classification (D1), Governance & Accountability (D2), Risk & Impact Assessment (D3), Transparency & Explainability (D4), Model Governance & Operational Controls (D5), Data Governance & Management (D6), Human Oversight & Ethical Safeguards (D7), Monitoring, Incident & Lifecycle Management (D8), and Assurance, Audit & Validation (D9).

Principles are grouped into three tiers. Tier 1 covers the 23 foundational principles every organisation deploying AI must address. Tier 2 covers the 27 critical controls expected of organisations operating AI at scale or in regulated contexts. Tier 3 covers the 8 advanced controls required for certification and high-stakes deployments. Domain-by-domain explanations are at veridio.co.uk/resources.

How scoring works

Each principle is scored on a 0–5 maturity scale: 0 (Not Started), 1 (Informal), 2 (Incomplete), 3 (Defined), 4 (Embedded), 5 (Optimised). Principle scores aggregate to domain scores using weighted averages — tier 1 principles weight 1.5x to ensure foundations are credited before advanced controls. Domain scores aggregate to a Governance Readiness Score (GRS).

Two integrity rules apply. Dependency capping: a downstream principle (e.g. monitoring) is capped at the upstream principle (e.g. inventory) plus 1.0 — you cannot meaningfully monitor what you have not catalogued. Minimum-floor capping: a principle is capped at the minimum of its three question scores plus 2.0 — a single weak answer caps the principle, preventing inflation by averaging.
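The aggregation and the two integrity rules above, as an added worked example (this is illustrative code, not Veridio's scoring engine). It assumes a principle's raw score is the mean of its three question scores, that the floor cap is applied before the dependency cap, that dependency chains are acyclic, and that the GRS is the plain mean of domain scores; the principle ids and question scores are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Tier 1 weights 1.5x (from the page); tiers 2 and 3 weight 1.0x.
TIER_WEIGHT = {1: 1.5, 2: 1.0, 3: 1.0}


@dataclass
class Principle:
    pid: str
    domain: str
    tier: int
    questions: list            # three 0-5 question scores
    depends_on: Optional[str] = None   # upstream principle id, if any


def floor_capped(p: Principle) -> float:
    """Minimum-floor capping: a principle cannot exceed its weakest
    question score plus 2.0. Raw score = mean of questions (assumed)."""
    return min(mean(p.questions), min(p.questions) + 2.0)


def score_principles(principles):
    """Apply both integrity rules. The dependency cap (upstream + 1.0)
    is applied after the floor cap, resolving upstream scores first."""
    by_id = {p.pid: p for p in principles}
    scores = {}

    def score(pid):
        if pid not in scores:
            p = by_id[pid]
            s = floor_capped(p)
            if p.depends_on:
                s = min(s, score(p.depends_on) + 1.0)
            scores[pid] = s
        return scores[pid]

    for p in principles:
        score(p.pid)
    return scores


def domain_scores(principles, scores):
    """Weighted average of principle scores within each domain."""
    acc = {}
    for p in principles:
        w = TIER_WEIGHT[p.tier]
        num, den = acc.get(p.domain, (0.0, 0.0))
        acc[p.domain] = (num + w * scores[p.pid], den + w)
    return {d: num / den for d, (num, den) in acc.items()}


def readiness_score(domains) -> float:
    """Governance Readiness Score: plain mean of domain scores (assumed)."""
    return mean(domains.values())


# Constructed sample: weak inventory (P1.1) caps monitoring (P8.1) at 3.67
# even though every monitoring question scored 5; one weak answer in P1.2
# caps it at 3.0 despite two perfect answers.
SAMPLE = [
    Principle("P1.1", "D1", 1, [2, 3, 3]),
    Principle("P1.2", "D1", 2, [5, 5, 1]),
    Principle("P8.1", "D8", 1, [5, 5, 5], depends_on="P1.1"),
    Principle("P8.2", "D8", 3, [3, 3, 3]),
]
```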

Frequently asked

Common questions about AI governance assessments

What is an AI governance assessment?

An AI governance assessment is a structured evaluation of how an organisation manages the risks, accountability, controls, and oversight of its AI systems. It produces a maturity score against a defined framework — for Veridio, this is 58 principles across nine domains — together with a gap analysis and a prioritised remediation plan.

How is AI governance maturity measured?

Maturity is measured by scoring an organisation against each principle in the framework, on a six-point scale from 0 (no structured governance) to 5 (optimised). Principle scores aggregate to domain scores; domain scores aggregate to a Governance Readiness Score (GRS). Veridio uses 1.5x weighting for tier 1 (foundational) principles and 1.0x for tier 2/3 to ensure foundations are in place before advanced controls are credited.

What does the EU AI Act require?

The EU AI Act, fully applicable from August 2026, requires risk-based controls scaled to AI system classification: prohibited practices banned outright, high-risk systems requiring conformity assessment and ongoing risk management (Article 9), data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), accuracy and robustness (Article 15), and fundamental rights impact assessment (Article 27). Limited-risk systems require disclosure (Article 50). Penalties reach 7% of global turnover.

How long does a Veridio AI governance assessment take?

The Veridio Lite quick check takes five minutes and produces an instant snapshot. The Foundational tier (T1) takes 60–90 minutes for one informed respondent. The Growth tier (T2) takes 2.5–4 hours, often spread across multiple stakeholders. The Enterprise tier (T3) takes 4–6 hours and typically involves coordination across legal, security, engineering, and operations.

Who in an organisation should complete the assessment?

For Foundational, a single AI-aware leader (CTO, Head of Risk, or Head of Compliance) can complete it. For Growth and Enterprise, a coordinated effort works best: legal/compliance for policy and disclosure principles, engineering for model and data principles, security for access and incident principles, and an executive sponsor (CEO, COO, General Counsel) to confirm governance and accountability.

What is included in the assessment report?

Every Veridio assessment produces a PDF report with: an executive summary; the Governance Readiness Score with maturity-level interpretation; per-domain scores and ranking; per-principle scoring with current state and target state; a prioritised remediation plan; recommended templates for each gap; and a regulatory alignment view mapping scores to EU AI Act, ISO/IEC 42001, NIST AI RMF, and GDPR requirements.

How does the Veridio framework relate to ISO/IEC 42001 and NIST AI RMF?

The Veridio framework consolidates control expectations from the EU AI Act, ISO/IEC 42001 (AI management system standard), NIST AI Risk Management Framework, GDPR, OECD AI Principles, and 8+ further instruments. Each Veridio principle maps to the corresponding requirements in those frameworks, so a single assessment produces evidence aligned to multiple regimes.

What is the difference between a self-assessment and a professional assessment?

Veridio is a self-assessment: respondents complete it themselves with structured guidance and scoring rubrics. Professional governance assessments by consulting firms typically cost £7,500 to £50,000+ and provide independent validation of the same evidence. Many organisations use the Veridio self-assessment to prepare and structure evidence before engaging a professional auditor.

How is investor due diligence different from a standard assessment?

The Veridio Investor Due Diligence assessment (£1,500 +VAT) uses 111 questions across 37 principles, focused on controls that materially affect investment risk: regulatory exposure, intellectual property, data provenance, and incident history. It produces an investor-focused report with risk-weighted findings, recommended deal conditions, and a 90-day / 6-month / 12-month post-investment governance roadmap.

What happens after the assessment is complete?

You receive the PDF report and dashboard access. The remediation plan identifies the highest-impact gaps to close first; for each gap, the report recommends specific Veridio templates that address it. Many organisations re-assess annually to track maturity progression and demonstrate improvement to investors and regulators.