A policy on the shelf
is worse than no policy.

This assessment evaluates the written governance instruments that are supposed to govern your AI use, the policies, standards, and procedures. It tests them on six dimensions: existence, coherence, compliance, coverage, enforceability, and alignment to practice. A policy that exists but is unenforced, contradictory, or ignored is worse than no policy because it creates a documented standard the organization is demonstrably failing to meet.

Schedule a call → Back to Audit overview →

The six tests

Six questions every
policy must answer.

Each instrument is assessed against the six tests below, with specific defects recorded by location and severity rather than as general impressions.

Existence

Do the instruments needed to govern your actual AI use exist at all?

Coherence

Are they internally consistent, mutually consistent, and free of contradiction or dangerous ambiguity?

Compliance

Do they reflect current regulatory, contractual, and ethical obligations?

Coverage

Do they address the AI uses you actually have, not a generic template that ignores real practice?

Enforceability

Are they specific enough to be followed and enforced, with clear ownership, consequences, and review cycles?

Practice alignment

Do they match what the workforce actually does, as evidenced by skills, Shadow AI, and interview findings?

How we review it

Documents, mapped
against reality.

Most policy reviews stop at reading what is written. This one tests what is written against what is happening, and records both the divergence and its direction.

Inventory the instruments

Collect all documents governing AI use, including relevant sections of acceptable-use, data-protection, procurement, HR, and security policies.

Map to a reference framework

Compare the instrument set against a reference model of what a comparable organization should have, identifying absent and underdeveloped instruments.

Review each instrument

Assess against the six tests, recording specific defects with location and severity rather than general impressions.

Test against practice

Triangulate documented standards against actual behavior. Where policy and practice diverge, both the divergence and its direction are recorded.

What you receive

A defect register
with specific fixes.

Recommendations are specific, often including drafted language for the gaps that matter most, so policy remediation is a workplan rather than another committee.

Policy gap map — which instruments exist, which are missing, which need rework.
Defect register with severity ratings and specific, drafted-language recommendations where useful.
Prioritized policy remediation plan, sequenced with the master roadmap.
Sample finding: acceptable-use policy prohibits entering confidential information into external websites but does not name AI tools, define what counts as confidential in an AI context, or distinguish sanctioned from unsanctioned tools. Employees do not understand the policy to cover AI assistants at all. Recommended remediation: a dedicated AI Acceptable Use Standard with named tool tiers, data-category rules, and worked examples.

Next step

Find the gaps before someone else does.

A focused review of your existing AI policies and procedures, tested against the six tests and against actual practice.

Schedule a call → See Policy Implementation →

✓ Evidence-based, not assertion-based

✓ Powered by the Governance 1st platform

✓ Findings to roadmap, with owners and dates

Six questions everypolicy must answer.