ai · security · skills

Readiness pulse · the leadership self-check

11 questions. One honest baseline.

A five-minute self-check across the NIST AI RMF’s four functions — Govern · Map · Measure · Manage. Answer for your organisation and the reading appears below as you go. Nothing is saved; the reading is the artefact.

Honesty: every output of this instrument is Self-assessed. Saved questionnaire responses — attestation without artifacts. Never measured— a measured reading requires task-level before/after on your own work, which lives elsewhere on the site.

Set the guardrails

Govern.

Does your organisation have an approved AI use policy that names accountable owners?

GOVERN asks whether the practice has stated roles + accountability before it starts running. No policy = no defensible posture.

Does an executive sponsor (CISO, CEO, or board) review AI risk at a recurring cadence?

GOVERN includes leadership engagement — without a regular review, AI risk drifts off the agenda.

Is there a named owner for the AI-Security Center of Excellence (or its equivalent)?

GOVERN asks whether there is a vehicle that owns the climb — not a working group, an accountable function.

Have staff who use AI received role-appropriate AI-literacy training (per EU AI Act Article 4)?

GOVERN names the people layer; Article 4 makes this a binding duty for orgs operating in the EU.

Know where AI is

Map.

Do you maintain an inventory of AI systems in use across the organisation (including shadow AI)?

MAP requires the practice to know what it owns. Shadow AI is the canonical hidden inventory item.

Are AI use cases classified by risk tier (EU AI Act unacceptable / high / limited / minimal)?

MAP includes risk classification before controls are sized — high-risk systems carry obligations limited-risk ones do not.

Test and evidence it

Measure.

Have you baselined your AI controls against an established framework (CSA AICM, ISO 42001, NIST AI 600-1)?

MEASURE starts with a baseline — without one, change cannot be detected.

Are AI-specific incidents (prompt injection, model misuse, data leakage, output harms) detected and tracked?

MEASURE includes operational monitoring of AI-specific failure modes, not generic security signals.

Are the intended benefits of AI governance (risk reduction, value, compliance, trust, sustainability) being monitored?

MEASURE includes the value half — a governance program that only measures cost is a defensive posture, not a strategic one.

Operate and respond

Manage.

When an AI risk or incident is identified, is there a defined remediation path with a named owner and deadline?

MANAGE requires a closed loop — identification without remediation is a list, not a program.

Is the governance program reviewed and updated as AI use, regulation, and threat landscape evolve?

MANAGE includes continuous improvement — a static program goes stale within a quarter in this domain.

Your readingSelf-assessed

Overall posture: Early (0%)

Govern

Early

Not answered

Map

Early

Not answered

Measure

Early

Not answered

Manage

Early

Not answered

Answer the questions above and the reading updates as you go.