ai · security · skills

Self-assessed · STAR for AI Level 1 readiness · sample

Initech: CSA AI-CAIQ assessment report

Big-4 / CSA STAR-style pack for a Phase-1 self-assessment: engagement control, executive summary, scope and methodology, domain dashboard, priority findings, and an answer appendix of CAIQ ids only. Same GRA postures as the Initech ISO and NIST stacks.

Illustrative sample for a fictional organisation. Answers are self-assessed and derived for demonstration. This is not a CSA STAR for AI listing, not an independent audit, and not a Big-4 opinion. Verbatim AI-CAIQ question text and CSA control specifications are omitted (public-safe structure only).

Engagement IDSAMPLE-INITECH-AI-CAIQ-2026-07
Report date17 July 2026
PeriodPoint-in-time · illustrative sample
OrganisationInitech
Assessed roleAI Customer · Deployer (self-assessment)
InstrumentCSA AI-CAIQ v1.1.0
ProgrammeSTAR for AI Level 1 (self-assessment readiness)
ClassificationSample · Illustrative · Not for submission
ProvenanceSelf-assessed

1 · Executive summary

Management readout

Initech Phase-1 AI-CAIQ self-assessment (8 AICM domains, 122 questions): 2% affirmative (Yes among Yes+No). 120 No / 2 Yes / 0 NA. This is a STAR for AI Level 1 readiness readout — self-assessed sample data, not a CSA STAR listing, not an audit opinion.

Based on the procedures described, and subject to the limitations below, management's Phase-1 self-assessment indicates material gaps relative to a STAR for AI Level 1 Yes posture. We do not express an audit opinion.

Questions in scope

122

Yes

2

No

120

NA

0

Affirmative rate

2%

Full AI-CAIQ

320

2 · Scope and methodology

Engagement boundaries

Phase-1 scope: AICM domains A&A, AIS, GRC, HRS, TVM, STA, BCR, IPY (122 of 320 AI-CAIQ questions). Out-of-scope domains are excluded from this sample pack.

  1. Instrument: CSA AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) v1.1.0 mapped to CSA AI Controls Matrix (AICM) v1.1.0.
  2. Answer lexicon: Yes / No / NA per STAR Level 1 self-assessment practice.
  3. Implementation status (Fully / Partially / Not implemented / NA) is a consulting annotation alongside the binary answer.
  4. Scoring: affirmative rate = Yes ÷ (Yes + No); NA excluded from the rate.
  5. Priority: Critical if the underlying AICM control is gate-blocking; otherwise High/Medium by domain and implementation status.
  6. No independent testing, walkthroughs, or evidence sampling were performed for this sample.

3 · Domain dashboard

Affirmative rate by AICM domain

Affirmative rate = Yes ÷ (Yes + No). NA is excluded. Rates are self-assessed sample posture, not tested evidence.

DomainControlsQuestionsYesNoNAAffirmative
A&AAudit & Assurance670700%
AISApplication & Interface Security151801800%
BCRBusiness Continuity Management and Operational Resilience111601600%
GRCGovernance, Risk and Compliance1518216011%
HRSHuman Resources152202200%
IPYInteroperability & Portability450500%
STASupply Chain Management, Transparency, and Accountability161901900%
TVMThreat & Vulnerability Management131701700%

4 · Key findings

Priority gap register

One row per AICM control with a No answer (first CAIQ id shown). Critical = gate-blocking control. Verbatim questionnaire text is omitted.

PriorityAICMCAIQ idControl titleAnswerImpl.Finding
HighA&A-02A&A-02.1Independent AssessmentsNoNot implementedIndependent Assessments: not attested. Close with evidence before a STAR Level 1 Yes.
HighA&A-03A&A-03.1Risk Based Planning AssessmentNoNot implementedRisk Based Planning Assessment: not attested. Close with evidence before a STAR Level 1 Yes.
HighA&A-04A&A-04.1Requirements ComplianceNoNot implementedRequirements Compliance: not attested. Close with evidence before a STAR Level 1 Yes.
HighA&A-05A&A-05.1Audit Management ProcessNoNot implementedAudit Management Process: not attested. Close with evidence before a STAR Level 1 Yes.
HighA&A-06A&A-06.1RemediationNoNot implementedRemediation: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-03GRC-03.1Organizational Policy ReviewsNoNot implementedOrganizational Policy Reviews: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-04GRC-04.1Policy Exception ProcessNoNot implementedPolicy Exception Process: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-05GRC-05.1Information Security ProgramNoNot implementedInformation Security Program: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-06GRC-06.1Governance Responsibility ModelNoNot implementedGovernance Responsibility Model: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-07GRC-07.1Information System Regulatory MappingNoNot implementedInformation System Regulatory Mapping: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-08GRC-08.1Special Interest GroupsNoNot implementedSpecial Interest Groups: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-09GRC-09.1Acceptable Use of the AI ServiceNoNot implementedAcceptable Use of the AI Service: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-10GRC-10.1AI Impact AssessmentNoNot implementedAI Impact Assessment: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-11GRC-11.1Bias and Fairness AssessmentNoNot implementedBias and Fairness Assessment: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-12GRC-12.1Ethics CommitteeNoNot implementedEthics Committee: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-13GRC-13.1Explainability RequirementNoNot implementedExplainability Requirement: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-14GRC-14.1Explainability EvaluationNoNot implementedExplainability Evaluation: not attested. Close with evidence before a STAR Level 1 Yes.
HighGRC-15GRC-15.1Human supervisionNoNot implementedHuman supervision: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-02STA-02.1SSRM Policy and ProceduresNoNot implementedSSRM Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-03STA-03.1SSRM Supply ChainNoNot implementedSSRM Supply Chain: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-04STA-04.1SSRM GuidanceNoNot implementedSSRM Guidance: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-05STA-05.1SSRM Control OwnershipNoNot implementedSSRM Control Ownership: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-06STA-06.1SSRM Documentation ReviewNoNot implementedSSRM Documentation Review: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-07STA-07.1SSRM Control ImplementationNoNot implementedSSRM Control Implementation: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-09STA-09.1Service Bill of Material (BOM)NoNot implementedService Bill of Material (BOM): not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-10STA-10.1Supply Chain Risk ManagementNoNot implementedSupply Chain Risk Management: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-11STA-11.1Primary Service and Contractual AgreementNoNot implementedPrimary Service and Contractual Agreement: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-12STA-12.1Supply Chain Agreement ReviewNoNot implementedSupply Chain Agreement Review: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-13STA-13.1Supply Chain Compliance AssessmentNoNot implementedSupply Chain Compliance Assessment: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-14STA-14.1Supply Chain Service Agreement ComplianceNoNot implementedSupply Chain Service Agreement Compliance: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-15STA-15.1Supply Chain Governance ReviewNoNot implementedSupply Chain Governance Review: not attested. Close with evidence before a STAR Level 1 Yes.
HighSTA-16STA-16.1Supply Chain Data Security AssessmentNoNot implementedSupply Chain Data Security Assessment: not attested. Close with evidence before a STAR Level 1 Yes.
MediumA&A-01A&A-01.1Audit and Assurance Policy and ProceduresNoPartiallyAudit and Assurance Policy and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumAIS-01AIS-01.1Application and Interface Security Policy and ProceduresNoPartiallyApplication and Interface Security Policy and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumAIS-02AIS-02.1Application Security Baseline RequirementsNoNot implementedApplication Security Baseline Requirements: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-03AIS-03.1Application Security MetricsNoNot implementedApplication Security Metrics: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-04AIS-04.1Secure Application Development LifecycleNoNot implementedSecure Application Development Lifecycle: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-05AIS-05.1Application Security TestingNoNot implementedApplication Security Testing: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-06AIS-06.1Secure Application DeploymentNoNot implementedSecure Application Deployment: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-07AIS-07.1Application Vulnerability RemediationNoNot implementedApplication Vulnerability Remediation: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-08AIS-08.1API SecurityNoNot implementedAPI Security: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-09AIS-09.1Input ValidationNoNot implementedInput Validation: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-10AIS-10.1Output ValidationNoNot implementedOutput Validation: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-11AIS-11.1Agents Security BoundariesNoNot implementedAgents Security Boundaries: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-12AIS-12.1Source Code ManagementNoNot implementedSource Code Management: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-13AIS-13.1AI SandboxingNoNot implementedAI Sandboxing: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-14AIS-14.1AI Cache ProtectionNoNot implementedAI Cache Protection: not attested. Close with evidence before a STAR Level 1 Yes.
MediumAIS-15AIS-15.1Prompt DifferentiationNoNot implementedPrompt Differentiation: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-01BCR-01.1Business Continuity Management Policy and ProceduresNoNot implementedBusiness Continuity Management Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-02BCR-02.1Risk Assessment and Impact AnalysisNoNot implementedRisk Assessment and Impact Analysis: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-03BCR-03.1Business Continuity StrategyNoNot implementedBusiness Continuity Strategy: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-04BCR-04.1Business Continuity PlanningNoNot implementedBusiness Continuity Planning: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-05BCR-05.1DocumentationNoNot implementedDocumentation: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-06BCR-06.1Business Continuity ExercisesNoNot implementedBusiness Continuity Exercises: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-07BCR-07.1CommunicationNoNot implementedCommunication: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-08BCR-08.1BackupNoPartiallyBackup: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumBCR-09BCR-09.1Disaster Response PlanNoNot implementedDisaster Response Plan: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-10BCR-10.1Response Plan ExerciseNoNot implementedResponse Plan Exercise: not attested. Close with evidence before a STAR Level 1 Yes.
MediumBCR-11BCR-11.1Equipment RedundancyNoNot implementedEquipment Redundancy: not attested. Close with evidence before a STAR Level 1 Yes.
MediumGRC-02GRC-02.1Risk Management ProgramNoPartiallyRisk Management Program: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumHRS-01HRS-01.1Background Screening Policy and ProceduresNoNot implementedBackground Screening Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-02HRS-02.1Acceptable Use of Technology Policy and ProceduresNoNot implementedAcceptable Use of Technology Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-03HRS-03.1Clean Desk Policy and ProceduresNoNot implementedClean Desk Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-04HRS-04.1Remote and Home Working Policy and ProceduresNoNot implementedRemote and Home Working Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-05HRS-05.1Asset returnsNoNot implementedAsset returns: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-06HRS-06.1Employment TerminationNoNot implementedEmployment Termination: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-07HRS-07.1Employment Agreement ProcessNoNot implementedEmployment Agreement Process: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-08HRS-08.1Employment Agreement ContentNoNot implementedEmployment Agreement Content: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-09HRS-09.1Personnel Roles and ResponsibilitiesNoNot implementedPersonnel Roles and Responsibilities: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-10HRS-10.1Non-Disclosure AgreementsNoNot implementedNon-Disclosure Agreements: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-11HRS-11.1Security Awareness TrainingNoNot implementedSecurity Awareness Training: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-12HRS-12.1Personal and Sensitive Data Awareness and TrainingNoNot implementedPersonal and Sensitive Data Awareness and Training: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-13HRS-13.1Compliance User ResponsibilityNoNot implementedCompliance User Responsibility: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-14HRS-14.1AI Competency TrainingNoNot implementedAI Competency Training: not attested. Close with evidence before a STAR Level 1 Yes.
MediumHRS-15HRS-15.1AI Acceptable UseNoPartiallyAI Acceptable Use: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumIPY-01IPY-01.1Interoperability and Portability Policy and ProceduresNoNot implementedInteroperability and Portability Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumIPY-02IPY-02.1Application Interface AvailabilityNoNot implementedApplication Interface Availability: not attested. Close with evidence before a STAR Level 1 Yes.
MediumIPY-03IPY-03.1Secure Interoperability and Portability ManagementNoNot implementedSecure Interoperability and Portability Management: not attested. Close with evidence before a STAR Level 1 Yes.
MediumIPY-04IPY-04.1Data Portability Contractual ObligationsNoNot implementedData Portability Contractual Obligations: not attested. Close with evidence before a STAR Level 1 Yes.
MediumSTA-01STA-01.1Supply Chain Risk Management Policies and ProceduresNoPartiallySupply Chain Risk Management Policies and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumSTA-08STA-08.1Supply Chain InventoryNoPartiallySupply Chain Inventory: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumTVM-01TVM-01.1Threat and Vulnerability Management Policy and ProceduresNoPartiallyThreat and Vulnerability Management Policy and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence.
MediumTVM-02TVM-02.1Malware and Malicious Instructions Protection Policy and ProceduresNoNot implementedMalware and Malicious Instructions Protection Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-03TVM-03.1Vulnerability IdentificationNoNot implementedVulnerability Identification: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-04TVM-04.1Threat Analysis and ModellingNoNot implementedThreat Analysis and Modelling: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-05TVM-05.1Detection UpdatesNoNot implementedDetection Updates: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-06TVM-06.1External Library VulnerabilitiesNoNot implementedExternal Library Vulnerabilities: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-07TVM-07.1Penetration TestingNoNot implementedPenetration Testing: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-08TVM-08.1Vulnerability Remediation ScheduleNoNot implementedVulnerability Remediation Schedule: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-09TVM-09.1Vulnerability PrioritizationNoNot implementedVulnerability Prioritization: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-10TVM-10.1Threat ResponseNoNot implementedThreat Response: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-11TVM-11.1Vulnerability Management ReportingNoNot implementedVulnerability Management Reporting: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-12TVM-12.1Vulnerability Management MetricsNoNot implementedVulnerability Management Metrics: not attested. Close with evidence before a STAR Level 1 Yes.
MediumTVM-13TVM-13.1GuardrailsNoNot implementedGuardrails: not attested. Close with evidence before a STAR Level 1 Yes.

5 · Recommendations

Path to a STAR Level 1 Yes posture

  • Convert every High/Critical No into an evidence-backed remediation with owner and date before a STAR Level 1 registry submission.
  • Partial implementations remain No under the binary Yes/No/NA lexicon — close evidence gaps, then re-answer Yes.
  • Expand scope beyond Phase-1 GRA domains (DSP, IAM, LOG, MDS, SEF, …) for a full 320-question AI-CAIQ attestation.
  • Keep AICM control ids as the spine; AI-CAIQ question ids are the attestation layer on the same controls.

6 · Answer appendix

122 CAIQ ids (320 instrument total)

Public-safe structure: question id, parent AICM control, domain, Yes/No/NA, and consulting implementation status. No CSA question wording.

CAIQ idAICMDomainAnswerImpl.
A&A-01.1A&A-01A&ANoPartially
A&A-01.2A&A-01A&ANoPartially
A&A-02.1A&A-02A&ANoNot implemented
A&A-03.1A&A-03A&ANoNot implemented
A&A-04.1A&A-04A&ANoNot implemented
A&A-05.1A&A-05A&ANoNot implemented
A&A-06.1A&A-06A&ANoNot implemented
AIS-01.1AIS-01AISNoPartially
AIS-01.2AIS-01AISNoPartially
AIS-02.1AIS-02AISNoNot implemented
AIS-03.1AIS-03AISNoNot implemented
AIS-04.1AIS-04AISNoNot implemented
AIS-05.1AIS-05AISNoNot implemented
AIS-05.2AIS-05AISNoNot implemented
AIS-06.1AIS-06AISNoNot implemented
AIS-07.1AIS-07AISNoNot implemented
AIS-08.1AIS-08AISNoNot implemented
AIS-08.2AIS-08AISNoNot implemented
AIS-09.1AIS-09AISNoNot implemented
AIS-10.1AIS-10AISNoNot implemented
AIS-11.1AIS-11AISNoNot implemented
AIS-12.1AIS-12AISNoNot implemented
AIS-13.1AIS-13AISNoNot implemented
AIS-14.1AIS-14AISNoNot implemented
AIS-15.1AIS-15AISNoNot implemented
BCR-01.1BCR-01BCRNoNot implemented
BCR-01.2BCR-01BCRNoNot implemented
BCR-02.1BCR-02BCRNoNot implemented
BCR-02.2BCR-02BCRNoNot implemented
BCR-03.1BCR-03BCRNoNot implemented
BCR-04.1BCR-04BCRNoNot implemented
BCR-05.1BCR-05BCRNoNot implemented
BCR-05.2BCR-05BCRNoNot implemented
BCR-06.1BCR-06BCRNoNot implemented
BCR-07.1BCR-07BCRNoNot implemented
BCR-08.1BCR-08BCRNoPartially
BCR-08.2BCR-08BCRNoPartially
BCR-09.1BCR-09BCRNoNot implemented
BCR-09.2BCR-09BCRNoNot implemented
BCR-10.1BCR-10BCRNoNot implemented
BCR-11.1BCR-11BCRNoNot implemented
GRC-01.1GRC-01GRCYesFully
GRC-01.2GRC-01GRCYesFully
GRC-02.1GRC-02GRCNoPartially
GRC-03.1GRC-03GRCNoNot implemented
GRC-04.1GRC-04GRCNoNot implemented
GRC-05.1GRC-05GRCNoNot implemented
GRC-06.1GRC-06GRCNoNot implemented
GRC-07.1GRC-07GRCNoNot implemented
GRC-07.2GRC-07GRCNoNot implemented
GRC-08.1GRC-08GRCNoNot implemented
GRC-09.1GRC-09GRCNoNot implemented
GRC-09.2GRC-09GRCNoNot implemented
GRC-10.1GRC-10GRCNoNot implemented
GRC-11.1GRC-11GRCNoNot implemented
GRC-12.1GRC-12GRCNoNot implemented
GRC-13.1GRC-13GRCNoNot implemented
GRC-14.1GRC-14GRCNoNot implemented
GRC-15.1GRC-15GRCNoNot implemented
HRS-01.1HRS-01HRSNoNot implemented
HRS-01.2HRS-01HRSNoNot implemented
HRS-01.3HRS-01HRSNoNot implemented
HRS-02.1HRS-02HRSNoNot implemented
HRS-02.2HRS-02HRSNoNot implemented
HRS-03.1HRS-03HRSNoNot implemented
HRS-03.2HRS-03HRSNoNot implemented
HRS-04.1HRS-04HRSNoNot implemented
HRS-04.2HRS-04HRSNoNot implemented
HRS-05.1HRS-05HRSNoNot implemented
HRS-06.1HRS-06HRSNoNot implemented
HRS-07.1HRS-07HRSNoNot implemented
HRS-08.1HRS-08HRSNoNot implemented
HRS-09.1HRS-09HRSNoNot implemented
HRS-10.1HRS-10HRSNoNot implemented
HRS-11.1HRS-11HRSNoNot implemented
HRS-11.2HRS-11HRSNoNot implemented
HRS-12.1HRS-12HRSNoNot implemented
HRS-13.1HRS-13HRSNoNot implemented
HRS-14.1HRS-14HRSNoNot implemented
HRS-14.2HRS-14HRSNoNot implemented
HRS-15.1HRS-15HRSNoPartially
IPY-01.1IPY-01IPYNoNot implemented
IPY-01.2IPY-01IPYNoNot implemented
IPY-02.1IPY-02IPYNoNot implemented
IPY-03.1IPY-03IPYNoNot implemented
IPY-04.1IPY-04IPYNoNot implemented
STA-01.1STA-01STANoPartially
STA-01.2STA-01STANoPartially
STA-02.1STA-02STANoNot implemented
STA-02.2STA-02STANoNot implemented
STA-03.1STA-03STANoNot implemented
STA-04.1STA-04STANoNot implemented
STA-05.1STA-05STANoNot implemented
STA-06.1STA-06STANoNot implemented
STA-07.1STA-07STANoNot implemented
STA-08.1STA-08STANoPartially
STA-09.1STA-09STANoNot implemented
STA-09.2STA-09STANoNot implemented
STA-10.1STA-10STANoNot implemented
STA-11.1STA-11STANoNot implemented
STA-12.1STA-12STANoNot implemented
STA-13.1STA-13STANoNot implemented
STA-14.1STA-14STANoNot implemented
STA-15.1STA-15STANoNot implemented
STA-16.1STA-16STANoNot implemented
TVM-01.1TVM-01TVMNoPartially
TVM-01.2TVM-01TVMNoPartially
TVM-02.1TVM-02TVMNoNot implemented
TVM-02.2TVM-02TVMNoNot implemented
TVM-03.1TVM-03TVMNoNot implemented
TVM-04.1TVM-04TVMNoNot implemented
TVM-04.2TVM-04TVMNoNot implemented
TVM-05.1TVM-05TVMNoNot implemented
TVM-06.1TVM-06TVMNoNot implemented
TVM-07.1TVM-07TVMNoNot implemented
TVM-08.1TVM-08TVMNoNot implemented
TVM-09.1TVM-09TVMNoNot implemented
TVM-10.1TVM-10TVMNoNot implemented
TVM-11.1TVM-11TVMNoNot implemented
TVM-12.1TVM-12TVMNoNot implemented
TVM-13.1TVM-13TVMNoNot implemented
TVM-13.2TVM-13TVMNoNot implemented

7 · Limitations

What this pack is not

  • Not a CSA STAR for AI registry submission or listing.
  • Not an independent audit, attestation, or Big-4 opinion.
  • Not a full 320-question AI-CAIQ; Phase-1 GRA domains only.
  • Fictional organisation; answers are illustrative and aligned to the Initech GRA diagnostic sample.
  • Related lenses: ISO stack and NIST stack use the same AICM postures.