Self-assessed · STAR for AI Level 1 readiness · sample
Initech: CSA AI-CAIQ assessment report
Big-4 / CSA STAR-style pack for a Phase-1 self-assessment: engagement control, executive summary, scope and methodology, domain dashboard, priority findings, and an answer appendix of CAIQ ids only. Same GRA postures as the Initech ISO and NIST stacks.
Illustrative sample for a fictional organisation. Answers are self-assessed and derived for demonstration. This is not a CSA STAR for AI listing, not an independent audit, and not a Big-4 opinion. Verbatim AI-CAIQ question text and CSA control specifications are omitted (public-safe structure only).
| Engagement ID | SAMPLE-INITECH-AI-CAIQ-2026-07 |
|---|---|
| Report date | 17 July 2026 |
| Period | Point-in-time · illustrative sample |
| Organisation | Initech |
| Assessed role | AI Customer · Deployer (self-assessment) |
| Instrument | CSA AI-CAIQ v1.1.0 |
| Programme | STAR for AI Level 1 (self-assessment readiness) |
| Classification | Sample · Illustrative · Not for submission |
| Provenance | Self-assessed |
1 · Executive summary
Management readout
Initech Phase-1 AI-CAIQ self-assessment (8 AICM domains, 122 questions): 2% affirmative (Yes among Yes+No). 120 No / 2 Yes / 0 NA. This is a STAR for AI Level 1 readiness readout — self-assessed sample data, not a CSA STAR listing, not an audit opinion.
Based on the procedures described, and subject to the limitations below, management's Phase-1 self-assessment indicates material gaps relative to a STAR for AI Level 1 Yes posture. We do not express an audit opinion.
Questions in scope
122
Yes
2
No
120
NA
0
Affirmative rate
2%
Full AI-CAIQ
320
2 · Scope and methodology
Engagement boundaries
Phase-1 scope: AICM domains A&A, AIS, GRC, HRS, TVM, STA, BCR, IPY (122 of 320 AI-CAIQ questions). Out-of-scope domains are excluded from this sample pack.
- Instrument: CSA AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) v1.1.0 mapped to CSA AI Controls Matrix (AICM) v1.1.0.
- Answer lexicon: Yes / No / NA per STAR Level 1 self-assessment practice.
- Implementation status (Fully / Partially / Not implemented / NA) is a consulting annotation alongside the binary answer.
- Scoring: affirmative rate = Yes ÷ (Yes + No); NA excluded from the rate.
- Priority: Critical if the underlying AICM control is gate-blocking; otherwise High/Medium by domain and implementation status.
- No independent testing, walkthroughs, or evidence sampling were performed for this sample.
3 · Domain dashboard
Affirmative rate by AICM domain
Affirmative rate = Yes ÷ (Yes + No). NA is excluded. Rates are self-assessed sample posture, not tested evidence.
| Domain | Controls | Questions | Yes | No | NA | Affirmative |
|---|---|---|---|---|---|---|
| A&AAudit & Assurance | 6 | 7 | 0 | 7 | 0 | 0% |
| AISApplication & Interface Security | 15 | 18 | 0 | 18 | 0 | 0% |
| BCRBusiness Continuity Management and Operational Resilience | 11 | 16 | 0 | 16 | 0 | 0% |
| GRCGovernance, Risk and Compliance | 15 | 18 | 2 | 16 | 0 | 11% |
| HRSHuman Resources | 15 | 22 | 0 | 22 | 0 | 0% |
| IPYInteroperability & Portability | 4 | 5 | 0 | 5 | 0 | 0% |
| STASupply Chain Management, Transparency, and Accountability | 16 | 19 | 0 | 19 | 0 | 0% |
| TVMThreat & Vulnerability Management | 13 | 17 | 0 | 17 | 0 | 0% |
4 · Key findings
Priority gap register
One row per AICM control with a No answer (first CAIQ id shown). Critical = gate-blocking control. Verbatim questionnaire text is omitted.
| Priority | AICM | CAIQ id | Control title | Answer | Impl. | Finding |
|---|---|---|---|---|---|---|
| High | A&A-02 | A&A-02.1 | Independent Assessments | No | Not implemented | Independent Assessments: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | A&A-03 | A&A-03.1 | Risk Based Planning Assessment | No | Not implemented | Risk Based Planning Assessment: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | A&A-04 | A&A-04.1 | Requirements Compliance | No | Not implemented | Requirements Compliance: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | A&A-05 | A&A-05.1 | Audit Management Process | No | Not implemented | Audit Management Process: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | A&A-06 | A&A-06.1 | Remediation | No | Not implemented | Remediation: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-03 | GRC-03.1 | Organizational Policy Reviews | No | Not implemented | Organizational Policy Reviews: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-04 | GRC-04.1 | Policy Exception Process | No | Not implemented | Policy Exception Process: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-05 | GRC-05.1 | Information Security Program | No | Not implemented | Information Security Program: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-06 | GRC-06.1 | Governance Responsibility Model | No | Not implemented | Governance Responsibility Model: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-07 | GRC-07.1 | Information System Regulatory Mapping | No | Not implemented | Information System Regulatory Mapping: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-08 | GRC-08.1 | Special Interest Groups | No | Not implemented | Special Interest Groups: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-09 | GRC-09.1 | Acceptable Use of the AI Service | No | Not implemented | Acceptable Use of the AI Service: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-10 | GRC-10.1 | AI Impact Assessment | No | Not implemented | AI Impact Assessment: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-11 | GRC-11.1 | Bias and Fairness Assessment | No | Not implemented | Bias and Fairness Assessment: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-12 | GRC-12.1 | Ethics Committee | No | Not implemented | Ethics Committee: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-13 | GRC-13.1 | Explainability Requirement | No | Not implemented | Explainability Requirement: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-14 | GRC-14.1 | Explainability Evaluation | No | Not implemented | Explainability Evaluation: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | GRC-15 | GRC-15.1 | Human supervision | No | Not implemented | Human supervision: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-02 | STA-02.1 | SSRM Policy and Procedures | No | Not implemented | SSRM Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-03 | STA-03.1 | SSRM Supply Chain | No | Not implemented | SSRM Supply Chain: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-04 | STA-04.1 | SSRM Guidance | No | Not implemented | SSRM Guidance: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-05 | STA-05.1 | SSRM Control Ownership | No | Not implemented | SSRM Control Ownership: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-06 | STA-06.1 | SSRM Documentation Review | No | Not implemented | SSRM Documentation Review: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-07 | STA-07.1 | SSRM Control Implementation | No | Not implemented | SSRM Control Implementation: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-09 | STA-09.1 | Service Bill of Material (BOM) | No | Not implemented | Service Bill of Material (BOM): not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-10 | STA-10.1 | Supply Chain Risk Management | No | Not implemented | Supply Chain Risk Management: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-11 | STA-11.1 | Primary Service and Contractual Agreement | No | Not implemented | Primary Service and Contractual Agreement: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-12 | STA-12.1 | Supply Chain Agreement Review | No | Not implemented | Supply Chain Agreement Review: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-13 | STA-13.1 | Supply Chain Compliance Assessment | No | Not implemented | Supply Chain Compliance Assessment: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-14 | STA-14.1 | Supply Chain Service Agreement Compliance | No | Not implemented | Supply Chain Service Agreement Compliance: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-15 | STA-15.1 | Supply Chain Governance Review | No | Not implemented | Supply Chain Governance Review: not attested. Close with evidence before a STAR Level 1 Yes. |
| High | STA-16 | STA-16.1 | Supply Chain Data Security Assessment | No | Not implemented | Supply Chain Data Security Assessment: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | A&A-01 | A&A-01.1 | Audit and Assurance Policy and Procedures | No | Partially | Audit and Assurance Policy and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | AIS-01 | AIS-01.1 | Application and Interface Security Policy and Procedures | No | Partially | Application and Interface Security Policy and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | AIS-02 | AIS-02.1 | Application Security Baseline Requirements | No | Not implemented | Application Security Baseline Requirements: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-03 | AIS-03.1 | Application Security Metrics | No | Not implemented | Application Security Metrics: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-04 | AIS-04.1 | Secure Application Development Lifecycle | No | Not implemented | Secure Application Development Lifecycle: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-05 | AIS-05.1 | Application Security Testing | No | Not implemented | Application Security Testing: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-06 | AIS-06.1 | Secure Application Deployment | No | Not implemented | Secure Application Deployment: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-07 | AIS-07.1 | Application Vulnerability Remediation | No | Not implemented | Application Vulnerability Remediation: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-08 | AIS-08.1 | API Security | No | Not implemented | API Security: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-09 | AIS-09.1 | Input Validation | No | Not implemented | Input Validation: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-10 | AIS-10.1 | Output Validation | No | Not implemented | Output Validation: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-11 | AIS-11.1 | Agents Security Boundaries | No | Not implemented | Agents Security Boundaries: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-12 | AIS-12.1 | Source Code Management | No | Not implemented | Source Code Management: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-13 | AIS-13.1 | AI Sandboxing | No | Not implemented | AI Sandboxing: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-14 | AIS-14.1 | AI Cache Protection | No | Not implemented | AI Cache Protection: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | AIS-15 | AIS-15.1 | Prompt Differentiation | No | Not implemented | Prompt Differentiation: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-01 | BCR-01.1 | Business Continuity Management Policy and Procedures | No | Not implemented | Business Continuity Management Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-02 | BCR-02.1 | Risk Assessment and Impact Analysis | No | Not implemented | Risk Assessment and Impact Analysis: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-03 | BCR-03.1 | Business Continuity Strategy | No | Not implemented | Business Continuity Strategy: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-04 | BCR-04.1 | Business Continuity Planning | No | Not implemented | Business Continuity Planning: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-05 | BCR-05.1 | Documentation | No | Not implemented | Documentation: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-06 | BCR-06.1 | Business Continuity Exercises | No | Not implemented | Business Continuity Exercises: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-07 | BCR-07.1 | Communication | No | Not implemented | Communication: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-08 | BCR-08.1 | Backup | No | Partially | Backup: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | BCR-09 | BCR-09.1 | Disaster Response Plan | No | Not implemented | Disaster Response Plan: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-10 | BCR-10.1 | Response Plan Exercise | No | Not implemented | Response Plan Exercise: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | BCR-11 | BCR-11.1 | Equipment Redundancy | No | Not implemented | Equipment Redundancy: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | GRC-02 | GRC-02.1 | Risk Management Program | No | Partially | Risk Management Program: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | HRS-01 | HRS-01.1 | Background Screening Policy and Procedures | No | Not implemented | Background Screening Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-02 | HRS-02.1 | Acceptable Use of Technology Policy and Procedures | No | Not implemented | Acceptable Use of Technology Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-03 | HRS-03.1 | Clean Desk Policy and Procedures | No | Not implemented | Clean Desk Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-04 | HRS-04.1 | Remote and Home Working Policy and Procedures | No | Not implemented | Remote and Home Working Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-05 | HRS-05.1 | Asset returns | No | Not implemented | Asset returns: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-06 | HRS-06.1 | Employment Termination | No | Not implemented | Employment Termination: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-07 | HRS-07.1 | Employment Agreement Process | No | Not implemented | Employment Agreement Process: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-08 | HRS-08.1 | Employment Agreement Content | No | Not implemented | Employment Agreement Content: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-09 | HRS-09.1 | Personnel Roles and Responsibilities | No | Not implemented | Personnel Roles and Responsibilities: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-10 | HRS-10.1 | Non-Disclosure Agreements | No | Not implemented | Non-Disclosure Agreements: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-11 | HRS-11.1 | Security Awareness Training | No | Not implemented | Security Awareness Training: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-12 | HRS-12.1 | Personal and Sensitive Data Awareness and Training | No | Not implemented | Personal and Sensitive Data Awareness and Training: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-13 | HRS-13.1 | Compliance User Responsibility | No | Not implemented | Compliance User Responsibility: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-14 | HRS-14.1 | AI Competency Training | No | Not implemented | AI Competency Training: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | HRS-15 | HRS-15.1 | AI Acceptable Use | No | Partially | AI Acceptable Use: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | IPY-01 | IPY-01.1 | Interoperability and Portability Policy and Procedures | No | Not implemented | Interoperability and Portability Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | IPY-02 | IPY-02.1 | Application Interface Availability | No | Not implemented | Application Interface Availability: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | IPY-03 | IPY-03.1 | Secure Interoperability and Portability Management | No | Not implemented | Secure Interoperability and Portability Management: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | IPY-04 | IPY-04.1 | Data Portability Contractual Obligations | No | Not implemented | Data Portability Contractual Obligations: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | STA-01 | STA-01.1 | Supply Chain Risk Management Policies and Procedures | No | Partially | Supply Chain Risk Management Policies and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | STA-08 | STA-08.1 | Supply Chain Inventory | No | Partially | Supply Chain Inventory: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | TVM-01 | TVM-01.1 | Threat and Vulnerability Management Policy and Procedures | No | Partially | Threat and Vulnerability Management Policy and Procedures: practice partially attested; STAR Level 1 Yes requires full implementation evidence. |
| Medium | TVM-02 | TVM-02.1 | Malware and Malicious Instructions Protection Policy and Procedures | No | Not implemented | Malware and Malicious Instructions Protection Policy and Procedures: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-03 | TVM-03.1 | Vulnerability Identification | No | Not implemented | Vulnerability Identification: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-04 | TVM-04.1 | Threat Analysis and Modelling | No | Not implemented | Threat Analysis and Modelling: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-05 | TVM-05.1 | Detection Updates | No | Not implemented | Detection Updates: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-06 | TVM-06.1 | External Library Vulnerabilities | No | Not implemented | External Library Vulnerabilities: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-07 | TVM-07.1 | Penetration Testing | No | Not implemented | Penetration Testing: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-08 | TVM-08.1 | Vulnerability Remediation Schedule | No | Not implemented | Vulnerability Remediation Schedule: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-09 | TVM-09.1 | Vulnerability Prioritization | No | Not implemented | Vulnerability Prioritization: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-10 | TVM-10.1 | Threat Response | No | Not implemented | Threat Response: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-11 | TVM-11.1 | Vulnerability Management Reporting | No | Not implemented | Vulnerability Management Reporting: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-12 | TVM-12.1 | Vulnerability Management Metrics | No | Not implemented | Vulnerability Management Metrics: not attested. Close with evidence before a STAR Level 1 Yes. |
| Medium | TVM-13 | TVM-13.1 | Guardrails | No | Not implemented | Guardrails: not attested. Close with evidence before a STAR Level 1 Yes. |
5 · Recommendations
Path to a STAR Level 1 Yes posture
- Convert every High/Critical No into an evidence-backed remediation with owner and date before a STAR Level 1 registry submission.
- Partial implementations remain No under the binary Yes/No/NA lexicon — close evidence gaps, then re-answer Yes.
- Expand scope beyond Phase-1 GRA domains (DSP, IAM, LOG, MDS, SEF, …) for a full 320-question AI-CAIQ attestation.
- Keep AICM control ids as the spine; AI-CAIQ question ids are the attestation layer on the same controls.
6 · Answer appendix
122 CAIQ ids (320 instrument total)
Public-safe structure: question id, parent AICM control, domain, Yes/No/NA, and consulting implementation status. No CSA question wording.
| CAIQ id | AICM | Domain | Answer | Impl. |
|---|---|---|---|---|
| A&A-01.1 | A&A-01 | A&A | No | Partially |
| A&A-01.2 | A&A-01 | A&A | No | Partially |
| A&A-02.1 | A&A-02 | A&A | No | Not implemented |
| A&A-03.1 | A&A-03 | A&A | No | Not implemented |
| A&A-04.1 | A&A-04 | A&A | No | Not implemented |
| A&A-05.1 | A&A-05 | A&A | No | Not implemented |
| A&A-06.1 | A&A-06 | A&A | No | Not implemented |
| AIS-01.1 | AIS-01 | AIS | No | Partially |
| AIS-01.2 | AIS-01 | AIS | No | Partially |
| AIS-02.1 | AIS-02 | AIS | No | Not implemented |
| AIS-03.1 | AIS-03 | AIS | No | Not implemented |
| AIS-04.1 | AIS-04 | AIS | No | Not implemented |
| AIS-05.1 | AIS-05 | AIS | No | Not implemented |
| AIS-05.2 | AIS-05 | AIS | No | Not implemented |
| AIS-06.1 | AIS-06 | AIS | No | Not implemented |
| AIS-07.1 | AIS-07 | AIS | No | Not implemented |
| AIS-08.1 | AIS-08 | AIS | No | Not implemented |
| AIS-08.2 | AIS-08 | AIS | No | Not implemented |
| AIS-09.1 | AIS-09 | AIS | No | Not implemented |
| AIS-10.1 | AIS-10 | AIS | No | Not implemented |
| AIS-11.1 | AIS-11 | AIS | No | Not implemented |
| AIS-12.1 | AIS-12 | AIS | No | Not implemented |
| AIS-13.1 | AIS-13 | AIS | No | Not implemented |
| AIS-14.1 | AIS-14 | AIS | No | Not implemented |
| AIS-15.1 | AIS-15 | AIS | No | Not implemented |
| BCR-01.1 | BCR-01 | BCR | No | Not implemented |
| BCR-01.2 | BCR-01 | BCR | No | Not implemented |
| BCR-02.1 | BCR-02 | BCR | No | Not implemented |
| BCR-02.2 | BCR-02 | BCR | No | Not implemented |
| BCR-03.1 | BCR-03 | BCR | No | Not implemented |
| BCR-04.1 | BCR-04 | BCR | No | Not implemented |
| BCR-05.1 | BCR-05 | BCR | No | Not implemented |
| BCR-05.2 | BCR-05 | BCR | No | Not implemented |
| BCR-06.1 | BCR-06 | BCR | No | Not implemented |
| BCR-07.1 | BCR-07 | BCR | No | Not implemented |
| BCR-08.1 | BCR-08 | BCR | No | Partially |
| BCR-08.2 | BCR-08 | BCR | No | Partially |
| BCR-09.1 | BCR-09 | BCR | No | Not implemented |
| BCR-09.2 | BCR-09 | BCR | No | Not implemented |
| BCR-10.1 | BCR-10 | BCR | No | Not implemented |
| BCR-11.1 | BCR-11 | BCR | No | Not implemented |
| GRC-01.1 | GRC-01 | GRC | Yes | Fully |
| GRC-01.2 | GRC-01 | GRC | Yes | Fully |
| GRC-02.1 | GRC-02 | GRC | No | Partially |
| GRC-03.1 | GRC-03 | GRC | No | Not implemented |
| GRC-04.1 | GRC-04 | GRC | No | Not implemented |
| GRC-05.1 | GRC-05 | GRC | No | Not implemented |
| GRC-06.1 | GRC-06 | GRC | No | Not implemented |
| GRC-07.1 | GRC-07 | GRC | No | Not implemented |
| GRC-07.2 | GRC-07 | GRC | No | Not implemented |
| GRC-08.1 | GRC-08 | GRC | No | Not implemented |
| GRC-09.1 | GRC-09 | GRC | No | Not implemented |
| GRC-09.2 | GRC-09 | GRC | No | Not implemented |
| GRC-10.1 | GRC-10 | GRC | No | Not implemented |
| GRC-11.1 | GRC-11 | GRC | No | Not implemented |
| GRC-12.1 | GRC-12 | GRC | No | Not implemented |
| GRC-13.1 | GRC-13 | GRC | No | Not implemented |
| GRC-14.1 | GRC-14 | GRC | No | Not implemented |
| GRC-15.1 | GRC-15 | GRC | No | Not implemented |
| HRS-01.1 | HRS-01 | HRS | No | Not implemented |
| HRS-01.2 | HRS-01 | HRS | No | Not implemented |
| HRS-01.3 | HRS-01 | HRS | No | Not implemented |
| HRS-02.1 | HRS-02 | HRS | No | Not implemented |
| HRS-02.2 | HRS-02 | HRS | No | Not implemented |
| HRS-03.1 | HRS-03 | HRS | No | Not implemented |
| HRS-03.2 | HRS-03 | HRS | No | Not implemented |
| HRS-04.1 | HRS-04 | HRS | No | Not implemented |
| HRS-04.2 | HRS-04 | HRS | No | Not implemented |
| HRS-05.1 | HRS-05 | HRS | No | Not implemented |
| HRS-06.1 | HRS-06 | HRS | No | Not implemented |
| HRS-07.1 | HRS-07 | HRS | No | Not implemented |
| HRS-08.1 | HRS-08 | HRS | No | Not implemented |
| HRS-09.1 | HRS-09 | HRS | No | Not implemented |
| HRS-10.1 | HRS-10 | HRS | No | Not implemented |
| HRS-11.1 | HRS-11 | HRS | No | Not implemented |
| HRS-11.2 | HRS-11 | HRS | No | Not implemented |
| HRS-12.1 | HRS-12 | HRS | No | Not implemented |
| HRS-13.1 | HRS-13 | HRS | No | Not implemented |
| HRS-14.1 | HRS-14 | HRS | No | Not implemented |
| HRS-14.2 | HRS-14 | HRS | No | Not implemented |
| HRS-15.1 | HRS-15 | HRS | No | Partially |
| IPY-01.1 | IPY-01 | IPY | No | Not implemented |
| IPY-01.2 | IPY-01 | IPY | No | Not implemented |
| IPY-02.1 | IPY-02 | IPY | No | Not implemented |
| IPY-03.1 | IPY-03 | IPY | No | Not implemented |
| IPY-04.1 | IPY-04 | IPY | No | Not implemented |
| STA-01.1 | STA-01 | STA | No | Partially |
| STA-01.2 | STA-01 | STA | No | Partially |
| STA-02.1 | STA-02 | STA | No | Not implemented |
| STA-02.2 | STA-02 | STA | No | Not implemented |
| STA-03.1 | STA-03 | STA | No | Not implemented |
| STA-04.1 | STA-04 | STA | No | Not implemented |
| STA-05.1 | STA-05 | STA | No | Not implemented |
| STA-06.1 | STA-06 | STA | No | Not implemented |
| STA-07.1 | STA-07 | STA | No | Not implemented |
| STA-08.1 | STA-08 | STA | No | Partially |
| STA-09.1 | STA-09 | STA | No | Not implemented |
| STA-09.2 | STA-09 | STA | No | Not implemented |
| STA-10.1 | STA-10 | STA | No | Not implemented |
| STA-11.1 | STA-11 | STA | No | Not implemented |
| STA-12.1 | STA-12 | STA | No | Not implemented |
| STA-13.1 | STA-13 | STA | No | Not implemented |
| STA-14.1 | STA-14 | STA | No | Not implemented |
| STA-15.1 | STA-15 | STA | No | Not implemented |
| STA-16.1 | STA-16 | STA | No | Not implemented |
| TVM-01.1 | TVM-01 | TVM | No | Partially |
| TVM-01.2 | TVM-01 | TVM | No | Partially |
| TVM-02.1 | TVM-02 | TVM | No | Not implemented |
| TVM-02.2 | TVM-02 | TVM | No | Not implemented |
| TVM-03.1 | TVM-03 | TVM | No | Not implemented |
| TVM-04.1 | TVM-04 | TVM | No | Not implemented |
| TVM-04.2 | TVM-04 | TVM | No | Not implemented |
| TVM-05.1 | TVM-05 | TVM | No | Not implemented |
| TVM-06.1 | TVM-06 | TVM | No | Not implemented |
| TVM-07.1 | TVM-07 | TVM | No | Not implemented |
| TVM-08.1 | TVM-08 | TVM | No | Not implemented |
| TVM-09.1 | TVM-09 | TVM | No | Not implemented |
| TVM-10.1 | TVM-10 | TVM | No | Not implemented |
| TVM-11.1 | TVM-11 | TVM | No | Not implemented |
| TVM-12.1 | TVM-12 | TVM | No | Not implemented |
| TVM-13.1 | TVM-13 | TVM | No | Not implemented |
| TVM-13.2 | TVM-13 | TVM | No | Not implemented |
7 · Limitations
What this pack is not
- Not a CSA STAR for AI registry submission or listing.
- Not an independent audit, attestation, or Big-4 opinion.
- Not a full 320-question AI-CAIQ; Phase-1 GRA domains only.
- Fictional organisation; answers are illustrative and aligned to the Initech GRA diagnostic sample.
- Related lenses: ISO stack and NIST stack use the same AICM postures.