The AI governance document that matters most may not be the policy. It may be the approval form.
The policy describes what should happen. The approval form determines what does. If a question is on the form, it gets answered. If it is not on the form, it does not exist in the approval record — regardless of what the policy says.
Episode 6 introduced the AI Risk Assessment Checklist as a pre-approval instrument. The next question is simple: how does your current approval form compare? Not in theory. In writing.
This issue is the audit. Pull the real form your investment committee, capital committee, or AI governance body uses today. Run it through the four sections below. What is missing tells you where the form is weak.
HOW TO USE THIS AUDIT
Pull one document — the AI investment approval form your organization uses today. The actual file, the actual fields, the actual sign-off chain. Not the policy. Not the description. The form.
Work through the four sections in order. For each, decide whether your form is Present, Adjacent, or Absent. That distinction is the audit. A field that asks the wrong question will not surface the right risk.
Present — the form asks the question and returns the diagnostic the checklist is designed to surface. Adjacent — the form asks something nearby but returns a different answer. Absent — the form does not ask the question at all.
The pattern across all four sections — not the count of Absents — is the diagnostic. Where the absences cluster is where the form is weakest.
A common pattern is that operational risk gets priced, while regulatory and vendor risk stay outside the approval record. The form treats AI as an internal performance question and leaves the external exposure unwritten.
SECTION A. Classification
Core question: Does your approval form return a quadrant assignment with a prescribed governance architecture — or only a risk rating?
• Does the form capture deployment autonomy — whether a human reviews each output before consequence, or the system acts at scale with aggregate review only?
Autonomy is one of the two axes that determine the governance requirement. A risk rating that does not capture this axis cannot return a quadrant.
• Does the form capture reversibility of consequence — whether incorrect outputs are catchable before material harm, or harm occurs before correction?
Reversibility is the second axis. Together with autonomy, it places the investment in one of four quadrants. Without both, the form is rating risk without measuring it.
• Does the form combine the two axes into a quadrant assignment with a prescribed governance architecture attached — committee oversight, board reporting, or monitoring?
Quadrant assignment is the diagnostic. A form that stops at a risk rating is adjacent; a form that maps the rating to a governance requirement is present.
What this returns: Present = the form maps the AI investment to a governance quadrant before approval. Adjacent = a risk rating that does not bind to a governance requirement. Absent = no classification logic on the form at all. Adjacent is the risky middle ground here. It signals governance without actually creating it.
SECTION B. Evidence Discipline
Core question: Does your approval form make the performance claim testable — and assign someone to test it?
• Does the form capture the specific, time-bound, measurable performance claim being approved — not the expected ROI, but the claim about what the AI system will do?
The Promise Layer is the claim itself. If the form captures only expected outcomes or success metrics in free-text, the claim is not testable and cannot be governed.
• Does the form capture the test date and the named individual responsible for measuring the claim against actual evidence?
Without a test date, no measurement occurs. Without a named owner, no one is accountable for the measurement. The Accountability Layer is built from both.
• Does the form capture the evidence threshold at which the investment is paused or restructured — the trigger point for the governance response?
An evidence threshold makes the governance response automatic at the moment the claim is missed by a defined margin. Without it, the response is discretionary, which means it is reactive.
What this returns: Present = the form binds a testable claim to a named owner and a test date with a defined threshold. Adjacent = a “success metrics” field that captures the claim but not the testing infrastructure. Absent = the claim itself is never written in approval-grade language. This gap can sit inside an otherwise polished business case. The ROI line is filled in. The testing structure is not.
SECTION C. Regulatory Exposure
Core question: Does your approval form return a regulatory exposure determination with a priced obligation stack — or only a compliance signoff?
• Does the form capture an EU AI Act Annex III scope determination — in scope or out, with the specific category if in scope?
The Annex III determination is binary. A “regulatory considerations: yes / no” field is adjacent — it signals regulation has been thought about but does not return the specific exposure.
• Does the form capture the role assignment — provider, deployer, or both via Article 25 substantial modification?
Article 25 is one of the easiest determinations to miss. A deployer who substantially modifies a vendor-built system becomes a provider mid-lifecycle. The form should capture the determination even when the interpretation is still open.
• Does the form capture the applicable obligation components with named cost owners — risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and cybersecurity, post-market monitoring, and Article 27 FRIA where applicable?
If no owner is named, the obligation usually lands on whoever is closest to the system when audit or incident pressure arrives. Sector-specific obligations outside the EU AI Act follow the same logic — the form should route the investment into the relevant regime, not just acknowledge one exists.
What this returns: Present = the form returns the scope determination, the role, and the priced obligation stack with named owners. Adjacent = a compliance checkbox without the underlying determinations. Absent = no regulatory field on the form. The audit standard is whether the form creates a record of the determination — not whether the regulatory interpretation is settled.
SECTION D. Vendor & Contract
Core question: Does your approval form return contract risk allocation that survives the renewal cycle — or only a vendor selection rationale?
• Does the form ask whether the vendor contract explicitly addresses responsibility for incorrect outputs, regulatory non-compliance, and Article 25 substantial-modification risk?
Many AI vendor contracts were negotiated before current AI-specific regulatory obligations were fully reflected in standard terms. Where the contract is silent, the risk lands on whichever party is closest to the system at audit or incident. The form should surface that default before approval, not after.
• Does the form capture the next renewal date and whether AI-specific clauses are durable through it, or reset to vendor standard terms at renewal?
A clause that exists today and disappears at renewal is a clause that does not exist. Renewal is the natural point to allocate pass-through risk. If the form does not capture the renewal date, the action trigger is invisible.
• Does the form capture switching costs and data portability — what it would take to exit this vendor relationship, and what would be lost in the exit?
Switching cost is the practical ceiling on the organization’s exit option. A form that captures the entry decision but not the exit cost is documenting the commitment without measuring the constraint.
What this returns: Present = the form allocates risk across the three failure modes, captures renewal durability, and prices the exit option. Adjacent = a vendor justification field or a legal review checkbox that documents the relationship without allocating its risk. Absent = no vendor or contract field at all. Section D is often where an Absent answer lasts the longest, because contract exposure can carry through renewal cycles and deepen vendor dependency.
APPLIED EXAMPLE
Consider a regional bank that approved an AI-powered loan underwriting model during the FY2026 capital cycle. The investment is in implementation; the vendor contract was signed in 2024; the next renewal sits in Q4 2026. The approval form used to greenlight the investment is the same form the bank has used for software investments for the last five years.
Running the audit against that form:
Section A (Classification): The form has a one-line risk rating field — low / medium / high — set by the requesting business unit. There is no autonomy axis, no reversibility axis, no quadrant assignment. → ADJACENT.
Section B (Evidence Discipline): The form has a “success metrics” free-text field and an “expected ROI” field. It does not capture a testable performance claim, a test date, a named measurement owner, or a pause threshold. → ABSENT.
Section C (Regulatory Exposure): The form has a “regulatory review required: yes / no” checkbox routed to compliance. There is no Annex III scope field, no provider/deployer role assignment, no obligation cost line. Compliance signed off with a one-line memo. → ADJACENT, with the obligation cost effectively unowned.
Section D (Vendor & Contract): The form has a “preferred vendor justification” field completed at intake and a “legal review complete” checkbox. There is no field for substantial-modification risk allocation, no renewal-date capture, no clause-durability check, no switching-cost estimate. → ABSENT.
Diagnosis: Two ABSENT, two ADJACENT. The absences cluster on Section D (Vendor & Contract) and Section B (Evidence Discipline). The Adjacents on A and C give the appearance of governance without the diagnostic — a risk rating without a quadrant, a compliance checkbox without an obligation cost. The Q4 2026 vendor renewal is the highest-leverage moment to close the Section D gap: the clauses for substantial-modification allocation, renewal durability, and switching-cost disclosure must be drafted before the renegotiation opens, not after. The Section B gap is the next item — the form needs a testable claim, a test date, and a named owner before the next AI investment enters the queue. The bank does not need a new policy. It needs four new fields on the existing form.
THREE QUESTIONS TO ASK MONDAY
Pull the AI investment approval form your organization actually uses today. Run the audit. Which section returned the most ABSENT determinations?
The absence pattern is the diagnostic. If three of four sections are Absent, the form has not been updated since AI entered the portfolio. If one section is Absent, that section is the next field to add.
For the section with the most absences — what specifically would need to change on the form? Not the policy. The form. Who owns the document, and what is the version-control process?
Policy revision and form revision are two different workflows. The form is usually owned by finance, the PMO, or governance — not by the policy author. Identify the form owner before the next governance meeting.
Which vendor contract currently in your portfolio represents the highest unallocated AI risk — and when is its next renewal date?
Renewal is the natural action trigger. If the renewal is inside the next two quarters and the substantial-modification clause has not been drafted, the negotiation will open with the risk where it sits today — unassigned.
WHAT’S NEXT
The audit surfaces the absences. The next question is which absence to close first. Across the four sections, Section D — Vendor & Contract — is the section most likely to surface durable multi-year exposure that is invisible on the current form. Vendor dependency is not a procurement question. It is a capital architecture question with a renewal clock attached.
Episode 7 will move into vendor dependency as its own subject: lock-in, pass-through risk, renewal-cycle exposure, switching costs, and the point at which an AI vendor relationship becomes a long-term strategic constraint rather than a near-term capability decision.
Newsletter Issue #7 will accompany Episode 7 with a Vendor Dependency Index — a six-dimension scoring instrument for your highest-leverage AI vendor relationships.
Watch Episode 6. Episode 6 walks through the Pre-Approval AI Investment Checklist. If this audit surfaced a gap on your current approval form, forwarding this issue to the person who owns that form is the most useful next step.
