IMPROVE
Owner: AI Governance Committee / Risk Management / Process Improvement
Continuous AI Improvement & Maturity
Drive maturity through structured reviews, gap analysis, post-incident learning, and continuous alignment with evolving frameworks and organizational goals.
Framework Mapping
Controls from each source framework that map to this domain.
| Framework | Mapped Controls |
|---|---|
| ISO 42001 | Cl.10 Improvement; A.8 Data for AI Systems |
| NIST AI RMF | GV-4 Org Culture; MG-3 Manage AI Risks |
| OWASP | Cross-cutting (all LLM and Agentic controls inform improvement cycles) |
Controls
7 controls across Tier 1 (essential) and Tier 2 (advanced).
| Control | Tier | Mapped Controls |
|---|---|---|
| AI Governance Maturity Model | Tier 1 | ISO Clause 10; NIST GV-4 |
| Post-Incident Review | Tier 1 | ISO Clause 10 |
| Framework Update Tracking | Tier 2 | NIST GV-4 |
| Retraining Governance | Tier 2 | ISO A.8; NIST MG-3 |
| Gap Remediation Workflow | Tier 1 | ISO Clause 10 |
| Annual Review Checklist | Tier 1 | ISO Clause 9; ISO Clause 10 |
| Lessons Learned Process | Tier 2 | |
Audit Checklist
Quick-reference checklist items grouped by control.
AI Governance Maturity Model
- ☐ Maturity model adopted or developed with clear level definitions
- ☐ Annual assessment conducted with evidence-based scoring
- ☐ Gap analysis completed identifying specific improvements needed
- ☐ Roadmap created prioritizing gaps with owners and deadlines
- ☐ Quarterly progress tracked showing advancement toward next level
Post-Incident Review
- ☐ Post-incident review process defined with trigger criteria
- ☐ Reviews completed within 5 days for all major incidents
- ☐ Root cause analysis documented using a structured method (5 Whys, Fishbone)
- ☐ Corrective actions defined with owners and deadlines, tracked to completion
- ☐ Lessons learned shared with the team and incorporated into training/runbooks
Framework Update Tracking
- ☐ Subscribed to update channels for all relevant frameworks
- ☐ Quarterly reviews conducted with summaries of changes
- ☐ Gap analysis completed assessing impact on controls
- ☐ Control updates documented with version history
- ☐ Training materials refreshed to reflect framework updates
Retraining Governance
- ☐ Retraining governance process defined with trigger criteria
- ☐ Recent retraining has change tickets with all required fields
- ☐ Validation testing conducted with documented results and approvals
- ☐ Deployments follow the standard process (canary, versioning, rollback)
- ☐ Stakeholders notified of retraining with an impact summary
Gap Remediation Workflow
- ☐ Gap remediation workflow defined and documented
- ☐ All identified gaps logged in the central tracker
- ☐ Gaps prioritized by risk with leadership approval
- ☐ Owners assigned and deadlines set for all gaps
- ☐ Verification completed for closed gaps with evidence on file
Annual Review Checklist
- ☐ Annual review process defined with comprehensive scope
- ☐ Review completed covering all required sections
- ☐ Data sources documented and metrics pulled from authoritative systems
- ☐ Report presented to executive leadership and the board/audit committee
- ☐ Approval decisions documented with follow-up actions tracked
Lessons Learned Process
- ☐ Lessons learned process defined with template and cadence
- ☐ Retrospectives conducted for incidents and major projects
- ☐ Quarterly synthesis completed identifying common themes
- ☐ Lessons published to the knowledge base and tagged/searchable
- ☐ Training and runbooks updated incorporating lessons learned