The AI Governance Readiness Snapshot is a fixed-fee diagnostic that inventories your AI, classifies each system by risk, runs an audit-readiness gap assessment against the supervisory expectations you answer to, and hands you a prioritized remediation roadmap. This page walks through what that deliverable looks like, component by component, using a redacted, anonymized sample so you can see the artifact before you scope.
Every value below is invented to show structure: no real client, no real system, no real data. The Snapshot is readiness evidence and a roadmap, not a certification and not a guarantee that you pass an exam.
This is a redacted sample of the Snapshot deliverable, not a real engagement output. It names no client; every system, owner, vendor, and finding is invented to show structure. Real Snapshots go only to the client under a signed SOW and MSA.
The first deliverable is an AI system inventory and use-case register covering up to five in-scope systems, including shadow deployments. Every value below is redacted or illustrative.
| System [sample] | Owner | Purpose | Data touched | Vendor | Risk tier |
|---|---|---|---|---|---|
| SYS-001 | Model Risk [redacted] | Pre-screens consumer loan applications | Consumer PII, credit-bureau data [sample] | [redacted vendor] | Tier 1 |
| SYS-002 | Retail Banking [redacted] | GenAI copilot drafting customer email and marketing copy | Internal docs, customer names [sample] | [redacted vendor] | Tier 2 |
| SYS-003 | Financial Crime [redacted] | Scores transactions for fraud risk | Transaction data, NPI [sample] | [redacted vendor] | Tier 1 |
| SYS-004 | Operations [redacted] | Agentic assistant chaining tools to reconcile records | Internal ledgers [redacted] | In-house [sample] | Tier 2 |
Each system gets a stable identifier, owner, purpose, data, origin, and risk tier. The register is the spine of the engagement: every later component references these identifiers.
Each system is tiered by impact and regulatory exposure. The tier drives how much scrutiny and evidence it needs, so a credit-decision model is not governed like a tool that drafts internal email.
| Tier | What lands here | Why |
|---|---|---|
| Tier 1 | Systems that inform a credit, pricing, or capital decision, or that touch consumers directly | Highest exposure: fair-lending and consumer-protection duties apply, and any underlying traditional model stays inside SR 26-2 model-risk scope. |
| Tier 2 | Generative and agentic assistants that draft, summarize, or take internal actions | Outside SR 26-2 scope, but governed under third-party risk, UDAP, and the institution's own risk practices. Needs an acceptable-use policy and human review. |
| Tier 3 | Low-impact internal productivity tools with no consumer or decision exposure | Inventoried and monitored, not over-governed. Light-touch controls keep the program proportionate. |
SYS-001 is Tier 1 because it informs a consumer credit decision, which creates fair-lending exposure under ECOA and Regulation B, and because it wraps a traditional scoring model that stays in scope for SR 26-2. The generative front end is governed under the institution's adapted risk practices; the underlying model is governed as a model.
The crosswalk maps each AI control to the framework that governs it and the evidence that proves it. Document once, tag twice: one control set answers several regimes. The sample rows use accurate frameworks.
| AI system control [sample] | Framework it maps to | Evidence |
|---|---|---|
| Independent validation of the credit-underwriting model, with disparate-impact testing | SR 26-2 model risk (in-scope model) and fair lending under ECOA / Regulation B | Validation report, challenger-model results, fair-lending testing memo [sample] |
| Vendor due diligence and a contractual right to test the vendor model | 2023 interagency third-party risk management guidance | Vendor risk assessment, security questionnaire, contract-clause register [redacted] |
| Acceptable-use policy and a documented human-review step for the GenAI copilot | Outside SR 26-2 scope; governed under third-party risk and UDAP, organized with NIST AI RMF GOVERN | Acceptable-use policy, attestation log, output-review checklist [sample] |
| Access controls and audit logging on the platform that processes NPI | NYDFS Part 500 (23 NYCRR 500) and the GLBA Safeguards Rule | Access-review records, log-retention configuration, encryption evidence [sample] |
One control set, evidenced once, answering several regimes. We map onto the controls you already run; we do not build a parallel program.
Every gap is a numbered finding with a severity and a remediation note an engineer can act on and a risk committee can follow. These three are illustrative but realistic.
| Finding | Severity | What we found, and the remediation [sample] |
|---|---|---|
| G-01 | High | Shadow GenAI: staff draft customer communications in a public LLM, no acceptable-use policy, no human review. UDAP and data-handling exposure. Remediation: publish an AUP, route to an approved tool, add a review step (NIST AI RMF GOVERN). |
| G-02 | High | The in-scope credit-underwriting model lacks current independent validation and disparate-impact testing. Remediation: commission independent validation and fair-lending testing (ECOA / Reg B); refresh documentation to SR 26-2. |
| G-03 | Medium | No contractual right to test, or to receive change notice for, a third-party fraud-scoring model. Remediation: add audit and testing rights and a change-notice clause at renewal (2023 interagency third-party risk guidance). |
Severity reflects exposure and likelihood, not fix difficulty. A High is what an examiner, the board, or a buyer would expect closed; a full Snapshot usually surfaces more than the three shown here.
The findings are sequenced into a 90-day roadmap that closes the highest-risk gaps first. The sample sequence below shows how the three findings above would be ordered.
1. Publish the acceptable-use policy, stand up an approved path for the GenAI copilot, and add the human-review step. Closes G-01, the highest-likelihood exposure, at the lowest lift.
2. Commission independent validation and fair-lending testing on the credit-underwriting model and refresh its documentation. Closes G-02 and brings the Tier 1 system back inside defensible model-risk practice.
3. Negotiate testing and change-notice rights for the fraud-scoring vendor at renewal (G-03), set a quarterly tiering-and-monitoring cadence, and assemble the audit-evidence pack so the program stays current.
The Snapshot ships with a one-page executive brief for a board, a risk committee, or an examiner conversation. It is the summary you hand up the chain. Here is what the single page contains.
Scope and coverage. The systems assessed, by identifier, and the frameworks the assessment was anchored to: SR 26-2 in-scope model risk, third-party risk, fair lending, and NIST AI RMF, with Part 500 or GLBA where the institution is covered.
Readiness posture. Where the program stands today, stated as audit-readiness, not as a guarantee of passing any exam.
Top risks and roadmap. The High and Medium findings ranked by severity, in plain language, with the 90-day remediation sequence, owners, and timing.
What this is. A plain statement that the deliverable is readiness evidence and a roadmap. DSE prepares the program for audit and does not certify, attest, or guarantee an outcome.
The Snapshot runs in four phases over four to six weeks, covering up to five in-scope AI systems within the fixed fee. The six components above are built on your systems instead of these illustrative ones.
Wider context: the AI governance for financial services pillar guide shows which authority governs which AI use, and the AI Governance Readiness service page covers the full offer ladder, timeline, and fee framing.
The six components above: a defensible AI inventory and use-case register, a risk classification that tiers each system, a control crosswalk mapping each control to the framework it answers and the evidence behind it, gap findings with severity and remediation notes, a prioritized 90-day roadmap, and a one-page board and examiner-facing brief. It is readiness evidence and a roadmap, not a certification.
Four to six weeks, in four phases: scope, discovery and inventory, gap analysis and control crosswalk, then roadmap and readout. It covers up to five in-scope AI systems within the fixed fee.
A fixed fee, scoped in a 30-minute discovery call, for up to five in-scope AI systems. Additional systems, frameworks, or environments are scoped separately. We publish fixed fees because the scope is fixed: you buy a defined deliverable, not an open-ended retainer.
No. DSE provides readiness and advisory control-mapping, not certification. We are not an accredited certification body, we do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance, and we cannot guarantee passing an audit or avoiding enforcement. The Snapshot gets you audit-ready and assembles the evidence; the certificate, where one exists, comes from an accredited body.
You have seen the artifact. Tell us which AI systems are in scope and which supervisory or procurement pressure you are answering, and a principal will scope a fixed-fee Snapshot in a 30-minute call. The person who scopes it is the person who runs it.
This page is an illustrative, anonymized sample of the Snapshot deliverable. It is not the output of a real engagement, it names no client, and every value on it is invented to show structure. Real Snapshots are confidential and go only to the client under a signed SOW and MSA.
DSE provides AI governance and compliance readiness consulting. We are not an accredited certification body, we do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance, and we do not guarantee passing an audit or avoiding enforcement. We prepare your program for audit and assemble the evidence. We do not provide legal advice and work alongside your counsel. Where we describe "mapping to" SR 26-2, third-party risk, fair lending, NYDFS Part 500, GLBA, or NIST AI RMF, that means advisory alignment, not certification. All engagements are governed by a signed SOW / MSA with a limitation of liability.