If an auditor showed up in90 days, would you pass?
Most teams don't know until someone asks. This triage scores your AI program across seven control domains and gives you a straight answer — AUDIT-READY, PATCHABLE, or WOULD NOT PASS — plus the one thing to fix first. With a gate that catches the failure auditors find fastest: a control nobody owns.
A readiness self-assessment and decision aid — not legal advice and not an audit opinion. It does not certify compliance. Confirm scope and evidence with your own counsel or auditor.
Most teams find their gaps the same day the auditor does.
Of organizations say they couldn't pass an AI governance audit on a 90-day notice. The evidence exists in pieces; nobody's assembled it.
The first question in any control review. A domain with great documentation and no accountable owner fails on the spot.
The window a customer's security review or a regulator typically gives you. You want to know your answer before the clock starts.
Score the domains. Get the verdict.
No-owner gate: 1 in-scope domain has no named owner. That fails the audit regardless of the score.
Tap an evidence cell (0–3), flip an owner, or drop a domain out of scope and watch the verdict move. Worked example as of 2026-06-25.
| Control domain | Wt | Evidence | Owner | In scope |
|---|---|---|---|---|
| AI system & use-case inventory | 18 | |||
| Named owner & accountability | 14 | |||
| Acceptable-use policy & approvals | 14 | |||
| Output record-keeping & audit trail | 16 | |||
| Vendor & sub-processor governance | 14 | |||
| Risk assessment & monitoring | 14 | |||
| Staff AI-literacy / training record | 10 |
Same math as the workbook: weighted evidence renormalized over the in-scope domains, and a no-owner gate that forces WOULD NOT PASS when any in-scope control lacks a named owner — the way the shipped example scores 92 yet still fails. A readiness self-assessment, not legal advice or an audit opinion.
Five companies. One uncomfortable result.
This is the shipped example, scored by the same engine behind the workbook and the demo. Read Meridian Health closely: it scores 92 out of 100 — comfortably above the AUDIT-READY floor — and still lands WOULD NOT PASS, because one control domain has no named owner. The score alone would have waved it through. The gate didn't.
"Pass a 90-Day AI Audit?" Readiness Triage (as-of 2026-06-25) ================================================================== Meridian Health readiness 92 -> WOULD NOT PASS [GATE: vendor governance has no owner] Northwind SaaS readiness 59 -> PATCHABLE fix: training record Apex Logistics readiness 25 -> WOULD NOT PASS fix: record-keeping Cobalt Fintech readiness 95 -> AUDIT-READY Driftwood Agency readiness 19 -> WOULD NOT PASS fix: ownership
Three rules keep the verdict honest.
Any in-scope domain with no named owner fails the audit — full stop. It's the control auditors test first, so it gates the verdict.
Mark a domain out of scope when it genuinely doesn't apply; the weights renormalize over what's left. No padding, no distortion.
Every verdict names the single highest-leverage gap — the ownerless control if the gate fired, else the weakest evidence.
A readiness read, not a compliance certificate.
- A cross-domain triage of whether you'd pass a 90-day audit.
- An accountability gate that catches ownerless controls.
- A remediation runbook that sequences the fixes — owners first.
- An audit opinion or a compliance certification.
- Tied to one framework — it triages the domains they share.
- Legal advice. It tells you where you stand; your counsel rules on sufficiency.
A readiness self-assessment and decision aid — not legal advice and not an audit opinion. It does not certify compliance. Confirm scope and evidence with your own counsel or auditor.
Whoever has to answer when the request lands.
Triage first, then go deep where you're weak.
Go deep on the record-keeping domain: who generated what, reviewed by whom.
ViewClose the vendor-governance gap with a defensible data-flow register.
ViewBuild the full framework once the triage shows you're serious.
ViewEverything else you'd ask before buying.
Any review where someone asks for evidence that your AI is governed — a customer's vendor-risk or security review, a SOC 2 / ISO readiness check, an insurer's questionnaire, or a regulator's request. The triage isn't tied to one framework; it scores the seven control domains those reviews share — inventory, ownership, policy, record-keeping, vendor governance, risk, and training — so you get one cross-domain read on whether you'd pass.
Because accountability is a gate, not a line item. Any in-scope control domain with no named owner forces a WOULD NOT PASS verdict regardless of the score — that's the failure auditors find fastest, since “who owns this?” is the first question in a control review. In the shipped example, Meridian Health scores 92 but its vendor-governance domain has no owner, so it fails. A strong score can't paper over a control nobody is accountable for.
AUDIT-READY: every in-scope domain is owned and your weighted readiness is 80 or above — you'd likely pass. PATCHABLE: everything is owned but the evidence is thin (readiness 55–79) — fixable inside the 90-day window. WOULD NOT PASS: either a domain has no owner (the gate fired) or readiness is below 55. Every verdict also names the single domain to fix first — the ownerless control if the gate fired, otherwise the weakest evidence.
This sits above them. The AI Output Audit-Trail Kit goes deep on record-keeping, the Vendor & Sub-Processor Data-Flow Register goes deep on vendor governance, the AI Literacy kit evidences training, and the NIST AI RMF kit builds the full framework. This triage is the cross-domain rollup that tells you which of those domains is your weakest — the front-door “which gap do I close first” read that routes you into the right deep kit. Run it first, then go deep where you're weak.
Yes. Flag a domain out of scope when it genuinely doesn't apply to you, and the weights renormalize over what's left — no padding, no distortion. One guardrail: an out-of-scope domain can't fire the no-owner gate, so dropping a domain just to dodge the accountability check won't help. Scope it honestly and the verdict stays meaningful.
No. It's a readiness self-assessment and decision aid — not legal advice, an audit opinion, or a compliance certification, and it doesn't certify anything. It tells you where you'd stand and where to focus; your own counsel or auditor rules on whether the evidence is sufficient. The file is one .xlsx plus a Facilitator Playbook and a 90-Day Remediation Runbook, deterministic and offline.
Know your answer
before they ask.
One purchase, lifetime access, 12 months of updates. $79, once.
A readiness self-assessment and decision aid — not legal advice and not an audit opinion. It does not certify compliance. Confirm scope and evidence with your own counsel or auditor.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai