Certifying Data and AI Programs
Audit Committee Brief · AI Governance · 2026

Certifying your data and AI programs before the board asks.

Chander Dhall
Builder • Leader • Speaker

A short, audit-grade method for Board, Audit, and Governance owners. Turn a confident vendor pitch and a busy program into a dated evidence pack, signed ownership record, release-gate history, and board brief designed for external review. 90 days. Documented gates.

90-day path
The question behind the question

If this AI release goes wrong next quarter, can you show what was approved, by whom, and why?

Audit committees do not want a tour of the model. They want a paper trail a regulator, plaintiff, or member of the press would accept. Most programs cannot produce one in under 24 hours.

Risk

Vendor demos as evidence

A confident slide is treated as readiness. Procurement closes. Controls arrive late, if at all.

Friction

Policies no system can run

Written governance lives in a binder. Engineering cannot execute it. Exceptions accumulate quietly.

Control

Certified gates change behavior

Funding, release, and remediation tie to evidence. The release decision becomes auditable on its face.

Executive snapshot

The pressure on Audit and Risk Committees is already here.

Four numbers from independent research and regulators. Each one lands in an Audit Committee inbox. None is a vendor talking point.

GenAI ROI 95%

of enterprise GenAI pilots produce zero measurable P&L impact.

MIT Project NANDA, 2025
EU AI Act EUR 35M

maximum fine, or 7% of global turnover, whichever is higher, for prohibited AI uses.

EU AI Act, Art. 99
SEC posture 2 advisers

charged by the SEC in March 2024 over allegedly misleading AI claims. The agency calls this "AI washing" and has signaled continued scrutiny.

SEC, March 2024
NACD signal Persistent

director concern about board readiness for AI oversight, in surveys from the National Association of Corporate Directors.

NACD director surveys, 2023-2024

Numbers presented for orientation. Each citation appears with a verifiable URL on the Sources slide and the corresponding pages of the full report.

Owner alignment

Audit owns the evidence standard. Delivery operationalizes it.

Engineering and the CIO function are measured on velocity, cost, and feature parity. The Audit Chair, Risk Committee, and General Counsel are measured on defensibility. The first economic sponsor for a certification effort is usually the owner accountable for evidence, risk acceptance, and external review.

Audit Chair

Wants a clean opinion

Needs control owners, evidence retention, and a tested gate before the next external audit, ISO 42001 review, or SOX/ICFR cycle where AI touches financial reporting.

Risk Committee

Wants a defensible record

Needs documented decisions, model inventory, and incident playbooks tied to the company's risk appetite statement.

General Counsel

Wants reduced exposure

Needs clear approval records, vendor diligence files, and disclosures aligned with SEC and EU AI Act language.

The certification model

Four artifacts decide whether an AI program is auditable.

Not a model card. Not a demo. The audit posture rests on four artifacts the committee can read in a sitting and external reviewers can sample on their own schedule.

Inventory Model and data register

Every AI use case, model, dataset, vendor, owner, decision impact, and exit criteria, in one signed register.

Gates Release-of-funds gates

Funding, deployment, and exception approval are tied to documented readiness thresholds, not opinions.

Evidence Decision and exception log

Every approval, override, retrain, and incident is captured as a record a regulator can read in plain English.

Brief Board-ready brief

A 10 to 12 page document the Audit Chair can hand to a regulator, plaintiff, or external auditor without translation.

Recurring audit gaps

An uncertified AI program leaks evidence at five places.

These are the categories an internal auditor will sample first. Each is aligned to NIST AI RMF GOVERN and MANAGE functions and ISO/IEC 42001 planning and operational-control requirements. Each is what the engagement is designed to close, bound, or convert into an owned remediation plan.

Gap 1 Inventory

Models, datasets, vendors, and decision impacts with no named human owner. Aligned to NIST AI RMF GOVERN function.

Gap 2 Release

Deployments approved on a Slack thread or vendor demo, with no documented readiness gate. Aligned to NIST AI RMF MANAGE function.

Gap 3 Exceptions

Open-ended waivers that never expire. Treated by external reviewers as permanent risk acceptance with no rollup.

Gap 4 Procurement

Vendor contracts moving without an AI-specific diligence pack. Standard SOC 2 templates do not cover model risk or training data.

Gap 5 Reporting

No short document an Audit Chair can read cold and follow. Vendor decks are not a substitute for an audit-grade record.

Gap categories aligned to NIST AI RMF 1.0 plus the Generative AI Profile, ISO/IEC 42001:2023, and ISACA's Auditing Artificial Intelligence guidance. References on the Sources slide.

Side by side

What changes when a program is certified.

A short comparison the Audit Chair can read in 60 seconds. The certified-program entry in each row is what the engagement leaves behind.

Model inventory
  Uncertified program: Unknown count, scattered owners.
  Certified program: Signed register with owners, exits, and approvals.
  Audit posture: Defensible.

Vendor diligence
  Uncertified program: Procurement template with an AI sticker.
  Certified program: AI-specific evidence pack and exit clause.
  Audit posture: Reviewable.

Release decision
  Uncertified program: Verbal sign-off in a Slack channel.
  Certified program: Documented gate tied to readiness thresholds.
  Audit posture: Auditable.

Exception handling
  Uncertified program: Open-ended waivers, no expiry.
  Certified program: Time-bound, owned, and rolled up to the committee.
  Audit posture: Bounded.

Incident response
  Uncertified program: Blame, then silence.
  Certified program: External lesson release and internal controls package.
  Audit posture: Credible.

Board reporting
  Uncertified program: Vendor slides, dashboards no one signs.
  Certified program: 10 to 12 page brief signed by the program owner.
  Audit posture: Plain English.

90-day certification motion

From exposure to evidence pack, in three phases.

A senior cross-functional team enters the program, exposes what is missing, remediates the gaps, and leaves the Audit Committee with a dated evidence pack, signed brief, and operating cadence designed for external review.

Expose

Inventory models, datasets, vendors, decisions, owners, and the contracts already in flight. Identify the gates that do not yet exist.

Remediate

Stand up the register, release gates, vendor diligence pack, exception log, and incident ritual. Train staff on the new cadence.

Certify

Hand the Audit Committee a signed brief, evidence pack, and operating cadence. Leave the organization with a repeatable internal cadence.

Certification here means an evidence-readiness process and a board-facing evidence pack. It is not an ISO/IEC 42001 certification, a legal opinion, or an independent audit opinion.

What the committee receives

Eight artifacts. One audit-grade record.

Each item is concrete, owned, and dated. None is a slide deck about a slide deck.

Signed model and data register
Release-of-funds gate definitions
Vendor diligence evidence pack
Decision and exception log
Policy-as-code rule set
Incident response ritual and runbook
Staff training artifacts and attestation
10 to 12 page Audit Committee brief
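The release-of-funds gate, the time-bound exception log, and the owned register described above are the parts of this method that can be expressed as a policy-as-code rule set. The block below is an added example, not the engagement's own rule set or schema: the register field names (owner, exit_criteria, approvals, expires, vendor_diligence_pack), the dates, and the vendor are constructed assumptions. It evaluates one register entry and its exceptions against Gaps 1 through 4 and returns the plain-English findings an internal auditor would sample first, so a "verbal sign-off in a Slack channel" or a "waiver that never expires" blocks the release instead of slipping through.

```python
"""Policy-as-code release gate run against a constructed register entry.

Added example only: the field names (owner, exit_criteria, approvals, expires,
vendor_diligence_pack) are assumptions for illustration, not the page's own
rule set or register schema.
"""
from dataclasses import dataclass
from datetime import date

# Register fields the gate insists on (Gap 1: no named owner, no exit defined).
REQUIRED_FIELDS = ("use_case", "owner", "decision_impact", "exit_criteria")
# What an approval record must carry to count as documented (Gap 2).
APPROVAL_FIELDS = ("approver", "date", "evidence_ref")


@dataclass
class GateResult:
    approved: bool
    findings: list  # plain-English reasons; empty when the gate passes


def evaluate_release_gate(entry: dict, exceptions: list, today: date) -> GateResult:
    """Return pass/fail plus the reasons a reviewer would sample first."""
    findings = []

    # Gap 1: inventory. Every register line names a human owner and an exit.
    for field_name in REQUIRED_FIELDS:
        if not entry.get(field_name):
            findings.append(f"inventory: register entry missing '{field_name}'")

    # Gap 2: release. An approval exists and says who, when, and on what evidence.
    approvals = entry.get("approvals") or []
    if not approvals:
        findings.append("release: no documented approval on record")
    for approval in approvals:
        for field_name in APPROVAL_FIELDS:
            if not approval.get(field_name):
                findings.append(f"release: approval record missing '{field_name}'")

    # Gap 3: exceptions. A waiver is owned, time-bound, and not already expired.
    for ex in exceptions:
        ex_id = ex.get("id", "<unnamed>")
        if not ex.get("owner"):
            findings.append(f"exception {ex_id}: no named owner")
        expires = ex.get("expires")
        if expires is None:
            findings.append(f"exception {ex_id}: open-ended waiver, no expiry date")
        elif expires < today:
            findings.append(f"exception {ex_id}: expired on {expires.isoformat()}")

    # Gap 4: procurement. A vendor model carries an AI-specific diligence pack.
    if entry.get("vendor") and not entry.get("vendor_diligence_pack"):
        findings.append("procurement: vendor model without an AI-specific diligence pack")

    return GateResult(approved=not findings, findings=findings)


# Constructed sample data (hypothetical program, vendor, owners, and dates).
TODAY = date(2026, 1, 15)

CERTIFIED_ENTRY = {
    "use_case": "Invoice coding suggestions for AP staff",
    "owner": "VP Finance Operations",
    "decision_impact": "Advisory; a human posts every journal entry",
    "exit_criteria": "Disable if suggestion acceptance stays below 70% for a month",
    "vendor": "ExampleVendor",
    "vendor_diligence_pack": "diligence/examplevendor-2025Q4.pdf",
    "approvals": [
        {"approver": "Risk Committee", "date": date(2025, 12, 10),
         "evidence_ref": "gate-review-2025-12-10"}
    ],
}
CERTIFIED_EXCEPTIONS = [
    {"id": "EX-7", "owner": "Controller", "expires": date(2026, 3, 31),
     "rationale": "Bias test deferred until the Q1 retrain"}
]

UNCERTIFIED_ENTRY = {
    "use_case": "Chatbot answering customer billing questions",
    "owner": "",                 # nobody named
    "decision_impact": "Can issue account credits up to a limit",
    "exit_criteria": "",         # no way out defined
    "vendor": "ExampleVendor",   # no diligence pack on file
    "approvals": [],             # sign-off lived in a chat thread
}
UNCERTIFIED_EXCEPTIONS = [
    {"id": "EX-2", "owner": "", "expires": None}  # the waiver that never expires
]


def certified_result() -> GateResult:
    return evaluate_release_gate(CERTIFIED_ENTRY, CERTIFIED_EXCEPTIONS, TODAY)


def uncertified_result() -> GateResult:
    return evaluate_release_gate(UNCERTIFIED_ENTRY, UNCERTIFIED_EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for label, result in (("certified", certified_result()),
                          ("uncertified", uncertified_result())):
        print(f"{label}: {'PASS' if result.approved else 'BLOCK'}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The gate returns every finding rather than stopping at the first, because the committee wants the full gap list on one page, and the exception check treats a missing expiry the same way an external reviewer does: as permanent risk acceptance that blocks release until it is dated and owned.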

When and how

Certify before the next examination, not after the next incident.

The right moment is a quarter before the question lands. If any of the signals below are visible today, the three steps that follow are sized to a single calendar quarter.

Signals worth acting on

Signal

External audit on the calendar

An ICFR, SOX, SOC 2, ISO 42001, or sector-specific exam will land in the next two quarters.

Signal

Vendor near signature

A material AI platform, agent, or data deal is moving without an AI-specific evidence pack.

Signal

Board-level question already asked

A director has asked, in a meeting, who owns the model. The minute is in the record. The answer is not.

Three steps from here

1

30-minute scoping call

Audit Chair, Risk Chair, or General Counsel. Two pages of notes. No deck.

2

10-day diagnostic

Inventory snapshot, gap map, and a written option set the committee can compare.

3

90-day certification motion

Expose, remediate, certify. Hand the Audit Committee a signed brief and evidence pack.

Sources

Citations a committee can verify in a browser.

Every figure on the executive snapshot slide and every framework reference on the gap-map slide is sourced. The full report carries inline citations and the underlying URLs.

  1. MIT Project NANDA, "The GenAI Divide: State of AI in Business 2025," preliminary findings. The 95% finding for GenAI pilots with zero measurable P&L impact. State of AI in Business 2025 (PDF). Project home: nanda.media.mit.edu.
  2. European Union AI Act, Regulation (EU) 2024/1689. Article 99 penalty schedule, including the EUR 35M and 7% global turnover ceilings for prohibited AI uses. eur-lex.europa.eu
  3. U.S. Securities and Exchange Commission, March 18 2024. "SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence." sec.gov
  4. National Association of Corporate Directors, survey release plus NACD board-oversight resources on technology and AI. Persistent director concern about board readiness for AI oversight. Survey release: prnewswire.com. Additional materials: nacdonline.org.
  5. NIST AI Risk Management Framework, AI RMF 1.0 plus Generative AI Profile (NIST AI 600-1). Reference baseline for the certification artifacts and gate language on slide 5. nist.gov
  6. ISO/IEC 42001:2023. AI management system standard. Inventory and exception requirements aligned to the certification model. iso.org
  7. ISACA, "Auditing Artificial Intelligence" white paper. Audit baselines used to align the gap categories on slide 6. isaca.org/resources/white-papers/auditing-artificial-intelligence.

Closing question

Could your AI program withstand a serious audit next quarter?

If the honest answer is "not yet," that is a 90-day project, not an open-ended risk. The Audit Committee should have a record designed for external review. The team should have a path that ends.

© 2026 Chander Dhall Methodworks, LLC. All rights reserved.