
Methodology and transparency

How the AI governance readiness calculator works with current model risk expectations

The AegisAI Compliance readiness calculator is a structured self-assessment for banks, credit unions, fintechs, and regulated technology teams. It is designed to help teams identify practical governance gaps before AI use expands faster than policies, controls, and evidence can keep up. The calculator is not a legal opinion, legal advice, or an examination finding, and it does not determine regulatory compliance. It is a transparent scoring framework that turns common AI governance expectations into a prioritized readiness view.

The six governance domains

The calculator uses six domains because AI risk is rarely owned by a single function. A credible program needs policy ownership, vendor oversight, model risk discipline that reflects current supervisory expectations, data governance, board reporting, and compliance evidence working together.

AI Policy & Governance

Assesses whether AI use is governed by clear policies, accountable oversight, and documented approval practices.

Vendor & Third-Party AI Risk

Reviews how AI vendor relationships are identified, contracted, subjected to due diligence, monitored, and security reviewed.

Model Risk Management

Measures alignment with current model risk governance expectations, including ownership, inventory, validation, monitoring, change controls, and documentation.

Data Governance & Privacy

Checks whether AI data sources, bias risks, retention rules, privacy reviews, and incident processes are documented.

Board & Audit Reporting

Evaluates whether AI risk is visible to the board, enterprise risk management (ERM), internal audit, issue tracking, and escalation channels.

Evidence & Compliance

Assesses whether the organization can prove governance activity, attest control status, and maintain exam readiness.

Scoring logic

The assessment has 30 questions, with five questions in each domain. Every answer receives a simple readiness value: Yes = 2, Partial = 1, and No = 0. The maximum score is 60. Each domain has a maximum of 10 points, which makes it easier to compare strengths and weaknesses across the program.

Readiness bands (total score out of 60, both bounds inclusive):

50-60 (Advanced): A mature program with strong governance evidence, repeatable oversight practices, and fewer urgent remediation needs.

35-49 (Developing): A functioning program with important policies or controls in place, but notable gaps across evidence, vendor risk, or model governance.

20-34 (Emerging): An early program where basic ownership may exist, but formal controls, reporting, and documentation are still incomplete.

0-19 (At Risk): A high-exposure posture with material gaps in oversight, inventory, validation, vendor review, or exam-ready evidence.
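The scoring rules above are simple enough to reproduce offline, which is useful when a team wants to re-score an assessment from a spreadsheet, check a domain subtotal, or confirm which band a borderline total falls into. The following is an added example written for this page; it is not the calculator's own code. It assumes answers are supplied per domain as the strings Yes, Partial, or No (case-insensitive), and the sample input at the bottom is constructed, not real assessment data.

```python
"""Re-score an AegisAI-style readiness assessment offline.

Added example, not the calculator's own code. Assumes answers arrive as a
dict of domain name -> list of five answer strings ("Yes", "Partial", "No").
"""
from typing import Dict, List

DOMAINS = [
    "AI Policy & Governance",
    "Vendor & Third-Party AI Risk",
    "Model Risk Management",
    "Data Governance & Privacy",
    "Board & Audit Reporting",
    "Evidence & Compliance",
]
QUESTIONS_PER_DOMAIN = 5
ANSWER_VALUE = {"yes": 2, "partial": 1, "no": 0}
DOMAIN_MAX = QUESTIONS_PER_DOMAIN * 2          # 10 points per domain
TOTAL_MAX = DOMAIN_MAX * len(DOMAINS)           # 60 points overall

# Readiness bands from the page: (inclusive lower bound, label), highest first.
BANDS = [(50, "Advanced"), (35, "Developing"), (20, "Emerging"), (0, "At Risk")]


def band_for(total: int) -> str:
    """Map a total score to its readiness band; rejects out-of-range totals."""
    if not 0 <= total <= TOTAL_MAX:
        raise ValueError(f"total must be between 0 and {TOTAL_MAX}, got {total}")
    for floor, label in BANDS:
        if total >= floor:
            return label
    raise AssertionError("unreachable: the 0 floor always matches")


def score_domain(answers: List[str]) -> int:
    """Score one domain's five answers; rejects wrong counts and unknown values."""
    if len(answers) != QUESTIONS_PER_DOMAIN:
        raise ValueError(f"expected {QUESTIONS_PER_DOMAIN} answers, got {len(answers)}")
    points = 0
    for answer in answers:
        key = answer.strip().lower()
        if key not in ANSWER_VALUE:
            raise ValueError(f"unknown answer {answer!r}; use Yes, Partial or No")
        points += ANSWER_VALUE[key]
    return points


def score_assessment(answers: Dict[str, List[str]]) -> dict:
    """Score all six domains; return total, band, per-domain points and weakest domains."""
    missing = [d for d in DOMAINS if d not in answers]
    extra = [d for d in answers if d not in DOMAINS]
    if missing or extra:
        raise ValueError(f"missing domains {missing}, unexpected domains {extra}")
    per_domain = {d: score_domain(answers[d]) for d in DOMAINS}
    total = sum(per_domain.values())
    lowest = min(per_domain.values())
    return {
        "total": total,
        "max": TOTAL_MAX,
        "band": band_for(total),
        "domains": per_domain,
        # Domains tied at the lowest score are the natural remediation starting point.
        "weakest": [d for d, p in per_domain.items() if p == lowest],
    }


# Constructed sample input (not real assessment data). Expected domain points in comments.
SAMPLE = {
    "AI Policy & Governance":       ["Yes", "Yes", "Partial", "Yes", "Partial"],      # 8
    "Vendor & Third-Party AI Risk": ["Partial", "No", "Partial", "No", "Yes"],        # 4
    "Model Risk Management":        ["Yes", "Partial", "Partial", "Yes", "No"],       # 6
    "Data Governance & Privacy":    ["Yes", "Yes", "Yes", "Partial", "Partial"],      # 8
    "Board & Audit Reporting":      ["Partial", "No", "No", "Partial", "No"],         # 2
    "Evidence & Compliance":        ["Partial", "Partial", "Yes", "No", "Partial"],   # 5
}

if __name__ == "__main__":
    result = score_assessment(SAMPLE)
    print(f"Total {result['total']}/{result['max']}: {result['band']}")
    for domain, points in result["domains"].items():
        print(f"  {domain}: {points}/{DOMAIN_MAX}")
    print("Weakest:", ", ".join(result["weakest"]))
```

The sample scores 33 of 60, which lands in Emerging, with Board & Audit Reporting at 2 of 10 as the weakest domain. The band lookup walks the floors from highest to lowest, so boundary totals (19 versus 20, 34 versus 35, 49 versus 50) resolve exactly as the ranges above state; the validation checks catch the usual spreadsheet mistakes of a missing question, a misspelled answer, or an extra domain row before a misleading total is reported.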

Current model risk and regulatory basis

The framework is informed by well-known supervisory themes in banking and financial services. Its model risk questions are aligned to current model risk governance expectations, including SR 26-2 / OCC Bulletin 2026-13. SR 11-7 (the 2011 Federal Reserve Supervisory Guidance on Model Risk Management, issued jointly with OCC Bulletin 2011-12) remains historically important and may still appear in internal policies, legacy model inventories, audit workpapers, and board materials, so a mapping to SR 11-7 is retained for continuity.

The questions emphasize practical governance evidence: ownership, inventory, approval, monitoring, validation, reporting, and documentation. The FFIEC IT Examination Handbook emphasizes governance, third-party risk, security, operations, and evidence. CFPB guidance and enforcement activity around automated decisioning highlight fairness, transparency, explainability, and consumer-impact risk.

The calculator does not claim that a given score proves compliance. Instead, it helps teams organize questions that auditors, boards, model risk teams, vendor managers, privacy teams, and examiners are likely to care about. The output should be treated as a starting point for discussion, remediation planning, and evidence collection.

Disclaimer

This calculator is for self-assessment and informational purposes only. It does not constitute legal, regulatory, audit, risk, or compliance advice. It does not replace institution-specific review, formal model risk validation, vendor due diligence, privacy analysis, board reporting, or consultation with qualified counsel and advisors.