AI Governance Audit Prep: Your 30-Day Plan

You Just Got 30 Days Notice. Now What?

AI governance audit preparation is one of those things organizations plan to do properly, right up until the moment they get the calendar invite. Thirty days feels short when you’ve been running informal governance — some policies in a shared drive, a vendor review here and there, maybe a spreadsheet tracking which tools are in use. It isn’t enough time to build a mature program from scratch. It is enough time to get organized, close the gaps auditors are most likely to flag, and show up to that first meeting with something credible in your hands.

This guide covers exactly that: what auditors are looking at, what documentation you need to produce, how to prioritize remediation in the time you have, and what to say when you walk in without everything complete.

What Auditors Are Actually Looking For

Before you start assembling documents, you need to understand the audit’s frame of reference. Depending on who’s conducting it and why, the evaluator may be working from the NIST AI Risk Management Framework (NIST AI RMF), the EU AI Act’s requirements if your organization has EU exposure, ISO/IEC 42001, or an internal corporate standard handed down from a parent company or major client.

Request the evaluation criteria on day one. If the auditor won’t share a framework reference or a questionnaire in advance, ask directly: “What control domains will this assessment cover?” Most legitimate assessors will tell you. Knowing whether they’re focused on data governance, model risk, human oversight controls, or incident response lets you allocate your thirty days rather than thrashing across every possible domain.

At a high level, auditors in this space typically want to see four things: that you know what AI systems you’re running, that someone owns accountability for each one, that you’ve thought about the risks, and that you have some mechanism for catching and responding to problems. Informal governance programs usually have partial evidence for each of these — the goal of your prep is to surface that evidence, fill in what’s missing, and present it in a format an auditor can follow.

Week 1: Get a Complete Inventory

You cannot govern what you haven’t documented. The first thing to produce is an AI system inventory — a list of every AI tool, model, or vendor-provided AI feature your organization uses or permits employees to use. This includes obvious things like your CRM’s predictive scoring, your HR platform’s resume screener, and any generative AI tools your team has adopted. It also includes the less-obvious: the AI-assisted features in your security tools, the copilot baked into your productivity suite, any third-party APIs your developers are calling.

For each entry, you want to capture the system name and vendor, what it does and who uses it, what data it touches, who inside your organization owns it, and whether it’s been formally approved or is operating informally. That last column is uncomfortable to fill in, but it’s critical. Auditors expect to find shadow AI. What they want to see is that you’ve gone looking for it.

If you have a vendor management process, pull from it. If you don’t, send a short questionnaire to department heads asking them to list any AI tools their team uses. Keep it simple enough that people actually respond in 48 hours.

Week 2: Map Your Documentation Against What’s Expected

Once you have the inventory, you can run a gap analysis. Pull whatever documentation you have — acceptable use policies, vendor assessments, data handling procedures, incident records — and map it against the control domains your auditor flagged, or against a standard framework if you’re working from one.

The gaps you find will fall into two categories: missing documentation for things you’re actually doing, and missing controls where you haven’t done the work at all. The first category is fixable in weeks two and three. The second requires honest triage.

For documentation gaps, prioritize in this order. First, an AI acceptable use policy — if you don’t have a written policy governing what AI tools employees can use and how, that’s the single most common finding and the easiest one to fix. A serviceable policy doesn’t need to be long; it needs to clearly define what’s permitted, what’s prohibited, what data can and can’t be fed into AI systems, and who to contact when something goes wrong. Second, evidence of risk assessment for your highest-risk AI applications. Third, any records of AI-related incidents, concerns, or anomalies — even informal ones like a Slack thread where someone flagged an unexpected model output.

For genuine control gaps, don’t try to paper over them with documents that describe a process you haven’t implemented. Auditors have seen that before, and it makes the finding worse. Instead, document the gap honestly and pair it with a remediation plan that has dates and owners. That’s a much stronger position than fabricated evidence of a control that doesn’t exist.

Week 3: Close the Highest-Priority Gaps

With the gap map in hand, spend week three on targeted remediation. You’re not building a compliance program in seven days — you’re closing the specific gaps most likely to generate audit findings.

If you’re missing an acceptable use policy, write one. If you’ve never run a formal risk assessment on your AI vendors, run abbreviated ones for the two or three systems that handle the most sensitive data or have the widest user base. If you have no incident log, create one and backfill it with any AI-related issues you can find records of — support tickets, email threads, change management notes.

One area that gets underweighted in audit prep is human oversight documentation. For any AI system making consequential decisions — flagging transactions, scoring job applicants, generating customer-facing content — you should be able to show that a human reviews the output before action is taken. If that process exists, write it down. If it doesn’t, implement something minimal and document it now. Auditors focused on the NIST AI RMF or EU AI Act requirements will specifically look for this, particularly for higher-risk applications.

Also spend time this week preparing your accountability map. Every AI system in your inventory should have a named owner, and that owner should know they’re on the hook. This doesn’t require a formal RACI chart — a simple column in your inventory will do — but it should reflect reality, not aspiration.

Week 4: Organize Evidence and Prepare Your Narrative

Audit preparation isn’t just about having the right documents — it’s about being able to walk someone through them in a way that holds together. Spend week four organizing your evidence package and preparing your team.

Create a single audit-ready folder or workspace that contains your AI inventory, your gap analysis, your policy documents, your risk assessment outputs, your incident log, and your remediation plan. Label everything clearly and make sure the dates are accurate. If a document was created last week, say so — auditors appreciate transparency about what’s fresh versus what’s been in place. Don’t backdate anything.

Prepare short talking points for the people who will be in the room: what systems are in scope, how you assess risk, how incidents get escalated, and what you’re actively working to improve. The auditor will ask questions that go off-script, but a prepared team gives more consistent answers.

What to Say When You Don’t Have Everything

This is the part nobody writes about, but it matters. You will walk into that audit without complete documentation. Every organization in your position does. The question is how you handle it.

The answer is simple: be specific and be forthright. “We don’t have a formal risk assessment for this vendor” is a better answer than a vague gesture toward a process that doesn’t exist. Follow it immediately with “we’ve identified that gap, and here’s what we’re doing about it, on this timeline.” Auditors are evaluating your governance maturity, and maturity includes knowing what you don’t know. An honest gap with a credible remediation plan is a manageable finding. A fabricated control that unravels under questioning is a serious one.

If there are significant gaps you couldn’t close in thirty days, be explicit about them in the opening conversation. Name them before the auditor finds them. It reframes the conversation from “you failed to do this” to “you identified this and are addressing it.”

Do This Week

If you take nothing else from this guide, do one thing in the next five business days: build your AI system inventory. Open a spreadsheet, send a two-question email to your department heads, and give yourself a deadline of Friday to have every AI tool your organization uses written down in one place. You cannot prioritize, assess, or defend anything you haven’t documented. The inventory is the foundation every other piece of audit prep builds on, and it’s the first thing your auditor is going to ask for.

Using Tools to Move Faster

Thirty days is tight if you’re doing everything manually. A structured tool can accelerate the inventory, gap analysis, and evidence collection steps significantly — not by replacing the judgment calls, but by giving you a framework to work inside instead of building one from scratch under deadline.

InfoDefenders’ AI Governance Manager is built specifically for organizations in this position: mid-market IT teams that need to demonstrate governance posture without a dedicated compliance function. If your audit is imminent and you want to understand what a structured approach would look like for your environment, that’s a reasonable conversation to have now rather than after the report lands.

Thirty days is not comfortable. But it’s enough to show up credibly, demonstrate that you understand your environment, and present a clear picture of where you are and where you’re going. Auditors are not expecting perfection from a 200-person company with no compliance team. They are expecting honesty, organization, and evidence that someone is actually paying attention. Get those three things right, and you’re in a defensible position.