E008—Review internal processes
>Control Description
Establish regular internal reviews of key processes and document review records and approvals
Application
Mandatory
Frequency
Every 12 months
Capabilities
Universal
>Controls & Evidence (2)
Operational Practices
E008.1
Documentation: Internal review (Core) - This should include:
- Reviewing decision processes every quarter, including AI system changes, foundational model selection, and security assessment.
- Maintaining a centralized repository of decision records and internal reviews of these records, for example supporting evidence reviewed and remediation plans.
- Documenting and tracking remediation of any risks identified.
Typical evidence: Centralized repository, policy, or tickets showing quarterly internal reviews - e.g. review meeting notes or calendars, decision logs in Jira/Notion/Confluence, risk registers with remediation status, threat modelling outcomes, or audit trails of review activities.
Location: Internal processes
E008.2
Documentation: External feedback integration (Supplemental) - This may include:
- Collecting and implementing external feedback on AI systems. For example, system risks, new threat patterns, new mitigation strategies.
Typical evidence: Documentation showing external feedback collected and implemented - may include external security advisories reviewed, threat intelligence integrated, third-party recommendations adopted, or records of external input incorporated into system improvements.
Location: Internal processes
>Cross-Framework Mappings
NIST AI RMF