What scoring looks like in practice

The model is a hosted LLM behind a thin retrieval layer over the company's policy pages. The team shipped fast: a vendor SaaS, a system prompt that describes the brand's voice, and a deploy that landed in production the same week the contract was signed.

The Data Architecture pillar scores Lvl 2 because the retrieval index is updated by a recurring job, but no one knows whether the index reflects the latest policy revision. There is no drift detection on the underlying LLM provider's model — when the vendor silently rolls a new model version, behavior changes in ways the team will discover in production rather than in eval.

Access Control scores Lvl 1: the system prompt sits in a Git repo with broad read access; the inference endpoint has authentication but no rate-limiting per session; prompt-injection isn't enumerated as a threat.

Process Documentation scores Lvl 1: there is no incident runbook for "the chatbot said something wrong." There is no kill switch beyond redeploying the previous container. There is no recorded test of either.

Agent Governance is N/A or Lvl 1 — single-agent, but no defined owner, no eval cadence, no escalation policy when output is unsafe.

This is the *Air Canada chatbot* shape. The lawsuit established that the brand is liable for what the chatbot says, regardless of whether the brand wrote the policy itself.

This is one of the better-governed AI deployments in fintech because tabular ML for fraud has been a line-of-business problem for a decade. The team has documented features, a feature store, and a reasonable retraining cadence.

Data Architecture scores Lvl 3: end-to-end lineage exists, drift is monitored against a baseline distribution, and training-serving consistency is in CI. The retention windows are documented and there is a process for handling label leakage.

Access Control scores Lvl 2: model artifacts live in an MLflow registry with named owners, but the inference service inherits a generic IAM role that several adjacent services also use. No model-specific rate limiting beyond what the API gateway provides. Prompt-injection isn't relevant; supply-chain (a poisoned package in the training pipeline) hasn't been considered.

Process Documentation scores Lvl 1: incidents are handled via the standard data-platform on-call, which doesn't carry AI-specific runbooks. There's no documented response to "the model is now flagging 5x more transactions than yesterday." Kill switch is a feature flag, never tested.

Agent Governance: not yet relevant — this is a single non-agentic model.

The blast radius here is regulatory: a sustained drift event that produces a wave of false-positive fraud blocks would surface as a CFPB complaint pattern within days. SR 11-7 applies whether or not the team has acknowledged it.

Medical imaging is one of the most regulated AI surfaces. The model is a third-party SaaS cleared under FDA's Software as a Medical Device guidance. The clinic does not retrain it; they use it as decision support.

Data Architecture scores Lvl 2: the input pipeline (PACS → vendor API) is stable, but distribution drift is invisible — the clinic doesn't see the vendor's training data, has no baseline for the patient population the model was trained on, and has no SLA from the vendor for model updates. The clinic's own image distribution may differ in ways that degrade accuracy and they would not know.

Access Control scores Lvl 3: PHI flows are tightly governed because HIPAA and the existing HITRUST posture forced that. The model's inference endpoint is segregated, audit-logged, and access is named-individual. This pillar is unusually strong because the regulatory baseline was already strict before AI arrived.

Process Documentation scores Lvl 1: the clinic does not have a documented protocol for "the model disagrees with the radiologist." Whether the radiologist defers, ignores, or escalates is up to the individual. There is no aggregated record of model-vs-reader disagreement that could surface drift.

Agent Governance: not relevant.

The buyer here likely passed an FDA clearance gate — and would still fail an audit, because clearance covers the model and not the deployment context.

An engineering organization stands up a multi-agent system: a "lead reviewer" agent decomposes a PR into sub-tasks, dispatches to a security-scanning agent, a test-coverage agent, and a style agent, and then aggregates findings into a single review comment.

Data Architecture scores Lvl 3: the codebase the agents operate on is version-controlled, the agents read from a stable source-of-truth, and the agent prompts and tool definitions are themselves versioned alongside the code.

Access Control scores Lvl 2: the agents have repo-level read but the security scanner has elevated permissions for some sensitive paths; permissions are static rather than scoped per-PR. Token rotation is manual.

Process Documentation scores Lvl 2: the system has an incident runbook for "the lead agent crashed," but not for "the lead agent decomposed a security-sensitive change incorrectly and the security sub-agent never saw it."

Agent Governance scores Lvl 1: there is no published agent org chart. The lead agent has no defined "manager" — no named human owner. The escalation path when an agent decomposes wrong is just whoever notices in code review. Tool permissions are not reviewed quarterly. Performance reviews don't exist.

This is a useful, productive system. It is also the most-prone-to-drift class of AI deployment we see, because no one organization has done multi-agent governance for long enough to have a settled practice.

What "ready" actually looks like. Each pillar at 3 or above; no Lvl 1.

Data Architecture scores Lvl 4: the team treats the prompt + retrieval index as a versioned artifact, runs a regression eval suite on every prompt change, monitors both input distribution and output quality with statistical drift detection, and contractually requires the LLM provider to notify of base-model changes.

Access Control scores Lvl 3: model artifacts and prompts have IAM-scoped roles, audit trails are reviewed monthly, and the team uses OWASP LLM Top 10 as a deploy checklist. Quarterly red-team. Supply-chain provenance verified for the base model.

Process Documentation scores Lvl 3: there's a model inventory with named owners and last-deploy dates; an AI-specific runbook covers drift, eval-loop failure, prompt-injection, and agent runaway; the kill switch is exercised quarterly.

Agent Governance scores Lvl 3: agent-style features have named owners, permission policies are reviewed, eval cadence is monthly. Not Lvl 4 because the company hasn't yet implemented role descriptions or independent challenger reviews.

A buyer at this maturity is the rare audit client who passes most pillars and uses the engagement to identify the next-investment area. The audit's role here is *attestation*, not gap-finding.

This is a high-risk AI system under the EU AI Act (Annex III, employment domain). Heavy obligations apply: risk management, data governance, technical documentation, human oversight, registration in the EU AI database, conformity assessment, and ongoing monitoring for serious incidents. Most are not yet in place.

Data Architecture scores Lvl 2: training data is documented but bias mitigation is informal; the team can produce a data sheet on request but did not author one proactively. Drift on protected-class fairness metrics is not monitored.

Access Control scores Lvl 2: model artifacts are versioned, but logging of who scored which candidate when is not retained at the granularity required for a regulator's reconstruction of an individual decision.

Process Documentation scores Lvl 1: no documented human-oversight procedure; recruiters are told to "review" ranked outputs but the process is not formalized. No incident runbook for a candidate dispute.

Agent Governance: not relevant — non-agentic ranking.

Full applicability of the EU AI Act lands August 2, 2026. The deployment in its current state will not pass conformity assessment. The audit's value here is the gap-list against Article 9 (risk management) and Article 14 (human oversight).