Snapshot only · Not legal advice. A point-in-time directional snapshot generated from the answers provided.
Executive Summary
Acme Corp appears to have High AI governance documentation exposure. Primary drivers are EU and multi-state U.S. operations, employment / HR AI use, personal and employee data, and a third-party AI vendor with limited documentation. The most important gaps are Impact Assessment, Vendor Evidence File, and Human Oversight Plan. Legal review is strongly recommended.
Snapshot Risk Score
Directional snapshot, not a certification. Each sub-score reflects the sample answers, not an audit.
EU + multi-state U.S. operations with HR use case.
Few formal documents in place today.
Third-party model provider documentation is limited.
Personal and employee data processed by the system.
Informal review exists but not documented.
System influences employment decisions in the EU.
Top Legal-Review Flags
- Employment / HR AI: High
AI influences hiring, promotion, or termination decisions.
- EU operations with high-risk use case: High
Likely triggers EU AI Act high-risk obligations.
- Vendor documentation gap: Medium
Third-party provider has not supplied required evidence.
What Drove Your Snapshot Result
- Operates across EU and multiple U.S. states.
- Uses AI for employment / HR decisions about people.
- Processes personal and employee data.
- Relies on a third-party AI vendor with limited documentation.
- No formal human oversight or appeal process documented.
Documentation Gap Analysis & Recommended Package
Trigger: HR use case + EU operations
Required to evaluate risk to fundamental rights before deployment.
Trigger: Third-party model provider
Centralizes vendor technical docs, training data summaries, and evaluations.
Trigger: Decisions about people
Documents who reviews outputs, how, and when humans can override.
Trigger: All deployed systems
Already drafted internally; refresh for completeness.
Trigger: Ongoing production use
Tracks performance drift, bias, and incidents post-deployment.
Trigger: Internal AI tooling
Defines what employees may and may not do with AI systems.
Minimum Viable Documentation
If you can only stand up a few things right now, prioritize:
- AI Impact Assessment for the HR use case
- Vendor Evidence File for the third-party provider
- Human Oversight Plan with escalation paths
- AI Acceptable Use Policy for employees
Priority Next Steps
- Confirm scope and company AI role for the HR system.
- Complete an impact assessment covering HR and EU obligations.
- Request technical documentation and training data summary from the vendor.
- Document the human oversight and escalation process for employment decisions.
- Have qualified counsel validate EU AI Act applicability.
Suggested Remediation Roadmap
- Stand up Impact Assessment
- Request vendor evidence package
- Draft Human Oversight Plan
- Publish AI Acceptable Use Policy
- Operationalize Monitoring Plan
- Train reviewers on oversight workflow
- Annual review cadence
- Vendor recertification process
Cross-Border Considerations
- EU AI Act conformity assessment likely required before market placement.
- U.S. state-level employment AI laws (e.g., NYC Local Law 144, Colorado AI Act) may apply.
- GDPR Article 22 implications for automated decisions about EU data subjects.
Questions to Ask a Governance Professional
- Does our HR system meet the EU AI Act 'high-risk' threshold under Annex III?
- Which U.S. state AI employment laws apply to our footprint?
- What contractual evidence are we entitled to from our model provider?
- How should we document meaningful human review to satisfy GDPR Article 22?
Questions to Ask Your Vendor
- Provide a system card or technical documentation for the deployed model.
- Share a training data summary and known limitations.
- Describe your evaluation methodology for bias and performance.
- Confirm support for incident notification and post-deployment monitoring data.
AI Governance Template Pack
Turn this snapshot into ready-to-edit documentation.
The ArcPoint AI Governance Template Pack includes professionally drafted starting points for every document referenced above — risk classification memos, impact assessments, vendor evidence checklists, oversight plans, and more.
Your Assessment Inputs
Assumptions & Limitations
- Snapshot is generated solely from the answers provided; no audit was performed.
- Regulatory coverage reflects the tool's current ruleset and may evolve.
- Recommendations are directional and do not replace legal review.
Disclaimer & Snapshot Metadata
Snapshot only · Not legal advice. Regulatory requirements change frequently; validate with qualified counsel.
