ACT-1 Starter: Baseline AI Governance Evidence Pack
Use ACT-1 when your team needs first AI governance records, not a full operating model. It helps create an AI system inventory, risk register, gap checklist, acceptable-use baseline, and cross-framework control view.
ACT-1 is a file-based implementation artifact. It is not legal advice, audit assurance, certification support, buyer approval, or a SaaS workflow.
Decide in 30 seconds
ACT-1 is the right starting product only when the buyer needs baseline records. If the buyer already has board, vendor, FRIA, or agentic AI pressure, route them to ACT-2.
Need first records
You need a controlled AI inventory, risk register, gap checklist, and acceptable-use baseline.
Need implementation evidence
You need policies, board reporting, vendor review, FRIA starter files, or agentic AI records.
Gap is still unclear
Run the free assessments if you do not yet know the scope, owner, or evidence gap.
Need assurance
Use legal counsel, auditors, certification bodies, or a GRC platform if assurance or live workflow is the main need.
Decision rule
Choose ACT-1 for baseline evidence. Choose ACT-2 when the work must become an implementation system.
What you receive
ACT-1 is packaged as editable files, not a static PDF. It gives the buyer a practical evidence baseline that can be maintained internally.
Cross-framework controls matrix
Baseline mapping across ISO/IEC 42001, NIST AI RMF, NIST GenAI Profile, and Colorado AI Act evidence prompts.
Inventory and gap records
Starter records for AI systems, control gaps, risks, owners, status, and evidence notes.
Acceptable-use baseline
A practical internal baseline for approved use, restricted use, data handling, review triggers, and escalation.
Sample fields buyers should expect
This preview helps buyers understand the files before purchase without exposing the full workbook logic.
| Artifact | Typical fields | Primary use | Upgrade signal |
|---|---|---|---|
| AI System Inventory | System, owner, purpose, data category, vendor, users, risk route, evidence gap. | Create one controlled register of AI use cases. | Upgrade when inventory needs vendor, board, FRIA, or agentic AI evidence links. |
| AI Risk Register | Risk event, likelihood, impact, control owner, mitigation, residual risk, review date. | Turn AI risk discussion into owner-managed records. | Upgrade when risks need procedures, escalation, and board reporting. |
| Gap Tracker | Gap, severity, owner, blocker, target date, decision needed, evidence retained. | Convert assessment results into a backlog. | Upgrade when the backlog needs rollout sequencing and executive reporting. |
| AUP Starter | Allowed uses, restricted uses, data handling, approval triggers, escalation route. | Create a first internal AI-use baseline. | Upgrade when policy coverage must expand into incident, vendor, and oversight procedures. |
Who ACT-1 is not for
Not enough for full implementation
Choose ACT-2 if you need policies, board reporting, vendor procedures, FRIA starter artifacts, or agentic AI and MCP governance records.
Not a SaaS or assurance product
ACT-1 does not provide legal opinions, audit assurance, certification assurance, automated workflows, integrations, or continuous monitoring.
Start with ACT-1 only if the immediate gap is baseline evidence.
If the buyer already needs connected implementation evidence, ACT-2 is the cleaner route.
Frequently asked questions
These answers help with buying and implementation decisions. They do not provide legal, audit, certification, buyer-approval, or security assurance.
What is ACT-1 Starter?
ACT-1 Starter is a baseline AI governance evidence pack. It helps a team create an AI inventory, risk register, gap checklist, acceptable-use baseline, and cross-framework controls view before buying a larger implementation package.
Who should choose ACT-1?
Choose ACT-1 when the immediate problem is first governance records. It is best for SMEs that need structure but are not yet ready for board packs, vendor procedures, FRIA starter materials, or agentic AI governance records.
When should I choose ACT-2 instead?
Choose ACT-2 when buyers, board members, vendors, agentic AI systems, MCP use, FRIA-style review, or implementation rollout evidence are already in scope.
Is ACT-1 legal advice or certification support?
No. ACT-1 provides editable implementation artifacts. It does not provide legal advice, audit assurance, certification assurance, regulatory approval, buyer approval, safe harbor assurance, or security assurance.
Are the files editable?
Yes. ACT-1 is designed as editable files so internal owners can adapt the records to their systems, governance model, and evidence requirements.
What should we do after ACT-1?
After ACT-1, move to ACT-2 if you need full implementation evidence. Use the Sprint only when you need guided ownership, sequencing, and a 30-day backlog.
Source and review note: This page describes a file-based implementation evidence product. It is not legal, tax, audit, certification, conformity-assessment, buyer-approval, safe-harbor, or security advice. Buyers should involve qualified counsel, auditors, certification bodies, and internal control owners where required.