Neha Khandelwal
Industry · 5 min read

Beyond the Checklist: A Phase-wise AI Risk Assessment Tool for Agentic and Generative AI Systems

A phase-wise AI governance toolkit that generates tailored risk assessments, mapped controls, evidence requirements, and implementation guidance for agentic and generative systems.

Every AI governance practitioner has been in this situation.

A team is preparing to deploy a new AI system. Someone pulls up a generic governance checklist: 30 to 40 questions, the same ones used for the last three systems. The boxes get ticked. The document gets filed. The system goes live.

Six months later, a risk surfaces that the checklist never asked about. Not because the team was careless, but because the checklist wasn't built for that system, that sector, or that risk profile.

This is the operational gap in AI governance today. Not a lack of frameworks — we have the EU AI Act, ISO 42001, NIST AI RMF, IMDA MOGF, OWASP LLM Top 10, MITRE ATLAS, and more. The gap is in translating those frameworks into guidance a practitioner can actually use at the point of a real deployment decision.

That's what I built generate-ai-risk-assessment.vercel.app to address.


What the Tool Does

At its core, this is a phase-wise AI governance toolkit. You provide context about your system — the sector, deployment model, data sensitivity, region, stakeholder profile, and whether the system is agentic — and it generates a tailored governance package for each lifecycle phase defined across current frameworks and regulations.

For each phase, the output includes:

A tailored risk assessment questionnaire. Not a generic list of questions — a set specific to your system's characteristics and the risk domains relevant to your context. A healthcare LLM deployed in Singapore carries different regulatory obligations than a retail recommendation engine deployed in the EU. The tool reflects that.

Required controls mapped to applicable regulations. For each risk identified, the tool surfaces the specific controls required under the frameworks that apply to your situation. Practitioners can trace every control back to its regulatory source.

Evidence requirements. Knowing what control to implement is only half the job. Knowing what evidence you need to demonstrate that control is in place — for an audit, a committee review, or a regulatory inquiry — is the other half. The tool makes this explicit for each phase.

Implementation guidance. This is where most governance tools stop short. Telling a team what to do without telling them how produces beautiful documentation and stalled programmes. The tool provides practical implementation direction that can be handed directly to an engineering or product team.

Downloadable package with sample evidence templates. Every output can be downloaded, including sample templates aligned to the questionnaire generated for your system.


Why Agentic AI Gets Its Own Treatment

One of the deliberate design decisions in this tool was to treat agentic AI systems as a distinct risk domain — not a variant of a standard LLM deployment.

An autonomous AI agent that can take actions, use tools, call APIs, and operate across systems without step-by-step human instruction creates governance challenges that standard AI frameworks were not originally designed to address. Questions around autonomy boundaries, human oversight mechanisms, tool use permissions, task interruption, and multi-agent coordination are fundamentally different from the questions you'd ask about a static language model.

The agentic AI questionnaire and baseline guidance in this tool are drawn from three sources: NIST's agentic AI guidance, the IMDA Model Governance Framework for Agentic AI, and OWASP's work on LLM and agentic system risks. If you select an agentic system, the output reflects this: different questions, different controls, different evidence requirements.

Caveat: deterministic classifiers built on LLM outputs should not be treated as a replacement for human judgement. They can help flag potential risks, but governance decisions must remain grounded in human review, contextual understanding, and oversight of the system's real-world impact.
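As an illustration of what the agentic control areas above can look like once they reach an engineering team, here is an added example (not code from the tool, and not part of its generated output): an allowlist acts as the autonomy boundary, side-effecting tools are gated on a human approval step, a stop flag implements task interruption, and every decision is written to an append-only log that can serve as evidence. The tool names, policy values and the approver function are constructed assumptions for the demo.

```python
"""Added example of agentic-AI controls: tool-use permissions, human
oversight, task interruption and an evidence log.  Not code from the
assessment tool; tool names, policy values and the approver are assumed."""
from dataclasses import dataclass, field
from typing import Any, Callable
import threading
import time


class ToolDenied(Exception):
    """Tool is outside the agent's allowlist or call budget."""


class ApprovalRequired(Exception):
    """A side-effecting tool was requested and the human reviewer declined."""


class TaskInterrupted(Exception):
    """An operator raised the stop flag; no further tools run."""


@dataclass(frozen=True)
class ToolPolicy:
    allowed_tools: frozenset   # autonomy boundary: tools the agent may use at all
    needs_approval: frozenset  # side-effecting tools gated on a human decision
    max_calls: int             # budget so a looping agent cannot run unbounded


@dataclass
class AgentRun:
    run_id: str
    policy: ToolPolicy
    approver: Callable[[str, dict], bool]  # human-oversight hook
    stop_event: threading.Event = field(default_factory=threading.Event)
    calls: int = 0
    evidence: list = field(default_factory=list)

    def _record(self, tool: str, args: dict, decision: str, reason: str) -> None:
        # Append-only evidence trail: every attempted tool use, allowed or not.
        self.evidence.append({"run_id": self.run_id, "ts": time.time(), "tool": tool,
                              "args": args, "decision": decision, "reason": reason})

    def call_tool(self, tool: str, args: dict, registry: dict) -> Any:
        """Run `tool` only if the stop flag, allowlist, budget and approval checks pass."""
        if self.stop_event.is_set():
            self._record(tool, args, "blocked", "stop flag set")
            raise TaskInterrupted(self.run_id)
        if tool not in self.policy.allowed_tools:
            self._record(tool, args, "denied", "tool not in allowlist")
            raise ToolDenied(tool)
        if self.calls >= self.policy.max_calls:
            self._record(tool, args, "denied", "call budget exhausted")
            raise ToolDenied(tool)
        if tool in self.policy.needs_approval and not self.approver(tool, args):
            self._record(tool, args, "denied", "human approval not granted")
            raise ApprovalRequired(tool)
        self.calls += 1
        result = registry[tool](**args)
        self._record(tool, args, "allowed", "policy checks passed")
        return result


# ---- constructed demo: tools, policy and approver are made up for illustration ----
def _read_ticket(ticket_id: str) -> dict:
    return {"ticket_id": ticket_id, "amount": 40}


def _refund(ticket_id: str, amount: int) -> str:
    return f"refunded {amount} on {ticket_id}"


TOOLS = {"read_ticket": _read_ticket, "refund_customer": _refund}
POLICY = ToolPolicy(allowed_tools=frozenset({"read_ticket", "refund_customer"}),
                    needs_approval=frozenset({"refund_customer"}), max_calls=5)


def human_approver(tool: str, args: dict) -> bool:
    # Stand-in for a real reviewer: approve refunds up to an assumed limit of 50.
    return tool == "refund_customer" and args.get("amount", 0) <= 50


def run_demo() -> list:
    """Exercise each control once and return the evidence log."""
    run = AgentRun("run-001", POLICY, human_approver)
    ticket = run.call_tool("read_ticket", {"ticket_id": "T-1"}, TOOLS)
    run.call_tool("refund_customer", {"ticket_id": "T-1", "amount": ticket["amount"]}, TOOLS)
    for tool, args in [("refund_customer", {"ticket_id": "T-1", "amount": 500}),  # over limit
                       ("delete_account", {"user": "alice"})]:                   # not allowed
        try:
            run.call_tool(tool, args, TOOLS)
        except (ToolDenied, ApprovalRequired):
            pass
    run.stop_event.set()  # operator interrupts the task
    try:
        run.call_tool("read_ticket", {"ticket_id": "T-2"}, TOOLS)
    except TaskInterrupted:
        pass
    return run.evidence


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["tool"], entry["decision"], entry["reason"])
```

The point of the demo is that the evidence log answers the questionnaire's oversight questions with data rather than assertions: which tools the agent was permitted to use, which calls a human declined, and when the run was halted. In a real deployment the approver would be a ticketing or review workflow and the log would be shipped to tamper-evident storage.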

This matters because agentic AI adoption is outpacing the governance frameworks meant to cover it. Practitioners need tooling that treats it as a first-class concern today.


Who This Is For

This tool is built for practitioners who are implementing AI governance inside organisations — not studying it theoretically. If you are responsible for reviewing AI systems before deployment, designing governance processes, advising engineering teams on compliance obligations, or building the evidence trail for regulatory readiness, this tool is designed for your workflow.

It is also useful for organisations beginning their AI governance journey who need a structured starting point that is grounded in current frameworks rather than built from scratch.


Try It

The tool is live at generate-ai-risk-assessment.vercel.app.

Enter your system context, select your applicable frameworks and region, and specify whether the system is agentic. The output will reflect your specific situation — not a generic template.

I would genuinely like to know what your context surfaces, and what you find missing. AI governance tooling improves when practitioners engage with it critically. If something in the output doesn't match what your regulatory environment or sector requires, that feedback shapes the next iteration.

If you are building something similar or would like to discuss the framework architecture, I am happy to connect.
