VanRein Compliance — AI Governance Intake Form v1.0

AI GOVERNANCE FORM v1.0 · VRC1 PLATFORM CONFIDENTIAL

AI Governance Intake & Scope Confirmation Form

Complete all required sections before engagement commences. Sections marked REQUIRED must be fully populated prior to engagement start.

SECTION 01

ENGAGEMENT OVERVIEW REQUIRED

CLIENT NAME *

ENGAGEMENT / PROJECT NAME *

PREPARED BY (VANREIN) *

DATE *

PRIMARY TECHNICAL POC (CLIENT)

COMPLIANCE / AUDIT LIAISON (CLIENT)

SECTION 02

ORGANIZATION & COMPLIANCE CONTEXT

INDUSTRY *

EMPLOYEE COUNT

STATE OF INCORPORATION

REGULATORY REQUIREMENTS (SELECT ALL THAT APPLY)

HIPAA SOC 2 PCI-DSS ISO 27001 NIST AI RMF TX-RAMP EU AI Act ISO/IEC 42001

OTHER REGULATORY REQUIREMENT

SECTION 03

ENGAGEMENT OBJECTIVES

PRIMARY GOAL (SELECT ALL THAT APPLY)

Identify AI risk exposure Validate existing AI controls Meet compliance requirements Competitive differentiation Customer & enterprise assurance Support audit or certification Establish AI incident response Workforce training & policy

OTHER GOAL

SUCCESS CRITERIA

SECTION 04

AI SYSTEM INVENTORY ● CRITICAL

SCOPE NOTE: Include ALL AI/ML tools regardless of deployment model — public LLMs, fine-tuned models, vendor-embedded AI, internal pipelines, and automation tools with AI components. VanRein assesses both external and internal surfaces.

PUBLIC / COMMERCIAL LLMS IN USE (SELECT ALL THAT APPLY) *

OpenAI GPT-5 / GPT-4o (API or Azure OpenAI) Anthropic Claude 4 (Opus / Sonnet / API or Bedrock) Google Gemini 2.5 Pro / Flash (Vertex AI or API) Meta Llama 4 (via Bedrock, Azure, or self-hosted) Mistral Large 2 / Le Chat (API or Azure) xAI Grok 3 (API or X Premium) Microsoft Copilot / Copilot 365 (Enterprise) AWS Bedrock (Nova, Titan, Llama, Mistral) Ambient AI / Scribes (Nuance DAX, Suki, Abridge) ChatGPT (Employee browser / ChatGPT Team) Automation / RPA w/ AI (UiPath, Power Automate, etc.) Other / Custom or Fine-tuned LLM

SPECIFY OTHER AI VENDORS / MODELS

INTERNAL AI / ML MODELS OR PIPELINES

Custom-trained NLP / ASR Sentiment / intent scoring Clinical decision support Data classification / PII detection Recommendation engine None — vendor models only

AI OUTPUTS USED FOR CONSEQUENTIAL DECISIONS? *

Yes No Partial / In review

CUSTOMERS INFORMED AI IS IN USE? *

Yes No Planned

DESCRIBE PRIMARY AI USE CASES *

SECTION 05

DATA HANDLING & ARCHITECTURE ● CRITICAL

DATA CATEGORIES PROCESSED *

PHI / Medical Records PII (Names, Contacts) Call Audio / Recordings Call Transcripts Financial / Payment Data CRM / Business Records Biometric Data Metadata / Usage Logs Government ID / SSN

TRANSPORT & NETWORK CONTROLS IN USE *

TLS / SSL (HTTPS) REST APIs SFTP VLANs VPN mTLS / Zero Trust

DATA SENT TO THIRD-PARTY AI VENDORS? *

Yes No Partially / Some vendors

DATA MASKING / OBFUSCATION CONTROLS

THIRD-PARTY AI VENDORS / DATA PROCESSORS

NETWORK DIAGRAM AVAILABLE?

Yes No In Progress

DATA FLOW DIAGRAMS AVAILABLE?

Yes No In Progress

SECTION 06

RISK POSTURE & CURRENT GOVERNANCE

CURRENT AI GOVERNANCE MATURITY *

Ad hocNo formal governance — AI in use with no policy, controls, or documentation

DevelopingBasic policies exist — some acceptable use policies; limited controls or inventory

DefinedDocumented AI governance program — risk assessments, inventories, and vendor reviews in place

ManagedEvidence-based assurance — ongoing monitoring, audit logs, training, incident response

KNOWN RISK CONCERNS (SELECT ALL THAT APPLY)

Prompt injection / adversarial input PII / PHI leakage to public models Hallucination / output accuracy Model bias / disparate impact No AI incident response process Lack of AI usage inventory Vendor contractual gaps (DPA, BAA) Regulatory non-compliance

GOVERNANCE CONFIDENCE RATING (1 = NOT CONFIDENT, 5 = VERY CONFIDENT)

1Not Confident 2 3 4 5Very Confident

PRIOR AI / SECURITY ASSESSMENT?

PENETRATION TESTING DESIRED? *

Yes No

CRITICAL SYSTEMS / AI FUNCTIONS THAT MUST NOT BE DISRUPTED

PRIMARY DRIVERS FOR PURSUING AI GOVERNANCE (SELECT ALL THAT APPLY)

Competitive differentiation Customer reassurance / trust Enterprise sales requirements Regulatory compliance Partner / vendor requirements Board / investor mandate

SECTION 07

PROGRAM SELECTION & PRICING REQUIRED

★ PREFERRED CLIENT PRICING — 10% LOYALTY ADJUSTMENT APPLIED As a long-term client, we've applied preferred pricing to extend your compliance program into AI Governance without increasing complexity. Discounted rates are reflected below.

SELECT PROGRAM OPTION *

OPTION 01 AI Risk Snapshot

Quick clarity. Immediate visibility.

$13,950 $15,500 10% discount

or $1,165/month × 12 months

Targeted AI Risk Review
AI Usage Discovery (High-Level)
PHI Exposure & Data Risk Check
Key Vendor Review (Sample-Based)
HIPAA-Aligned Risk Insights
★ Best For: Organizations starting to explore AI risk

OPTION 02 AI Governance Assessment ★ RECOMMENDED

Structured insight. Defined risk posture.

$22,500 $25,000 10% discount

or $1,875/month × 12 months

Comprehensive AI Inventory & Usage Mapping
Full AI Risk Assessment (Data, Models, Usage)
Data Flow & PHI Exposure Analysis
Vendor Security & Compliance Review
AI Risk Register (Included)
Policy Gap Analysis
NIST AI RMF + HIPAA Control Mapping
Usage & Prompt Risk Evaluation
★ Best For: Organizations actively using AI without formal governance

OPTION 03 AI Governance Program

Full governance. Built to scale.

$45,000 $50,000 10% discount

or $3,750/month × 12 months

Enterprise AI Inventory + Risk Classification Model
AI Governance Framework Development
Data Protection Controls + Governance Integration
Vendor Governance + Approval Framework
AI Acceptable Use Policy (Draft Included)
Security Architecture & Control Design
AI Risk Register (Integrated)
Workforce AI Usage Framework & Training
Phased Implementation Roadmap (6–12 Months)
Executive Advisory & Ongoing Governance Support
★ Best For: Enterprise-scale programs, built to scale

PREFERRED PAYMENT STRUCTURE *

Annual (single payment) Monthly (12-month term) Discuss with Bennie

TIMELINE TO BEGIN ENGAGEMENT *

As soon as possible Within 30 days Within 60 days

ADDITIONAL CONTEXT OR SCOPE NOTES

SECTION 08

INCLUDED SERVICE COMPONENTS

VRC1 AI Governance Platform Solutions VRC1 AI Governance Platform Solutions extends your existing HIPAA compliance foundation into the rapidly evolving AI landscape — ensuring that how AI is used across your organization is secure, controlled, and aligned with regulatory expectations. Rather than introducing a separate program, VRC1 integrates AI governance directly into your current compliance framework, providing visibility into AI usage, managing risk exposure, and establishing governance aligned with regulatory expectations.

01

AI Risk Assessment & Use Case InventoryIdentifies where AI is used across your organization and evaluates risk exposure (data input, output reliability, vendor risk). This is not a separate compliance program — it's an extension of your existing HIPAA foundation, designed to govern how AI interacts with sensitive data, workflows, and decision-making across your organization.

02

AI Governance Policies & Acceptable Use FrameworkDefines how AI can and cannot be used across teams, including PHI handling, prompt guidance, and data restrictions.

03

AI Risk Register & Ongoing Risk TrackingCentralized register of AI-related risks with scoring, ownership, and mitigation tracking inside VRC1.

04

AI Vendor Security ReviewDocumentation of third-party AI tools (e.g., ChatGPT, ambient scribes, automation tools) to ensure proper data handling and contractual safeguards aligned with HIPAA and AI governance requirements.

05

Workforce AI Training & CertificationPractical training for staff on safe AI usage, prompt hygiene, and compliance alignment — aligned with HIPAA and emerging AI regulations.

06

AI Output Validation & Human Oversight ControlsEstablishes guardrails to reduce hallucinations, ensure accuracy, and maintain human-in-the-loop review where required.

07

Incident Response & AI Misuse ProtocolsDefines procedures for AI-related incidents including data exposure, incorrect outputs, or unauthorized use.

08

AI Governance Meetings & AdvisoryOngoing guidance to adapt policies and controls as AI tools and regulations evolve.

09

Dedicated AI Compliance Support TeamDirect access to VanRein experts for real-time questions, tool reviews, and implementation support.

SECTION 09

COMPLIANCE & CERTIFICATION TARGETS

CERTIFICATION / FRAMEWORK TARGETS *

SOC 2 Type 1 — Point-in-time SOC 2 Type 2 — 12-month evidence TX-RAMP — Texas state cloud security AI Governance Rating / Seal ISO/IEC 42001 — AI Management System NIST AI RMF Conformance HIPAA (if PHI in scope) FedRAMP / StateRAMP

TARGET CERTIFICATION DATE

PREFERRED CPA FIRM (SOC 2)

CERTIFICATION NOTES / CONSTRAINTS

SECTION 10

REPORTING & DELIVERABLES

REPORTS REQUIRED

Executive Summary Technical Report Both

REMEDIATION TRACKING REQUIRED?

Yes — in VRC1 No — report only

FRAMEWORK ALIGNMENT

NIST AI RMF ISO/IEC 42001 HIPAA Security Rule NIST CSF 2.0 CIS Controls OWASP LLM Top 10

SECTION 11

POINT OF CONTACT & ESCALATION REQUIRED

PRIMARY TECHNICAL CONTACT *

EMAIL *

PHONE

SECONDARY / ESCALATION CONTACT

SECTION 12

LEGAL & FINAL AUTHORIZATION REQUIRED

LEGAL NOTE: Written authorization will be finalized prior to engagement start. All activities are governed by the VanRein Compliance Master Services Agreement and applicable confidentiality terms.

ATTESTATIONS * ACCURACY: I attest that all information provided is accurate and complete to the best of my knowledge. AUTHORIZATION: I am authorized to initiate this engagement and grant access to systems described herein. DATA HANDLING: I understand all information is treated as confidential and used exclusively for this engagement. NDA IN PLACE: A Non-Disclosure Agreement is already executed between the parties. (Check if applicable.)

AUTHORIZED SIGNATORY NAME *

TITLE / AUTHORITY *

COMPANY *

DATE *

SIGNATURE

SIGNATURE / ELECTRONIC ACKNOWLEDGEMENT

SECTION 13

ADDITIONAL NOTES

NOTES, SPECIAL INSTRUCTIONS, VENDOR CONSTRAINTS, OR ENGAGEMENT-SPECIFIC ADDENDA

VanRein Compliance — Confidential & Proprietary AI Governance Intake Form v1.0