Internal Controls
Policies and procedures that ensure AI systems operate as intended, including access controls, change management, and testing approvals.
Internal controls are the policies, procedures, and technical safeguards that ensure an organization’s AI systems operate as intended and comply with laws and internal standards. They include access controls, change management, version control, testing approvals, and segregation of duties.
Exhibit A of the NAIC AI Evaluation Tool focuses on governance, risk management, and internal controls. Examiners look for evidence that controls exist and are operating. For example, can the carrier show who approved a model change, what testing was done, and whether the change was communicated to the business line?
Weak internal controls are a common finding in AI governance exams. A model that is not version-controlled, or a deployment process that does not require testing sign-off, is a control failure even if the model itself is accurate. See our glossary entries on Exhibit A, the AI Systems Program, and model risk management.