IAIL Framework v1.2

Before any scoring begins, every assessment opens with a formal determination of whether the enterprise has identified enough of its AI exposure surface for the findings to be defensible. Most enterprises have not fully mapped this. AI was introduced into products without governance events. Developers consume model APIs outside procurement. Business units run tools that never entered vendor management. The Scope Check establishes what is known, what is unknown, and what the Coverage Confidence verdict is.

Binary conditions assessed before dimensional scoring. Any Hard Stop triggers immediate board notification. S1 Undisclosed Training Data Use. S2 No Deletion Clause. S3 Unlimited Subprocessor Rights. S4 Unlawful Personal Data in AI. S5 Blanket AI Liability Exclusion. S6 No Audit Rights Over AI Outputs. S7 Agentic AI With No Scope Limitation.

D1 Data Flow Exposure. D2 Contractual Gap Analysis. D3 Deletion Incompleteness. D4 Regulatory Exposure Mapping. D5 Privacy Misalignment. D6 Executive Accountability Mapping. D7 Model Change and Continuity Exposure. D8 Employee AI Processing. D9 Agentic and Autonomous AI Exposure. Each addresses a distinct mechanism through which liability accumulates.

The same vendor presents different liability depending on deployment. A language model for internal drafting is different from the same API making credit decisions. Criticality determines which clause families are non-negotiable, the board disclosure threshold, and how dimension weights adjust.

Every finding traces to a specific evidence tier. T1: signed contract documents. T2: vendor-published documentation. T3: enterprise-provided records. T4: publicly available information. The evidence tier determines the confidence rating of each finding.