NorthPoint Financial Services - a mid-size financial institution operating in the EU - had no centralised visibility into its AI systems. Leadership could not answer the most fundamental governance question: "What AI are we running, how risky is it and are we compliant?"
This project delivered that answer. I designed and executed a complete AI system inventory programme covering four production AI systems across credit, fraud, customer support and marketing. The output: a structured inventory, EU AI Act risk classification with full legal reasoning, NIST AI RMF control mapping, automated governance validation and an executive report ready for board and regulatory review.
The business impact: NorthPoint can now demonstrate to regulators, auditors and the board exactly which AI systems it operates, what risk tier each carries, what obligations apply and what controls are in place - with documented, auditable evidence for every decision.
This project is Phase 1 of an ongoing AI governance programme. Phase 2 applies deep risk assessment methodology to the two HIGH RISK systems identified here. → View Phase 2
| Deliverable | Description |
|---|---|
| AI System Inventory | Structured CSV + JSON capturing all AI systems, owners, data sources and review cycles |
| EU AI Act Classification | Risk-tiered classification for each system with full legal reasoning and regulatory obligations |
| NIST AI RMF Mapping | Control mapping across all four RMF functions per system, proportionate to risk level |
| ISO 42001 Alignment | High-level alignment check against ISO 42001 AI Management System requirements |
| Automated Validator | Python script that checks inventory completeness and flags governance gaps before reporting |
| Executive Governance Report | Board-ready report generated directly from validated inventory data |
```mermaid
flowchart TD
    A[NorthPoint Financial Services\n4 Production AI Systems] --> B[AI System Inventory\nCSV + JSON]
    B --> C{EU AI Act\nRisk Classifier}
    B --> G[NIST AI RMF\nControl Mapper]
    C -->|2 Systems| D[HIGH RISK\nArticles 9–15 Obligations]
    C -->|1 System| E[LIMITED RISK\nArticle 50 Transparency]
    C -->|1 System| F[MINIMAL RISK\nVoluntary Codes Only]
    G --> H[GOVERN]
    G --> I[MAP]
    G --> J[MEASURE]
    G --> K[MANAGE]
    D & E & F --> L[Inventory Validator\n12 Governance Checks]
    H & I & J & K --> L
    L --> M[Executive Governance Report]
    M --> N[Board & Regulatory Review]
    style D fill:#ff4444,color:#fff
    style E fill:#ffaa00,color:#fff
    style F fill:#00aa44,color:#fff
```
| ID | System | Purpose | Sector | Automated Decision |
|---|---|---|---|---|
| NP-001 | Credit Scoring Engine | Assesses creditworthiness and determines loan eligibility | Financial Services | Yes |
| NP-002 | Fraud Detection System | Real-time transaction fraud detection with automatic holds | Financial Services | Yes |
| NP-003 | Customer Support Chatbot | Tier-1 customer query handling via LLM-powered chat | General Purpose | No |
| NP-004 | Marketing Personalisation AI | Customer segmentation and campaign personalisation | Marketing | No |
I applied the EU AI Act's four-tier risk model to each system, with documented reasoning for every classification decision.
```mermaid
pie title EU AI Act Risk Distribution - NorthPoint Financial Services
    "HIGH RISK (Annex III)" : 2
    "LIMITED RISK (Article 50)" : 1
    "MINIMAL RISK" : 1
```
| System | Risk Tier | Regulatory Basis | Key Obligations |
|---|---|---|---|
| Credit Scoring Engine | HIGH RISK | Annex III §5(b) - creditworthiness assessment | Articles 9–15: risk management system, data governance, human oversight, transparency, logging |
| Fraud Detection System | HIGH RISK | Annex III §5(b) - financial services | Articles 9–15: post-market monitoring, robustness testing, incident reporting |
| Customer Support Chatbot | LIMITED RISK | Article 50(1) - conversational AI | Mandatory disclosure: users must know they are interacting with AI |
| Marketing Personalisation AI | MINIMAL RISK | No Annex III classification | No mandatory obligations; voluntary codes of conduct encouraged |
Classification insight: NP-001 and NP-002 are classified HIGH RISK not because of poor design, but because of where they operate (financial services) and what they decide (access to credit and funds). Under the EU AI Act, context determines classification - not quality.
→ Full classification reasoning: docs/eu_ai_act_classification.md
Controls were applied proportionate to each system's risk tier across all four NIST AI RMF functions.
```mermaid
quadrantChart
    title NIST AI RMF - Control Coverage vs Risk Level
    x-axis Low Risk --> High Risk
    y-axis Minimal Controls --> Full Governance Suite
    quadrant-1 Full Governance
    quadrant-2 Over-governed
    quadrant-3 Under-governed
    quadrant-4 Proportionate Baseline
    Credit Scoring Engine: [0.85, 0.90]
    Fraud Detection System: [0.80, 0.88]
    Customer Support Chatbot: [0.35, 0.45]
    Marketing Personalisation AI: [0.15, 0.25]
```
| System | GOVERN | MAP | MEASURE | MANAGE | Total Controls |
|---|---|---|---|---|---|
| Credit Scoring Engine | 5 | 5 | 5 | 5 | 20 |
| Fraud Detection System | 5 | 5 | 5 | 5 | 20 |
| Customer Support Chatbot | 4 | 4 | 2 | 3 | 13 |
| Marketing Personalisation AI | 4 | 4 | 2 | 3 | 13 |
The HIGH RISK systems received the full 20-control governance suite. The proportionality principle was applied deliberately - applying full controls to low-risk systems creates compliance overhead without reducing actual risk.
→ Full control mapping: docs/nist_rmf_mapping.md
The inventory is validated by a Python engine that runs 12 checks across every system before any report is generated:
```text
[✓] No duplicate system IDs detected
[✓] All system IDs match expected format (NP-###)
[✓] [NP-001] All mandatory fields populated
[✓] [NP-001] HIGH RISK system has a named owner: 'Head of Credit Risk'
[✓] [NP-001] HIGH RISK system review cycle within limit (6 months)
[✓] [NP-001] Human oversight documented for automated decision system
[✓] [NP-002] All mandatory fields populated
[✓] [NP-002] HIGH RISK system has a named owner: 'Head of Financial Crime'
[✓] [NP-002] HIGH RISK system review cycle within limit (3 months)
[✓] [NP-002] Human oversight documented for automated decision system
[✓] [NP-003] All mandatory fields populated
[✓] [NP-004] All mandatory fields populated

Validation PASSED - All 12 checks completed successfully.
```
If any check fails, the script identifies the exact system and field so issues can be corrected before the report goes to leadership.
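The check logic behind that output, written here as an added example rather than the project's own scripts/validate_inventory.py: it reimplements the 12 checks listed above over a constructed inline copy of the four NorthPoint systems. The owners and review cycles for NP-001 and NP-002 are taken from the output above; the 6-month review limit for HIGH RISK systems, the other two owners, the data sources and the human-oversight notes are assumptions made for illustration, as are the field names. Each finding carries the system ID and the offending field so a failure points at exactly what to fix.

```python
"""Inventory governance validator (illustrative example, not the project's
scripts/validate_inventory.py). Runs portfolio-wide and per-system checks
over an inline inventory and reports the exact system and field on failure."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

ID_PATTERN = re.compile(r"^NP-\d{3}$")  # expected format NP-###
MANDATORY_FIELDS = ("system_id", "name", "owner", "risk_tier",
                    "data_sources", "review_cycle_months", "automated_decision")
# Assumed threshold: the README shows 6- and 3-month HIGH RISK cycles passing.
HIGH_RISK_MAX_REVIEW_MONTHS = 6

# Constructed sample inventory mirroring the README's four systems.
# Owners/cycles for NP-001 and NP-002 come from the README output; the rest
# (data sources, oversight notes, NP-003/NP-004 owners) are placeholders.
INVENTORY: List[Dict[str, Any]] = [
    {"system_id": "NP-001", "name": "Credit Scoring Engine",
     "owner": "Head of Credit Risk", "risk_tier": "HIGH RISK",
     "data_sources": ["loan applications", "bureau data"],
     "review_cycle_months": 6, "automated_decision": True,
     "human_oversight": "Credit officer reviews every automated decline"},
    {"system_id": "NP-002", "name": "Fraud Detection System",
     "owner": "Head of Financial Crime", "risk_tier": "HIGH RISK",
     "data_sources": ["transaction stream"],
     "review_cycle_months": 3, "automated_decision": True,
     "human_oversight": "Analyst confirms or releases every automatic hold"},
    {"system_id": "NP-003", "name": "Customer Support Chatbot",
     "owner": "Head of Customer Operations", "risk_tier": "LIMITED RISK",
     "data_sources": ["support transcripts"],
     "review_cycle_months": 12, "automated_decision": False},
    {"system_id": "NP-004", "name": "Marketing Personalisation AI",
     "owner": "Head of Marketing", "risk_tier": "MINIMAL RISK",
     "data_sources": ["campaign history"],
     "review_cycle_months": 12, "automated_decision": False},
]


@dataclass
class Finding:
    passed: bool
    system_id: Optional[str]  # None for portfolio-wide checks
    message: str


def validate(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Run every check and return one Finding per check, in report order."""
    findings: List[Finding] = []
    ids = [s.get("system_id") for s in inventory]

    # Portfolio-wide: duplicate IDs would make ownership and audit trails ambiguous
    dupes = sorted({i for i in ids if ids.count(i) > 1}, key=str)
    findings.append(Finding(not dupes, None,
                            "No duplicate system IDs detected" if not dupes
                            else "Duplicate system IDs: " + ", ".join(map(str, dupes))))
    # Portfolio-wide: every ID must follow NP-### so downstream joins work
    bad_ids = [str(i) for i in ids if not (isinstance(i, str) and ID_PATTERN.match(i))]
    findings.append(Finding(not bad_ids, None,
                            "All system IDs match expected format (NP-###)" if not bad_ids
                            else "System IDs not matching NP-###: " + ", ".join(bad_ids)))

    for s in inventory:
        sid = str(s.get("system_id", "<no id>"))
        # None, empty string and empty list all count as "not populated"
        missing = [f for f in MANDATORY_FIELDS if s.get(f) in (None, "", [])]
        findings.append(Finding(not missing, sid,
                                "All mandatory fields populated" if not missing
                                else "Missing mandatory fields: " + ", ".join(missing)))
        if s.get("risk_tier") == "HIGH RISK":
            owner = s.get("owner")
            findings.append(Finding(bool(owner), sid,
                                    f"HIGH RISK system has a named owner: '{owner}'" if owner
                                    else "HIGH RISK system has no named owner"))
            cycle = s.get("review_cycle_months")
            cycle_ok = isinstance(cycle, int) and 0 < cycle <= HIGH_RISK_MAX_REVIEW_MONTHS
            findings.append(Finding(cycle_ok, sid,
                                    f"HIGH RISK system review cycle within limit ({cycle} months)" if cycle_ok
                                    else f"HIGH RISK system review cycle exceeds {HIGH_RISK_MAX_REVIEW_MONTHS} months: {cycle!r}"))
        if s.get("automated_decision"):
            oversight = s.get("human_oversight")
            findings.append(Finding(bool(oversight), sid,
                                    "Human oversight documented for automated decision system" if oversight
                                    else "Automated decision system has no documented human oversight"))
    return findings


def render(findings: List[Finding]) -> List[str]:
    """Format findings as the [✓]/[✗] lines shown in the README output."""
    lines = []
    for f in findings:
        mark = "✓" if f.passed else "✗"
        scope = f"[{f.system_id}] " if f.system_id else ""
        lines.append(f"[{mark}] {scope}{f.message}")
    return lines


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count passed and failed checks so a caller can gate report generation."""
    passed = sum(1 for f in findings if f.passed)
    return {"passed": passed, "failed": len(findings) - passed}


if __name__ == "__main__":
    results = validate(INVENTORY)
    print("\n".join(render(results)))
    totals = summary(results)
    status = "PASSED" if totals["failed"] == 0 else "FAILED"
    print(f"\nValidation {status} - {totals['passed']} of {len(results)} checks passed.")
```

The checks read every field through `dict.get`, so a record with a missing or malformed field produces a failed finding rather than a crash, and `summary` gives the report generator a single gate to refuse to run until the failure count is zero.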
The final output is a board-ready governance report generated automatically from validated inventory data - no manual formatting.
Key findings from the NorthPoint Financial Services assessment:
- 2 of 4 systems (50%) carry HIGH RISK classification under EU AI Act Annex III
- Full Articles 9–15 obligations apply to the Credit Scoring and Fraud Detection systems immediately
- 26 governance controls are active across the portfolio; HIGH RISK systems carry 20 each
- Recommended priority action: Conduct formal conformity assessment for NP-001 before next regulatory cycle
→ Full report: docs/governance_report.md
This inventory established what NorthPoint is running and what tier each system falls into.
Phase 2 goes deeper: a full risk assessment on the two HIGH RISK systems - likelihood/impact analysis, bias and fairness evaluation, EU AI Act Article 9 compliance review and a board-level governance memo.
→ Phase 2: AI Risk Assessment - NorthPoint Financial Services
```text
AI-System-Inventory/
├── README.md                        ← You are here
├── banner.png                       ← Project banner
├── configs/
│   ├── ai_inventory.csv             ← Structured inventory (spreadsheet-friendly)
│   └── ai_inventory.json            ← Structured inventory (machine-readable)
├── docs/
│   ├── eu_ai_act_classification.md  ← Full EU AI Act classification analysis
│   ├── nist_rmf_mapping.md          ← Full NIST AI RMF control mapping
│   └── governance_report.md         ← Executive governance report
├── scripts/
│   ├── classify_systems.py          ← EU AI Act risk classifier
│   ├── map_to_rmf.py                ← NIST AI RMF mapper
│   ├── validate_inventory.py        ← Governance gap validator
│   └── generate_report.py           ← Automated report generator
└── screenshots/
    └── README.md                    ← Screenshot guide
```
| Skill Area | What This Project Shows |
|---|---|
| AI Governance | End-to-end operationalisation of an AI governance programme from inventory through to board reporting |
| EU AI Act Compliance | Risk-tier classification with documented legal reasoning; Annex III mapping; Articles 9–15 obligation identification |
| NIST AI RMF | Proportionate control design across GOVERN / MAP / MEASURE / MANAGE functions |
| ISO 42001 | AI Management System alignment assessment for enterprise AI governance |
| AI GRC | Governance, Risk and Compliance framework design for regulated AI environments |
| Responsible AI | Human oversight design; fairness and transparency obligation mapping |
| Python Automation | Governance validation pipelines; automated executive report generation |
| Executive Communication | Board-ready reporting; translating regulatory obligations into business language |
| Framework | Resource |
|---|---|
| EU AI Act (Official Text) | EUR-Lex 2024/1689 |
| EU AI Act Annex III - High-Risk Systems | EUR-Lex Annex III |
| NIST AI Risk Management Framework 1.0 | airmf.nist.gov |
| NIST AI RMF Playbook | airc.nist.gov |
| ISO/IEC 42001:2023 - AI Management Systems | iso.org/standard/81230 |
franciscovfonseca · GitHub · LinkedIn
Part of an ongoing AI Security and AI Governance Portfolio · View all projects →
