Process management — Can you demonstrate a structured workflow from intake to resolution?

1. Receive request — log in GRC platform, assign tracking ID. 2. Initial risk triage — classify per EU AI Act risk tiers (minimal, limited, high, unacceptable). 3. Route to reviewer — assign to appropriate subject matter expert based on risk tier and domain. 4. Track through approval — manage workflow through review, approval or remediation, and deployment authorization. 5. Document and close — record decision rationale, update AI inventory, archive evidence.

Framework knowledge — Do you understand how major frameworks complement each other in the governance ecosystem?

NIST AI RMF is voluntary with 4 functions (GOVERN, MAP, MEASURE, MANAGE) — it provides structure but no legal mandate. ISO 42001 is the first certifiable AI management system standard — organizations can be audited against it. EU AI Act is binding regulation with penalties (up to €35M or 7% of turnover) — it creates legal obligations. Each serves a different purpose: NIST for structure, ISO for certification, EU AI Act for legal compliance.

Operational competency — Can you describe the practical mechanics of inventory management?

1. Catalog all AI systems — production, development, and third-party. 2. Assign metadata — owner, risk tier, data sources, deployment status, model version. 3. Use GRC platform — OneTrust, Credo AI, or ServiceNow for centralized tracking. 4. Establish update cadence — quarterly reviews, triggered reviews on system changes. 5. Automate where possible — integrate with CI/CD pipelines for deployment-triggered inventory updates.

Cross-functional coordination — Can you facilitate between teams that have different goals and timelines?

1. Understand constraints — meet with each team to understand their priorities, deadlines, and blockers. 2. Identify shared objectives — find the common ground that all teams benefit from. 3. Establish communication channels — regular touchpoints, shared documentation, clear escalation paths. 4. Document agreements — written commitments with owners and deadlines. 5. Follow up consistently — track progress and surface blockers before they become crises.

Compliance monitoring — Can you handle policy violations with appropriate escalation and remediation?

1. Document the finding — capture system details, deployment date, owner, and data sources. 2. Assess immediate risk — determine EU AI Act risk tier and potential exposure. 3. Escalate per procedure — follow governance escalation procedures to appropriate authority. 4. Conduct retrospective assessment — run the governance review the system should have received. 5. Implement preventive controls — strengthen deployment gates to prevent recurrence.