The governance lifecycle

Gamut is organised around a single idea: AI governance is a lifecycle, not a one-off project. Each stage produces records that the next stage builds on, so that governance stays current as systems and obligations change.

[Figure: the eight-stage lifecycle diagram. Stages: 1 Discover, 2 Assess, 3 Classify, 4 Govern, 5 Evidence, 6 Audit, 7 Report, 8 Improve, arranged as a loop labelled "continuous improvement".]
The eight-stage AI governance lifecycle. Each stage produces records the next builds on, and findings feed back into continuous improvement.

The lifecycle has eight stages. You do not have to adopt them all at once. Most organisations start with Discover and Assess and grow into the rest.

1. Discover

Find and record AI use across the organisation before it becomes uncontrolled. Capture AI systems, GenAI tools, vendor AI, internal use cases and emerging agentic workflows in one governed register.

  • For the organisation: know what exists, who owns it and how it is being used.
  • For the auditor: review a clear AI inventory with ownership and scope.

2. Assess

Understand context, purpose and impact. Assess business purpose, users, data exposure, human oversight, supplier involvement, geography and potential impact.

  • For the organisation: make consistent decisions before AI use spreads.
  • For the auditor: see the rationale behind each assessment decision.

3. Classify

Turn AI use into a structured risk view that supports EU AI Act readiness, internal policy, assurance and leadership reporting.

  • For the organisation: prioritise the systems and workflows that need attention first.
  • For the auditor: trace risk classification back to documented evidence.

4. Govern

Apply policy, controls and accountability. Connect owners, approvals, control expectations, model cards, risk registers and governance actions in a repeatable operating model.

  • For the organisation: move from ad-hoc AI use to managed AI governance.
  • For the auditor: review how governance decisions were made and approved.

5. Evidence

Collect evidence as governance work happens. Create evidence requests, capture artefacts, track quality, record findings and keep remediation visible to the right stakeholders.

  • For the organisation: avoid chasing evidence at the end of a review cycle.
  • For the auditor: work from structured evidence instead of scattered documents.

6. Audit

Make assurance reviewable, repeatable and defensible. Give internal audit, external reviewers and governance teams a clearer basis for testing, challenge, findings and follow-up.

  • For the organisation: prepare for client, board, audit and regulator questions.
  • For the auditor: follow a cleaner path from requirement to evidence to finding.

7. Report

Report clearly to boards and leadership: a practical view of AI inventory, risk, evidence quality, open findings, remediation progress and readiness priorities.

  • For the organisation: give leadership a concise picture of AI governance maturity.
  • For the auditor: support formal reporting with traceable underlying records.

8. Improve

Turn findings into continuous improvement. Track remediation, monitor change, update evidence and keep the lifecycle alive as systems and obligations evolve.

  • For the organisation: keep governance current as AI adoption grows.
  • For the auditor: review progress over time, not just a point-in-time snapshot.

The value is in the connections, not the stages in isolation. A finding raised at the Audit stage traces back to the evidence that exposed it, the control expectation that evidence was testing, the risk classification that selected that control, and the AI system the whole chain describes. That traceability is what makes Gamut governance defensible.