Reporting & exports
Reporting turns the records in Gamut into outputs people act on: a board view of AI governance maturity, and workpaper-grade exports for audit and assurance. Because reports are generated from the connected records, every conclusion can be traced back to the evidence behind it.
What reports show
A report draws the lifecycle together into a single, practical view:
- AI inventory: the systems in scope, their owners and lifecycle status.
- Risk: the classification picture across systems.
- Evidence quality: how well governance claims are supported.
- Findings: open deficiencies and exceptions.
- Remediation progress: what is being fixed and how far along it is.
- Readiness priorities: where to focus next.
Pack types
Rather than one generic report, Gamut produces purpose-built packs, each composed of a different set of sections for a different audience:
| Pack | Built for |
|---|---|
| Full assessment | The complete picture: every section, for a deep review. |
| Framework focus | A single framework in depth (for example GTSAF, EU AI Act, ATF). |
| Executive | Leadership: dashboard, estate, framework, evidence, findings, decisions, roadmap. |
| Board pack | Board oversight: adds estate, agentic and gateway posture to the executive view. |
| Board summary | A concise board-level summary. |
| Evidence pack | Evidence-centred: controls, evidence, findings and supporting workflow. |
| Control testing | The control-testing record for assurance work. |
| Agentic snapshot | The agentic posture: agents, ATF, gateway decisions and runtime evidence. |
Each pack selects only the sections relevant to its purpose, so a board pack is not a 200-page audit file and an evidence pack is not a one-page summary.
Two audiences, one source
Reporting serves two audiences at once, from the same records:
- Boards and leadership get a concise picture of AI governance maturity, exposure and the decisions required of them, without engineering detail.
- Auditors and reviewers get traceable, workpaper-grade outputs that connect each conclusion back to its underlying evidence.
Because both views draw on the same connected records, the board view and the audit view never diverge.
Traceability metadata
Every generated report carries run-level metadata (a run ID, the generation timestamp, the assessment, the framework scope and the pack type), so any export can be located, reproduced and defended. A report is not an anonymous PDF; it is a dated, identified artefact tied to the records it was built from.
Exports
Reports are produced as governed HTML and can be exported for distribution and record-keeping (for board packs, client assurance, internal audit and external review), subject to the `export.report` and `export.workpaper` permissions. Because the underlying records are connected, an export reflects the current state of the traceable chain behind it rather than a snapshot that quietly goes stale.
From point-in-time to continuous
Traditional governance produces a report once a year. Because Gamut keeps records connected and current, reporting becomes something you run whenever you need it, supporting the Improve stage with a view of progress over time, not just a single snapshot.
- Evidence & findings: the records reports surface.
- Model cards: model-level detail for reports.
- Plans & entitlements: what controls export rights.