The anatomy of an AI evidence pack

An AI evidence pack is the complete set of artefacts a governance committee needs to make a defensible decision about an AI system deployment. It is the input to the committee's review — not the output. The committee's output is the disposition record, which incorporates the committee's decision and references the evidence pack that supported it.

The evidence pack must be complete at the time it is submitted to the committee. A committee meeting that reviews an incomplete evidence pack and expects the gaps to be filled before the next meeting is not conducting governance — it is conducting project management. The committee's mandate is to make decisions on the basis of complete evidence, not to supervise evidence collection.

The six artefacts in a complete AI evidence pack:

1. Disposition record (draft):The proposed decision — what disposition is being recommended, under what conditions, with what re-assessment triggers. The draft disposition is the committee's starting point for deliberation.
2. System description: The scope and boundary of the AI system being assessed — what it does, what data it processes, who uses it, what other systems it interacts with, and the deployment context.
3. Threat model: The risk identification methodology and its output — the identified threats, their likelihood and impact, and the mapping of threats to controls.
4. Control plan with verification evidence: The controls required to address the identified threats, the owner and status of each control, and the evidence that confirms each control is in place and operating as designed.
5. Open gaps log: The control gaps that have been identified and not yet closed — the residual risk they represent, the closure plan, the owner, and the deadline.
6. DPO advisory (where applicable):The Data Protection Officer's assessment of the system's data protection implications, required for any AI system that processes personal data. The DPO advisory may include a DPIA reference or a summary of the DPO's sign-off.

The order of the artefacts in the evidence pack is not arbitrary. The pack should tell a coherent story: scope, risk, controls, gaps, decision. A committee that reads the pack in order should be able to follow the logic from the system description through the threat model and control plan to the proposed disposition.

An evidence pack that presents the disposition before the evidence makes it impossible for the committee to evaluate whether the disposition is well-founded. The evidence must come first — the disposition is a conclusion, not an assertion.

The narrative flow: “Here is what the system is and does. Here are the risks we identified for this specific system in this specific deployment context. Here are the controls in place and the evidence that confirms they work. Here are the gaps that remain and how they will be addressed. Given all of the above, here is the disposition we recommend.”

The draft disposition record is the first artefact in the evidence pack — but it should be read last. It is placed first so the committee knows what decision they are being asked to make before they read the supporting evidence, but the disposition's content is the product of the evidence that follows it.

The draft disposition must specify:

• The proposed disposition: full approval, conditional approval, restricted pilot, or rejection.
• The scope to which the disposition applies.
• The conditions, if any, with owners, deadlines, and verification mechanisms.
• The residual risks being accepted, with a named acceptor recommendation.
• The re-assessment triggers.

The committee may revise any element of the draft disposition during deliberation. The final disposition is the committee's output — the draft is their starting point, not a fait accompli.

The three middle artefacts — system description, threat model, and control plan — are where most of the committee's substantive review work happens.

System description. The system description must be accurate and complete at the boundary level. It does not need to describe every implementation detail. It must describe every data flow, every external integration, the full user population, and the operational context. Ambiguity in the system description creates ambiguity in the threat model.

Threat model.The threat model must be system-specific — not a generic list of AI threats applied to the system without adaptation. The identified threats must correspond to the specific deployment context described in the system description. A threat model that lists “prompt injection” without explaining how prompt injection is relevant to this system, what the attack path is, and what the impact would be is incomplete.

Control plan with verification evidence.Each control in the plan must have documented verification evidence — not just a status of “in place.” The evidence must demonstrate that the control is in place, not just that the control is intended. For design-time controls, the evidence is typically a technical configuration review or an architecture document. For process controls, the evidence is operational records from the first production cycle.

The gaps that most frequently make evidence packs insufficient for committee review:

• No DPO advisory for personal data systems. Any AI system that processes personal data requires a DPO advisory. The advisory is not optional for regulated organisations, and its absence in the evidence pack is a material gap.
• Control plan without verification evidence.Controls listed as “planned” or “to be implemented” rather than confirmed as in place. The control plan must reflect the current state of controls, not the intended future state.
• Open gaps log without closure plans. A list of gaps without owners, deadlines, or closure criteria. The open gaps log must be actionable — not just a record of what is missing.
• Generic threat model. A threat model that was produced from a template without adaptation to the specific system and deployment context. The threat model must reflect the specific risk surface of the system being assessed.

From the committee's perspective, the evidence pack serves one function: to give the committee sufficient information to make a decision they can defend. The committee will ask: do I understand what this system does, what risks it presents, what controls are in place, what gaps remain, and what I am being asked to accept? If any of those questions cannot be answered from the evidence pack, the pack is incomplete.

A committee that routinely receives incomplete evidence packs should return them rather than making decisions with insufficient information. The standard for a complete evidence pack is not bureaucratic — it is the minimum needed for a decision that holds up.

For the governance committee charter that defines the committee's decision authority and evidence requirements, see Writing an AI governance committee charter.