Production AI Institute · PSF v1.1 open standard

AI Right-To-Know AI Data Use Index Check My AI Tools Policy Change Watch Agent Readiness Public Benchmark ContactGlobal standard · Worldwide

PAI-8 · Governance standard · 2026

The organisational control model for AI governance

PSF defines safe AI deployment at the system level. PAI-8 defines the governance, audit, incident, and vendor controls an organisation must operate around those systems. Eight controls, four maturity levels, public evidence.

Read the 8 controls →Run self-assessment Read the PSF

8governance controls

4maturity levels

C1-C8audit evidence model

PAI-8 and PSF are parallel standards, not replacements. PSF (D1-D8) governs technical deployment safety. PAI-8 (C1-C8) governs organisational governance maturity. Mature programmes need both layers.

Read the PSF →

If PAI-8 made the gap obvious

Pick the next proof step.

A governance standard only converts when the reader can turn it into evidence, a team motion, or a client-ready service.

We operate AI internally

Find your governance gaps before a board or buyer does.

Use the organisational path to choose between transparency, team rollout, and Deployment Safety Assessment.

Choose org starting point →

We have a live system

Turn PAI-8 language into an assessment scope.

If the system already affects people, revenue, compliance, or operations, prepare evidence and begin DSA scoping.

Scope a DSA →

We advise clients

Package governance into a paid client offer.

MSPs and consultants can turn PAI-8 into discovery, policy, vendor review, and monitoring work clients understand.

Get MSP launch pack →

The 8 PAI-8 Controls

Each control addresses a distinct category of organisational AI risk. Assessment scores each control L0–L3 against the maturity model.

AI Governance

Formal accountability for AI risk at board and executive level, with documented policies, decision gates, and a register of all AI use cases.

✓Board-level AI risk accountability documented

✓AI ethics/safety policy published and operationally embedded

✓AI use case registry maintained

✓Governance decision gates applied to all new AI deployments

Risk Assessment

Formal AI risk assessment before any new system deployment, with risk tiering, third-party AI inclusion, and regular reassessment as systems change.

✓Risk assessment required before deployment

✓Low/medium/high/critical risk tiers documented

✓Third-party AI included in procurement risk process

✓Reassessment triggered by material system changes

Data Stewardship

Provenance, consent, and lifecycle management for all data used to train or operate AI systems, including vector databases and fine-tuning datasets.

✓Training data provenance documented

✓Consent or lawful basis established for AI data use

✓PII handling procedures for AI pipelines

✓Data retention and deletion policies cover AI artefacts

Model Validation

Pre-deployment evaluation against production-representative benchmarks, including bias testing and independent review for high-risk use cases.

✓Pre-deployment evaluation report required before go-live

✓Bias and fairness evaluation for high-risk use cases

✓Independent review for critical AI deployments

✓Post-deployment performance monitoring in place

Human Oversight

Defined autonomy limits, operational override mechanisms, escalation paths, and documented human intervention capability for all AI systems.

✓Autonomy scope defined for each AI system

✓Override mechanism documented and staff trained on use

✓Escalation path for anomalous AI behaviour

✓Override events logged and reviewed

Incident Response

AI-specific incident classification taxonomy, severity tiers for AI harms, response runbooks, and post-incident review processes.

✓AI incident taxonomy separate from generic IT incidents

✓Response SLAs calibrated to AI harm severity

✓Post-incident review required for significant AI incidents

✓Regulatory notification assessment for AI incidents

Audit Trail

Decision-level logging for AI outputs, log retention aligned to challenge windows, and explainability artefacts for high-risk decisions.

✓Decision-level logging schema captures inputs, model, output, timestamp

✓Log retention policy covers legal challenge window

✓Explainability artefacts for high-risk decisions

✓Immutable audit trail — logs cannot be altered post-hoc

Vendor & Supply Chain

Inventory of all third-party AI dependencies, vendor risk assessment, contractual AI continuity protections, and tested fallback capability.

✓Inventory of all third-party AI components maintained

✓Vendor risk assessment for all AI service providers

✓AI safety and continuity requirements in vendor contracts

✓Continuity plan for critical AI dependencies tested annually

Maturity Levels

Each of the 8 controls is scored L0–L3. A PAI-8 assessment produces a per-control maturity score and an overall governance posture rating.

Unprepared

No formal AI safety controls. AI is deployed without governance, assessment, or documentation. Material risk of regulatory, reputational, or operational harm.

Basic

Controls are documented but inconsistently operational. Policies exist on paper but are not embedded in decisions. Evidence is sparse or absent.

Managed

Controls are operational with documented process, regular cadence, and evidenced application to real decisions. Suitable for most regulated environments.

Optimised

Controls are continuously improved with metrics, benchmarking against sector peers, and board-level governance review. Industry-leading posture.

Not sure where your organisation sits?

Commission a PAI-8 Assessment →

PAI-8 and PSF: Parallel standards

The two frameworks address different layers of AI safety. Neither replaces the other — a complete AI safety posture requires both.

PSF — Production Safety Framework

Technical deployment layer

›What the system does: inputs, outputs, data, monitoring
›D1-D8 technical domains with 40 criteria
›Framework tools and stacks are assessed against
›Credential pathways: AIDA, AIMA, CPAP, CPAA

Read the PSF →

PAI-8 — Organisational Governance Standard

Organisational governance layer

›What the organisation does: policies, oversight, audit
›C1-C8 governance controls with L0-L3 maturity scoring
›Framework organisations are audited against
›Auditor pathway: CAIA

CAIA auditor pathway →

Domain mapping — PSF ↔ PAI-8

PSF D1 Input Governance↔PAI-8 C2 Risk Assessment

PSF D3 Data Protection↔PAI-8 C3 Data Stewardship

PSF D4 Observability↔PAI-8 C7 Audit Trail

PSF D5 Deployment Safety↔PAI-8 C4 Model Validation

PSF D6 Human Oversight↔PAI-8 C5 Human Oversight

PSF D7 Security↔PAI-8 C6 Incident Response

PSF D8 Vendor Resilience↔PAI-8 C8 Vendor & Supply Chain

PSF D2 Output Validation↔PAI-8 C4 Model Validation

Work with PAI-8

Use the standard internally, commission an independent assessment, or pursue the auditor credential when formal proof is required.

CAIA auditor credential →Commission an Assessment Study Materials