Gap Closure Program
The AEEF framework provides standards, controls, and operating guidance. Most organizations still fail in implementation because they stop at documentation and do not convert standards into a tracked remediation program with owners, deadlines, and evidence.
This page closes that gap.
Use it with the repository root TODO.md, which is a framework-generic remediation backlog template.
For sovereign and multi-country positioning work (annex governance, coverage matrix, conformance terminology, and claim-boundary remediation), use the companion remediation plan at TODO-middle-east-sovereign-standards-remediation.md.
When to Use This Page
Use this page when you need to:
- convert a review or audit finding into a structured action plan
- implement AEEF controls in a real organization with evidence
- prioritize foundational controls before optimization work
- apply sector or regional overlays (for example banking, KSA, EU) without rewriting the core program
What This Adds to the Framework
This implementation layer provides:
- a remediation program model (P0/P1/P2)
- a core vs. overlay approach for reuse
- execution templates for control catalogs, audit packs, CAPA, and simulations
- a remediation tracker schema for consistent implementation evidence
Core vs. Overlay Model
Do not run every workstream at full depth on day one. Split implementation into:
Core Program (Always Applicable)
These actions are foundational in almost all environments:
- control catalog and ownership
- evidence model and retention linkage
- internal audit cadence
- release gates and runtime reliability controls
- incident response and tabletop readiness
- architecture baselines and vendor concentration review
- organizational roles, RACI, and approval SLAs
Overlay Programs (Context-Driven)
Enable overlays only when applicable:
- Regional/Jurisdiction overlays: KSA, EU, UAE, etc.
- Sector overlays: banking/finance, healthcare, public sector
- Channel/platform overlays: messaging, voice, app store ecosystems, marketplaces
- Deployment overlays: sovereign/in-country, multi-tenant, regulated cloud
For multi-country or sovereign deployments, validate profile availability and gaps before activating overlays:
Recommended Adoption Sequence
Step 1: Start the Program (Week 1)
- Appoint a remediation sponsor.
- Assign workstream leads.
- Create the remediation tracker.
- Define the implementation "definition of done" (policy + technical control + monitoring + evidence + test).
Step 2: Build the Core Backlog (Days 1-2)
- Use TODO.md to select P0 items.
- Translate each item into tasks with owners and dates.
- Attach evidence fields up front (not later).
Step 3: Choose Overlays (Days 1-2)
- Complete the overlay selection template.
- Activate only the relevant overlay tasks.
- Add overlay-specific evidence requirements to the tracker.
- If required annexes are missing, log the gap explicitly and create an annex/remediation work item rather than assuming coverage.
Step 4: Implement and Validate (Days 3-10)
- Implement technical and process controls.
- Automate evidence collection for high-frequency controls.
- Run simulations (audit, incident, breach, hallucination/high-impact failure).
- Convert findings into CAPA and track to closure.
Required Program Artifacts (Templates)
Use the templates under templates/program/:
- templates/program/ai-control-catalog-template.md
- templates/program/ai-use-case-inventory-template.md
- templates/program/jurisdiction-applicability-register-template.md
- templates/program/ai-audit-evidence-pack-template.md
- templates/program/ai-nc-capa-register-template.md
- templates/program/ai-tabletop-report-template.md
- templates/program/ai-reference-architecture-blueprint-template.md
- templates/program/board-ai-review-pack-template.md
- templates/program/profile-overlay-selection-template.md
The remediation tracker payload schema is in:
templates/schemas/ai-remediation-program.schema.json
Recommended additions for sovereign/multi-country programs:
- templates/program/regulator-objection-log-template.md (when available)
- templates/program/national-annex-control-matrix-template.md (when available)
How This Maps to Existing AEEF Components
Use this page as an implementation wrapper around the existing framework:
| Program Need | Primary AEEF Components |
|---|---|
| Governance controls and evidence | Pillar 2: Governance & Risk |
| Regional claim boundaries, annex governance, coverage scope | Regional Scheme Governance, National Annex Specification, Regional Coverage Matrix |
| Runtime trust/reliability controls | PRD-STD-010, PRD-STD-012 |
| Model/data/privacy governance | PRD-STD-011, PRD-STD-014 |
| Multi-tenant and channel overlays | PRD-STD-013, PRD-STD-016 |
| Organizational readiness | Pillar 5: Organizational Enablement |
| AI product lifecycle implementation | AI Product Lifecycle |
| Transformation rollout sequencing | Transformation Implementation Hub |
90-Day Minimum Outcome (What "Implemented" Looks Like)
By day 90, a serious implementation SHOULD be able to show:
- a live AI use-case inventory and risk classification
- a control catalog with named owners and evidence sources
- at least one complete audit evidence pack for a high-priority AI system
- runtime SLOs, fallback, and on-call ownership for in-scope production AI features
- one mock audit and one incident tabletop with CAPA tracked to closure
Common Failure Modes (Avoid These)
- Policy-only completion: marking items done when only a document exists
- No evidence linkage: controls implemented but not provable
- Overlay overload: enabling every jurisdiction/sector overlay before core controls are stable
- Manual bottlenecks: too many approvals without automation or SLAs
- No validation: skipping simulations and discovering failures during real incidents
Next Steps
- Open the repository root TODO.md and select the P0 core actions for your next 90 days.
- Complete templates/program/profile-overlay-selection-template.md to activate only applicable overlays.
- Create your control catalog and remediation tracker before implementing new controls.
- Schedule a mock audit and one incident tabletop before declaring the rollout "ready."