AICodeProvenanceReady

Methodology and compliance

How the readiness score is built

The score aggregates policy controls, evidence artifacts and AI-tool coverage. It makes governance levels readable without replacing a certified audit.

Updated: June 2026

Scoring formula — version 1.0.0

Each 'Yes' policy answer is worth 14 points. 'Partial' is worth 7 points.

Each evidence artifact marked 'Present' adds 8 points. Each 'Missing' artifact subtracts 6 points.

Tool control coverage (tools with documented controls / total tools) contributes up to 20 points.

Score capped 0–100. Risk: ≥76 → Low; ≥51 → Moderate; ≥26 → High; <26 → Critical.
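
The v1.0.0 formula above, written out as an added example (it is not the product's own code). The function name and input shape are hypothetical, and the page does not state how 'No' answers, coverage scaling, rounding or an empty tool inventory are handled, so the code assumes 'No' scores 0, coverage scales linearly, the total is rounded to the nearest integer and an empty inventory contributes 0.

```python
# Added example: readiness score v1.0.0 as a deterministic function.
POLICY_POINTS = {"yes": 14, "partial": 7, "no": 0}   # "no": 0 is an assumption
ARTIFACT_POINTS = {"present": 8, "missing": -6}      # values from the page
COVERAGE_MAX = 20                                    # "up to 20 points"
BANDS = [(76, "Low"), (51, "Moderate"), (26, "High")]  # below 26 -> Critical


def _points(table, answers, kind):
    """Sum points for declared answers; reject values the formula does not define."""
    total = 0
    for answer in answers:
        key = answer.strip().lower()
        if key not in table:
            raise ValueError(f"unknown {kind} value: {answer!r}")
        total += table[key]
    return total


def readiness_score(policy_answers, artifacts, tools_with_controls, total_tools):
    """Return (score, risk_level, raw_total) for one declarative self-assessment."""
    if total_tools < 0 or not 0 <= tools_with_controls <= total_tools:
        raise ValueError("tools_with_controls must be between 0 and total_tools")
    policy = _points(POLICY_POINTS, policy_answers, "policy answer")
    evidence = _points(ARTIFACT_POINTS, artifacts, "artifact status")
    # Assumption: linear scaling of the coverage ratio; empty inventory adds 0.
    coverage = COVERAGE_MAX * tools_with_controls / total_tools if total_tools else 0.0
    raw = policy + evidence + coverage
    # Missing artifacts can push the raw total below 0, so clamp after summing.
    score = max(0, min(100, round(raw)))
    level = next((name for floor, name in BANDS if score >= floor), "Critical")
    return score, level, raw


if __name__ == "__main__":
    # Constructed sample inputs, not data from the product.
    samples = {
        "mixed": (["Yes", "Yes", "Partial", "No"], ["Present", "Present", "Missing"], 3, 4),
        "no evidence": (["No"], ["Missing"] * 3, 0, 2),
        "saturated": (["Yes"] * 5, ["Present"] * 4, 5, 5),
    }
    for name, args in samples.items():
        print(name, readiness_score(*args))
```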

Regulatory references

EU AI Act — Regulation (EU) 2024/1689 of 13 June 2024: traceability, human oversight and controls for general-purpose AI systems.

NIST AI Risk Management Framework 1.0 (2023): Govern, Map, Measure, Manage functions for AI systems.

ISO/IEC 42001:2023: AI management system standard covering policy, controls and artifact traceability.

SPDX 2.3 / CycloneDX 1.5: recognized SBOM formats for software supply-chain provenance.

Limits and disclaimers

This score is a declarative self-assessment indicator; it is not a formal security audit or regulatory certification.

Guidance is generic. No legal advice, guaranteed compliance or assured outcome is implied or promised.

The inventory is declarative: the product does not scan repositories, CI/CD pipelines or runtime configurations automatically.

Compliance matrix

Implementation status of regulatory requirements in the product. Scoring version: 1.0.0.

| Requirement | Status | Evidence | Last verified |
|---|---|---|---|
| AI system traceability (Art. 9, 50, 53) | Partial | AI register in the workspace, CSV/JSON export, scoring_version 1.0.0 | 2026-06-13 |
| Human oversight (Art. 14) | Partial | Documented human review policy (q3) | 2026-06-13 |
| AI risk management (Art. 9) | Partial | Risk score (v1.0.0), action plan, report export | 2026-06-13 |
| AI Governance — Govern function | Partial | AI tool register with scope, data and controls | 2026-06-13 |
| SBOM and software provenance | Partial | SBOM artifact traceability, recognized types in workspace | 2026-06-13 |

Sources and regulatory references

The references below underpin the readiness score. They are periodically verified and versioned.

| Reference | Version | Effective | Jurisdiction | Verified on |
|---|---|---|---|---|
| EU AI Act | 2024 | 2024-08-01 | EU | 2026-06-13 |
| NIST AI RMF 1.0 | 1.0 | 2023-01-26 | US | 2026-06-13 |
| ISO/IEC 42001:2023 | 2023 | 2023-12-18 | International | 2026-06-13 |
| SPDX 2.3 | 2.3 | 2022-09-01 | International | 2026-06-13 |
| CycloneDX 1.5 | 1.5 | 2023-06-23 | International | 2026-06-13 |

This score is calculated by a deterministic, versioned algorithm (v1.0.0), not an LLM. No unsupervised AI output is used.