How to Use BAICS
A guide to understanding and implementing the Banking AI Controls Standard for your organization.
The Banking AI Controls Standard (BAICS) provides a comprehensive framework of risk controls specifically designed for AI systems in financial services. It helps organizations:
- Identify and mitigate AI-specific risks in banking and financial applications
- Establish consistent governance practices across AI implementations
- Align with existing standards like ISO/IEC 42001 and ISACA AI Audit Toolkit
- Provide auditors with clear evidence requirements for AI system assessments
Understanding Control Attributes
Each control in BAICS includes several attributes that provide comprehensive guidance for implementation and audit.
Control Description
The primary statement describing what the control requires. This is the core requirement that must be implemented.
Rationale
Explains why this control is important and the business or security justification for implementing it.
Risk Mitigated
Identifies the specific risks that this control addresses, helping organizations understand the potential impact of non-compliance.
Implementation Guidance
Practical recommendations and best practices for implementing the control effectively within your organization.
Evidence of Compliance / Auditor Guidance
Specifies what documentation, artifacts, or evidence should be available to demonstrate compliance with the control during audits.
Control Tiers
Controls are organized into three tiers based on their criticality and the level of AI system maturity. Each tier builds upon the previous one, creating a progressive approach to AI risk management.
Standard Tier
The baseline set of controls that every organization using AI in financial services should implement. These controls address fundamental risks and establish essential governance practices. Start here if you are beginning your AI controls journey.
Advanced Tier
Includes all Standard tier controls plus additional controls for organizations with more mature AI implementations or higher-risk AI use cases. These controls provide enhanced protection and more sophisticated governance mechanisms.
Hardened Tier
The comprehensive set including all Standard, Advanced, and Hardened controls. This tier is recommended for organizations with critical AI systems, high regulatory scrutiny, or those seeking maximum protection. It represents the gold standard for AI risk management.
Scope of Applicability
Not all controls apply to every situation. The scope helps you identify which controls are relevant based on your role and how you interact with AI systems. You can select one or more scopes when filtering controls.
Select this scope if you are building a product that includes your own custom AI model. This applies when your organization develops, trains, or fine-tunes AI models internally. Controls in this scope address model development lifecycle, training data governance, and model validation requirements.
Select this scope if you are building a product that uses AI models from another provider (e.g., third-party APIs, foundation models, or vendor solutions). Controls in this scope focus on vendor assessment, API security, model output validation, and third-party risk management.
Select this scope if you are evaluating or using an AI product as an end user within your organization. This includes business users, oversight functions, and anyone interacting with AI-powered tools. Controls in this scope address user training, output verification, escalation procedures, and human oversight requirements.
1. Identify Your Scope
   Determine whether you are a developer (custom or prebuilt models) or a user of AI systems.
2. Choose Your Tier
   Start with the Standard tier and progress to Advanced or Hardened based on your risk profile and maturity.
3. Review Applicable Controls
   Use the Controls page to filter by your selected scope and tier to see the relevant controls.
4. Implement and Document
   Follow the implementation guidance and prepare evidence of compliance for each control.