Copy-ready working papers

Practitioner artifact templates

Use these field sets in a spreadsheet, GRC platform, architecture repository, or ticketing system. Keep IDs stable across artifacts (profile, gap, roadmap item, evidence, control, risk, exception) so that any finding can be traced end to end from the profile row that motivated it to the evidence that closed it.

01

Baseline and target profile

Profile header

  • Profile ID, version, status, date, author, approver
  • Business capability and system boundary
  • Agents/models, data, events, spatial, graph, tools, users, environments
  • Stakeholders, jurisdictions, obligations, assumptions, exclusions
  • Business outcomes, risk tier, autonomy level, certification objective

One row per layer/capability

  • Layer and capability statement
  • Current maturity (Foundation/Managed/Optimized) and evidence IDs
  • Target maturity and target date
  • Current and target measures/SLOs
  • Owner, rationale, dependencies, confidence, review date

02

Gap assessment

One row per gap

  • Gap ID
  • Profile/capability
  • Related control/risk
  • Current state + evidence
  • Target requirement
  • Gap statement
  • Root cause
  • Impact
  • Priority
  • Owner
  • Recommended treatment
  • Dependencies
  • Acceptance criteria
  • Status/date

Quality test: write each gap as a verifiable difference between current and target state, not as a solution. For example, “E-02 duplicate-event behavior is untested for dispatch writes,” not “buy event software.”

03

Roadmap and transition plan

One row per roadmap item

  • Roadmap item
  • Gap/control/risk IDs
  • Outcome
  • Deliverables
  • Transition architecture
  • Accountable owner
  • Resources/budget
  • Dependencies
  • Start/target
  • Milestones
  • Acceptance evidence
  • Benefit metric
  • Residual risk
  • RAG/status

Sequence items so that mandatory critical-control gates close before autonomy is broadened. For each item, record the certification release or reassessment to which it contributes.

04

Evidence index

One row per evidence item

  • Evidence ID
  • Title/type
  • Control/test/finding IDs
  • Source system
  • Evidence owner
  • Collection method/time
  • Period covered
  • Population/sample
  • Repository link
  • Hash/integrity
  • Sensitivity/access
  • Retention
  • Assessor validation
  • Notes

Prefer system-generated evidence that covers the whole assessment period over point-in-time captures. A screenshot is acceptable only with its source, timestamp, scope, and a corroborating record. A link to a mutable source (a live dashboard, an editable document) is not evidence on its own: snapshot the content at collection time and record its hash in the index so later tampering or drift is detectable.
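One way to populate the Hash/integrity column at collection time and re-check it before an assessment, as an added example that is not part of the template set: the script streams a SHA-256 over each artifact when it is registered, stores the digest in the index row, and later reports ok, tampered, missing, or unhashed per evidence ID; it also digests the canonical-JSON index so the index itself can be snapshotted. The field names, evidence IDs, file contents and the `register_evidence`/`verify_evidence` helpers are all constructed for this example.

```python
"""Evidence-index integrity check (added example; field names and data are constructed)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream the file so large period-wide exports need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def register_evidence(index: list, evidence_id: str, title: str, path, source_system: str) -> dict:
    """Append an index row whose digest is taken at collection time, not at assessment time."""
    entry = {
        "evidence_id": evidence_id,
        "title": title,
        "source_system": source_system,
        "repository_link": str(path),
        "hash_integrity": "sha256:" + sha256_file(path),
    }
    index.append(entry)
    return entry


def verify_evidence(index: list) -> dict:
    """Return {evidence_id: 'ok' | 'tampered' | 'missing' | 'unhashed'}."""
    results = {}
    for entry in index:
        algo, _, digest = (entry.get("hash_integrity") or "").partition(":")
        if algo != "sha256" or not digest:
            # A bare link (e.g. a live dashboard URL) was never snapshotted or hashed.
            results[entry["evidence_id"]] = "unhashed"
            continue
        path = Path(entry["repository_link"])
        if not path.is_file():
            results[entry["evidence_id"]] = "missing"
            continue
        results[entry["evidence_id"]] = "ok" if sha256_file(path) == digest else "tampered"
    return results


def index_digest(index: list) -> str:
    """Digest of the canonical-JSON index, so the index itself can be snapshotted and attested."""
    canonical = json.dumps(sorted(index, key=lambda e: e["evidence_id"]),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Constructed scenario: one intact artifact, one altered after collection,
    one bare link with no hash, and one artifact deleted after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        index = []

        export = root / "access_review_q3.csv"
        export.write_text("user,role,reviewed_on\nalice,operator,2024-09-30\n")
        register_evidence(index, "EV-001", "Access review export", export, "IAM")

        dlq = root / "dlq_depth_sept.json"
        dlq.write_text('{"max_depth": 12}')
        register_evidence(index, "EV-002", "DLQ depth metric", dlq, "Event bus")
        dlq.write_text('{"max_depth": 0}')  # edited after the digest was recorded

        index.append({"evidence_id": "EV-003", "title": "Live dashboard", "source_system": "Monitoring",
                      "repository_link": "https://dashboards.example.internal/ev", "hash_integrity": ""})

        shot = root / "eval_run.png"
        shot.write_bytes(b"\x89PNG\r\n\x1a\n")
        register_evidence(index, "EV-004", "Eval screenshot", shot, "Eval harness")
        shot.unlink()  # artifact removed from the repository after collection

        return verify_evidence(index)


if __name__ == "__main__":
    for evidence_id, status in sorted(demo().items()):
        print(evidence_id, status)
```

Record the `index_digest` value alongside the certification decision; re-computing it at the next assessment shows whether any row was edited after the decision was made, which the per-artifact digests alone cannot reveal.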

05

Control assessment record

One row per control assessment

  • Assessment/control/version
  • Scope/applicability
  • Criticality/gate
  • Owner/operator/tester
  • Requirement + procedure
  • Period/population/sample
  • Evidence IDs
  • Design result
  • Operating result
  • Score/confidence
  • Finding
  • Remediation/exception
  • Approvals
  • Next test

06

AI risk register

One row per risk

  • Risk ID/category
  • Scenario: cause–event–impact
  • Affected people/assets
  • Layer/system
  • Inherent likelihood/impact
  • Obligations
  • Controls
  • Control effectiveness
  • Residual rating
  • Risk owner
  • Treatment
  • Due date
  • Indicators/triggers
  • Acceptance authority/date
  • Status/review

07

Control exception

One row per exception

  • Exception ID/status
  • Control/scope
  • Business justification
  • Root cause
  • Risk and affected parties
  • Compensating controls
  • Monitoring/threshold
  • Owner
  • Approver/authority
  • Start/expiry
  • Remediation plan
  • Review cadence
  • Certification impact
  • Closure evidence

Boundary: an exception cannot waive a mandatory critical-control gate. Renewal must be formally approved before the expiry date; once an exception has expired, it is recorded as a control failure until the remediation is closed or a renewal is approved.

08

Assurance dashboard

Header and filters

  • Scope, environment, owner, reporting period, control/version baseline
  • Certification status/date/expiry and maturity by layer
  • Data freshness and last successful evidence refresh

Required views

  • Overall/layer weighted scores and mandatory-gate pass rate
  • Open findings by severity/age; overdue roadmap items
  • Risks above appetite; exceptions approaching expiry

Operational indicators

  • V: quality, freshness, lineage, access review
  • E: latency, lag, duplicates, DLQ, recovery
  • N: location confidence, infeasible routes, geofence accuracy
  • K: constraint, provenance, conflict and stale-claim rates
  • A: eval success, blocked actions, overrides, rollback, escalation
  • T: incidents, recourse, control tests, training, supplier assurance

Every tile needs definition, source, owner, threshold, refresh time, drill-through, and escalation action.

09

Readiness and certification report

  1. Executive decision: ready/not ready or grant/conditional/deny; authority, date, expiry.
  2. Scope: boundary, intended use, autonomy, environments, exclusions, suppliers, version.
  3. Criteria: suite/control version, standards, tailoring, threshold, mandatory gates.
  4. Method: assessor independence/competence, period, interviews, sampling, tests, limitations.
  5. Results: maturity and weighted score by layer; gate table; prior-finding closure.
  6. Findings: severity, evidence, impacted controls/risks, root cause, owner, due date.
  7. Exceptions and residual risk: authority, compensation, monitoring, expiry, conditions.
  8. Opinion: sufficient evidence, accurate scope, decision rationale, conditions, surveillance.
  9. Attestations: management completeness, assessor independence, certification authority approval.
  10. Appendices: control matrix, evidence index, tests, risks, exceptions, roadmap, change log.

See a completed decision example.