REASON

acf.identify-governance-gaps

ACF® governance gap analysis across the six maturity dimensions — an inventory + a process list in, a per-dimension maturity score, a list of gaps prioritised by severity, quick wins and remediation actions out.

!Warning

Preliminary analysis. The maturity score rests on a baseline that is not weighted by sector — an asset manager and a municipality get the same calibration. requires_human_review is always true. Gaps not explicitly declared by the inventory are inferred — confirm the inferred / declared distinction before acting.

When to use

Use this tool when you must answer the board-level question: “what does ACF® say we should have that we don’t?”. It takes an AI inventory (count of systems, high-risk, GPAI, known shadow AI) and a list of governance processes with their status (exists / documented), returns a maturity score per dimension D1-D6 and the prioritised list of gaps to close.

It is the audit tool. It serves to scope a roadmap, prioritise an AI governance budget, or prepare an AI committee review. First results are designed to land in an ACF-10 (Compliance Roadmap) card.

Input parameters

Two required blocks (inventory + processes), two optional context fields.

current_inventory{ ai_systems_count, high_risk_count?, gpai_used?, shadow_ai_known? }required

Snapshot of the AI inventory: total system count, high-risk count, GPAI presence, known shadow AI presence. Everything except ai_systems_count is optional — the tool distinguishes absent vs declared.

current_processes{ process: string, exists: boolean, documented?: boolean }[]required

List of evaluated governance processes. Recognised processes: ai_committee, executive_sponsor, ai_inventory, doctrine_published, kill_switch_drill, observability, ddao_appointed, raci, dpia, article_49_register, ai_act_qualification, annual_audit, incident_review.

sectorstring (≤80)

Organisation’s sector. Stored for traceability, not yet used to weight the score (cf. assumptions).

locale"en" | "fr"default: "en"

Language of the textual output.

Output schema

Maturity score (overall + per-dimension), gap list, priority order, quick wins, signed footer.

maturity_score{ overall: number, by_dimension: Record<string, number> }

Overall 0-100 score and per-dimension ACF® score (D1 to D6).

gaps{ dimension, severity: "low"|"medium"|"high"|"critical", description, remediation, fiches, estimated_effort_days }[]

Detailed list of identified gaps, each with its dimension, severity, remediation, related fiches and effort estimate in days.

priority_orderstring[]

Gap descriptions sorted by severity (critical → low) — directly usable as a committee agenda.

quick_winsstring[]

Gaps remediable in ≤ 3 effort-days — useful to kick off a governance sprint.

confidence"low" | "medium" | "high"

Global confidence of the analysis.

assumptionsstring[]

Explicit assumptions — notably the lack of sector weighting.

gaps_to_validatestring[]

Points to confirm in human review, including the inferred / declared distinction and the high-risk subset.

rationale_per_rule{ rule_id, rule_version, fired, evidence }[]

Trace of the fired rule with the number of processes evaluated.

requires_human_reviewtrue

Constant. No call returns false.

Example call

A bank with 14 AI systems including 2 high-risk, GPAI used, known shadow AI:

identify-governance-gaps.tstypescript

import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";

const transport = new StdioClientTransport({
  command: "npx",
  args: ["-y", "acf-mcp"],
});
const client = new Client({ name: "demo", version: "1.0" }, {});
await client.connect(transport);

const result = await client.callTool({
  name: "acf.identify-governance-gaps",
  arguments: {
    current_inventory: {
      ai_systems_count: 14,
      high_risk_count: 2,
      gpai_used: true,
      shadow_ai_known: true,
    },
    current_processes: [
      { process: "ai_committee", exists: true, documented: true },
      { process: "executive_sponsor", exists: true, documented: true },
      { process: "ai_inventory", exists: true, documented: false },
      { process: "doctrine_published", exists: false },
      { process: "kill_switch_drill", exists: false },
      { process: "observability", exists: true, documented: false },
      { process: "ddao_appointed", exists: false },
      { process: "raci", exists: false },
      { process: "dpia", exists: false },
      { process: "article_49_register", exists: false },
      { process: "ai_act_qualification", exists: false },
      { process: "annual_audit", exists: true, documented: true },
      { process: "incident_review", exists: false },
    ],
    sector: "banking",
    locale: "en",
  },
});

console.log(JSON.stringify(result.content, null, 2));

Response

response.jsonjson

{
  "maturity_score": {
    "overall": 38,
    "by_dimension": {
      "D1": 100,
      "D2": 50,
      "D3": 50,
      "D4": 0,
      "D5": 0,
      "D6": 50
    }
  },
  "gaps": [
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "Process 'dpia' is missing for D5.",
      "remediation": "Stand up the DPIA workflow with ACF-11 as the template.",
      "fiches": ["ACF-11"],
      "estimated_effort_days": 10
    },
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "High-risk systems present but no DPIA process.",
      "remediation": "Stand up the DPIA workflow before any new high-risk go-live.",
      "fiches": ["ACF-11"],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "Process 'article_49_register' is missing for D5.",
      "remediation": "Prepare the Article 49 register for any high-risk system before go-live.",
      "fiches": ["ACF-05", "ACF-11"],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D5",
      "severity": "critical",
      "description": "Process 'ai_act_qualification' is missing for D5.",
      "remediation": "Run acf.classify-agent on each system to qualify under the AI Act.",
      "fiches": [],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D3",
      "severity": "high",
      "description": "Process 'kill_switch_drill' is missing for D3.",
      "remediation": "Run a quarterly kill-switch drill per ACF-14.",
      "fiches": ["ACF-07", "ACF-14"],
      "estimated_effort_days": 3
    },
    {
      "dimension": "D4",
      "severity": "high",
      "description": "Process 'ddao_appointed' is missing for D4.",
      "remediation": "Appoint a DDAO per N2+ agent with documented mandate.",
      "fiches": ["ACF-12"],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D4",
      "severity": "high",
      "description": "Process 'raci' is missing for D4.",
      "remediation": "Publish a RACI for agentic decisions including DDAO + DPO + CISO + sponsor.",
      "fiches": [],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D1",
      "severity": "high",
      "description": "Shadow AI exists in the organisation.",
      "remediation": "Run a discovery campaign + classify each shadow agent via acf.classify-agent.",
      "fiches": ["ACF-01"],
      "estimated_effort_days": 10
    },
    {
      "dimension": "D2",
      "severity": "medium",
      "description": "Process 'doctrine_published' is missing for D2.",
      "remediation": "Publish a doctrine note grounded in ACF® v1.0 to the relevant teams.",
      "fiches": [],
      "estimated_effort_days": 5
    },
    {
      "dimension": "D2",
      "severity": "medium",
      "description": "Process 'ai_inventory' exists but is undocumented.",
      "remediation": "Document 'ai_inventory' with the relevant ACF® card.",
      "fiches": ["ACF-01"],
      "estimated_effort_days": 2
    },
    {
      "dimension": "D3",
      "severity": "medium",
      "description": "Process 'observability' exists but is undocumented.",
      "remediation": "Document 'observability' with the relevant ACF® card.",
      "fiches": ["ACF-08"],
      "estimated_effort_days": 2
    },
    {
      "dimension": "D6",
      "severity": "medium",
      "description": "Process 'incident_review' is missing for D6.",
      "remediation": "Open a quarterly incident review forum with the AI committee.",
      "fiches": [],
      "estimated_effort_days": 5
    }
  ],
  "priority_order": [
    "D5: Process 'dpia' is missing for D5.",
    "D5: High-risk systems present but no DPIA process.",
    "D5: Process 'article_49_register' is missing for D5.",
    "D5: Process 'ai_act_qualification' is missing for D5.",
    "D3: Process 'kill_switch_drill' is missing for D3.",
    "D4: Process 'ddao_appointed' is missing for D4.",
    "D4: Process 'raci' is missing for D4.",
    "D1: Shadow AI exists in the organisation.",
    "D2: Process 'doctrine_published' is missing for D2.",
    "D2: Process 'ai_inventory' exists but is undocumented.",
    "D3: Process 'observability' exists but is undocumented.",
    "D6: Process 'incident_review' is missing for D6."
  ],
  "quick_wins": [
    "Process 'kill_switch_drill' is missing for D3.",
    "Process 'ai_inventory' exists but is undocumented.",
    "Process 'observability' exists but is undocumented."
  ],
  "confidence": "medium",
  "assumptions": [
    "Maturity baseline is unweighted across dimensions; sector-specific weights not yet calibrated."
  ],
  "gaps_to_validate": [
    "Confirm which gaps were inferred vs explicitly declared by your inventory.",
    "Run acf.classify-agent on the high-risk subset to consolidate the qualification."
  ],
  "requires_human_review": true,
  "rationale_per_rule": [
    {
      "rule_id": "identify-gaps.dimension-checklist",
      "rule_version": "2026-06",
      "fired": true,
      "evidence": "13 processes evaluated"
    }
  ],
  "doctrine_version": "ACF framework v1.0 / rules 2026-06",
  "doctrine_hash": "sha256:bf0b6d8e4731ebdc58f6d6338702c5b74af47874cf0ad3dc958cde5c5b30b9dc",
  "doctrine_signature": "ed25519:…",
  "doctrine_archive_url": "https://acfstandard.io/doctrine/v1.0/archive.json",
  "regulatory_snapshot": "EU AI Act (Reg. 2024/1689, incl. Digital Omnibus deferral) + GDPR (Reg. 2016/679) + DORA (Reg. 2022/2554) + NIS2 (Dir. 2022/2555) + ISO 42001:2023 — as of 2026-06-07",
  "generated_at": "2026-06-14T11:47:22.318Z",
  "disclaimer": "Preliminary qualification only — not legal advice. Human review required."
}

Common errors

InvalidNumber — ai_systems_count or high_risk_count is negative or non-integer. All counters must be integers ≥ 0.
InvalidProcessShape — an entry of current_processes does not match the { process, exists, documented? } shape. Check booleans and the presence of the process key.
DoctrineSnapshotMismatch — the requested doctrine_hash is not loaded. Update acf-mcp or point at the archived version.