AI audit findings should be classified by severity (critical, major, minor, observation) based on regulatory impact, potential harm, and systemic nature, with root cause analysis guiding prioritization of corrective actions.
Classifying AI Audit Findings: Severity Levels, Root Causes, and Prioritization (2026)
Why Classification Matters
Finding classification determines how quickly and intensively the organization responds. A well-designed classification system ensures that critical risks receive immediate attention while allowing measured responses to lower-priority issues. Without classification, all findings compete equally for resources, and the most important gaps may not be addressed first.
Severity Classification Framework
| Level | Definition | Examples in AI Context | Response |
|---|---|---|---|
| Critical | Immediate risk of significant harm or regulatory violation; fundamental control failure | High-risk AI system deployed without conformity assessment; systematic discrimination in automated decisions; no incident reporting capability | Immediate corrective action; potential system suspension |
| Major | Significant gap in compliance framework; control exists but is materially ineffective | Risk assessment does not cover all required risk categories; monitoring exists but does not detect drift; incomplete technical documentation | Corrective action within 30-60 days |
| Minor | Partial gap or inconsistency; controls are mostly effective with specific weaknesses | Training records incomplete for some staff; data quality checks cover most but not all sources; minor documentation gaps | Corrective action within 60-90 days |
| Observation | Opportunity for improvement; no non-conformity but better practice exists | Monitoring frequency could be increased; additional fairness metrics would strengthen assessments; governance meeting minutes could be more detailed | Consider at next review cycle |
Classification Criteria
Auditors should consider multiple factors when assigning severity levels.
Regulatory Impact
Does the finding represent a violation of a mandatory legal requirement? EU AI Act non-compliance for high-risk systems is inherently more severe than gaps against voluntary standards.
Potential Harm
Could the finding, if left unaddressed, result in harm to individuals? AI systems that affect health, safety, or fundamental rights warrant higher severity for equivalent gaps.
Systemic Nature
Is the finding isolated or does it indicate a systemic weakness? An isolated documentation gap is minor. The same gap appearing across all AI systems suggests a systemic process failure that may be major.
Recurrence
Has this finding appeared in previous audits? Recurring findings suggest that previous corrective actions were ineffective and may warrant escalation in severity.
Root Cause Analysis
Every finding should include a root cause analysis to ensure that corrective actions address the underlying problem rather than just the symptom.
Common Root Cause Categories
- Process gaps: Missing or inadequate procedures
- Competency gaps: Staff lack necessary skills or training
- Resource constraints: Insufficient time, budget, or tools
- Design issues: The AI system was designed without adequate consideration of compliance requirements
- Communication failures: Requirements were not communicated to development teams
- Third-party dependencies: Vendor limitations or lack of transparency
- Change management failures: Updates to the AI system were not reflected in compliance documentation
Root Cause Analysis Techniques
- Five Whys: Iteratively asking why the finding occurred
- Fishbone diagram: Categorizing potential causes across people, process, technology, and data dimensions
- Fault tree analysis: For complex findings with multiple contributing factors
Prioritization
After classification, prioritize corrective actions based on severity, root cause complexity, resource requirements, and dependencies between findings.
Prioritization Matrix
| Priority | Criteria | Action |
|---|---|---|
| P1 | Critical finding with active harm potential | Immediate escalation and remediation |
| P2 | Major finding or critical with mitigating controls | Dedicated remediation project |
| P3 | Minor findings that share a common root cause | Systematic process improvement |
| P4 | Isolated minor findings and observations | Integrate into routine improvement cycle |
Tracking and Closure
Maintain a findings register that tracks each finding from identification through corrective action to verified closure. Include severity, root cause, corrective action description, responsible party, due date, completion date, and verification evidence. Report the status of open findings to management regularly.
A finding is closed only when the corrective action has been implemented and verified as effective. Implementation alone is insufficient. Verify that the action actually resolves the identified gap.
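The following is an added example, not code from the article or from Sawai Gyoseishoshi Office, showing how the severity criteria, the P1-P4 prioritization matrix and the closure rule above can be encoded in a small findings register. Two details are assumptions made here rather than statements from the article: the systemic-nature and recurrence criteria each raise severity by one level (capped at critical), and a critical finding with active harm potential is treated as P1 even when mitigating controls exist. The sample findings are constructed from the examples column of the severity table and are not real audit results.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Severity(Enum):
    OBSERVATION = 1
    MINOR = 2
    MAJOR = 3
    CRITICAL = 4


@dataclass
class Finding:
    """One row of the findings register; fields follow the register described above."""
    finding_id: str
    description: str
    severity: Severity                 # severity as assigned by the auditor
    root_cause: str                    # root cause category from the analysis
    responsible: str
    due_date: str                      # ISO date, so string order is date order
    systemic: bool = False             # same gap appears across all AI systems
    recurring: bool = False            # reported in a previous audit
    active_harm_potential: bool = False
    mitigating_controls: bool = False
    completion_date: Optional[str] = None
    verification_evidence: Optional[str] = None
    status: str = "open"


def effective_severity(f: Finding) -> Severity:
    """Apply the systemic-nature and recurrence criteria.

    Assumption for this example: each criterion raises severity by one level,
    capped at critical. The article says such findings 'may' be escalated;
    the step size is a policy choice.
    """
    level = f.severity.value + int(f.systemic) + int(f.recurring)
    return Severity(min(level, Severity.CRITICAL.value))


class FindingsRegister:
    def __init__(self) -> None:
        self.findings: Dict[str, Finding] = {}

    def add(self, f: Finding) -> None:
        self.findings[f.finding_id] = f

    def shares_root_cause(self, f: Finding) -> bool:
        """True when another open finding has the same root cause (the P3 criterion)."""
        return any(o.finding_id != f.finding_id and o.root_cause == f.root_cause
                   and o.status == "open" for o in self.findings.values())

    def priority(self, finding_id: str) -> str:
        """Map a finding onto the P1-P4 prioritization matrix."""
        f = self.findings[finding_id]
        sev = effective_severity(f)
        if sev is Severity.CRITICAL:
            # Matrix: critical with mitigating controls -> P2, with active harm -> P1.
            # Assumption: harm potential outweighs mitigating controls; the
            # unspecified case (neither) is also treated conservatively as P1.
            return "P2" if f.mitigating_controls and not f.active_harm_potential else "P1"
        if sev is Severity.MAJOR:
            return "P2"
        if sev is Severity.MINOR and self.shares_root_cause(f):
            return "P3"
        return "P4"

    def work_queue(self) -> List[Tuple[str, str]]:
        """Open findings as (priority, id), ordered by priority then due date."""
        open_items = [f for f in self.findings.values() if f.status == "open"]
        return sorted(((self.priority(f.finding_id), f.finding_id) for f in open_items),
                      key=lambda p: (p[0], self.findings[p[1]].due_date))

    def record_implementation(self, finding_id: str, completion_date: str) -> None:
        self.findings[finding_id].completion_date = completion_date

    def close(self, finding_id: str, verification_evidence: str) -> None:
        """Closure needs both an implemented action and evidence it was verified effective."""
        f = self.findings[finding_id]
        if f.completion_date is None:
            raise ValueError(f"{finding_id}: corrective action not yet implemented")
        if not verification_evidence.strip():
            raise ValueError(f"{finding_id}: closure requires verification evidence")
        f.verification_evidence = verification_evidence
        f.status = "closed"

    def status_report(self) -> Dict[str, int]:
        """Count of open findings per priority, for the regular management report."""
        report = {"P1": 0, "P2": 0, "P3": 0, "P4": 0}
        for prio, _ in self.work_queue():
            report[prio] += 1
        return report


def build_sample_register() -> FindingsRegister:
    """Constructed sample findings (not real audit results)."""
    reg = FindingsRegister()
    reg.add(Finding("F-001", "High-risk system deployed without conformity assessment",
                    Severity.CRITICAL, "process gap", "AI governance lead", "2026-03-01",
                    active_harm_potential=True))
    reg.add(Finding("F-002", "Monitoring exists but does not detect drift",
                    Severity.MAJOR, "design issue", "ML platform team", "2026-04-15"))
    reg.add(Finding("F-003", "Training records incomplete for some staff",
                    Severity.MINOR, "process gap", "HR", "2026-05-30"))
    reg.add(Finding("F-004", "Monitoring frequency could be increased",
                    Severity.OBSERVATION, "resource constraint", "ML platform team", "2026-09-30"))
    reg.add(Finding("F-005", "Data quality checks cover most but not all sources",
                    Severity.MINOR, "process gap", "Data engineering", "2026-05-15"))
    reg.add(Finding("F-006", "Documentation not updated after model retraining",
                    Severity.MINOR, "change management failure", "ML platform team", "2026-05-01",
                    recurring=True))  # recurring minor finding escalates to major
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for prio, fid in register.work_queue():
        print(prio, fid, register.findings[fid].description)
    print(register.status_report())
```

Note that F-006 is logged as minor but lands in P2 because it recurred, and that F-003 and F-005 share a root cause, which moves them from isolated P4 items to a P3 process improvement; `close()` refuses a finding whose corrective action has not been recorded as implemented, which is the rule stated above.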
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.