Technology / SaaS (lending infrastructure) · 13 July 2026
NovaLend Technologies
Overall maturity
2.9 / 5
Defined
Gaps identified
10
3 critical · 5 high
Annex A themes
4 / 9
largely implemented or better
Priority actions
7
next 90 days
Certification readiness
NovaLend could not pass a stage 1 audit today, but the distance is shorter than most: the engineering controls (lifecycle, monitoring, logging) are largely in place - what is missing is the management system around them. The two stage 1 blockers are the absence of a documented AI impact assessment process and the fact that no internal audit of AI management has ever been performed. Both are documentation-and-process exercises, not engineering work.
Maturity by domain
Statement of Applicability
The nine Annex A control themes and their current implementation status, derived from your responses. Certification bodies request this document at stage 1.
What to fix first
Draft and approve the AI impact assessment procedure, then run it retrospectively on the two production models - this is your largest stage 1 blocker (artefact: procedure + two completed assessments).
Commission a first internal audit of the AI management system against your own policy set (artefact: audit plan, findings log, closure evidence).
Take the draft AI policy through executive approval and communicate it - an unapproved draft carries no weight with an auditor (artefact: approved policy with version history).
Define measurable AI management objectives with owners and a reporting cadence (artefact: objectives register reviewed at management review).
Document training-data provenance for the credit-scoring model, including usage rights for the bureau data (artefact: data provenance record).
Add AI-specific clauses to the two foundation-model supplier contracts at renewal: change notification, incident support, audit access (artefact: contract addenda).
Schedule the first formal management review of AI with the standard inputs - incidents, monitoring results, audit findings, objective progress (artefact: minuted review).
Findings by domain
AIMS Governance & Leadership
The bones of governance exist - a named risk owner, a risk committee slot, a drafted policy. An auditor, however, credits approvals and records, not intentions. Approving the policy and making objectives measurable converts existing goodwill into stage 1 evidence.
Strengths
Gaps (2)
The AI policy exists only as an unapproved draft; it has not been through executive sign-off or communicated to staff.
CriticalFix: Take the draft through executive approval, publish it internally, and set an annual review date. An auditor will ask for the approval record and the communication evidence, not just the document.
AI management objectives are aspirational statements without measures, owners, or tracking.
HighFix: Convert the three stated ambitions into measurable objectives with named owners and a quarterly reporting line into management review.
AI Impact Assessment
This is the domain standing between NovaLend and stage 1. Nothing is documented, so from an audit standpoint nothing exists - despite fair-lending analysis quietly happening in development. Adopt the procedure, run it retrospectively on both models, and define re-assessment triggers.
Strengths
Gaps (2)
No documented AI impact assessment process exists; impacts on borrowers are considered informally during development and nothing is recorded.
CriticalFix: Adopt an impact assessment procedure with defined triggers and criteria covering individuals, groups, and society. Run it retrospectively on both production models so completed assessments exist before stage 1.
No re-assessment triggers are defined - a model change or drift event would not force an impact review.
HighFix: Define triggers (drift threshold breach, purpose change, new user population, regulatory change) and wire them to the monitoring alerts that already exist.
AI System Lifecycle Controls
The strongest domain and a genuine differentiator: gated deployments, rollback plans, decision-level logging. The only material finding is inconsistent V&V records - a template and a repository, not a rebuild.
Strengths
Gaps (1)
Verification and validation is thorough but acceptance criteria vary by team and results are scattered across notebooks and tickets.
MediumFix: Standardise a V&V record template with defined acceptance criteria per model class and store completed records in the controlled document repository.
Data for AI Systems
Pipelines are reproducible, which is the hard part. The gap is evidentiary: provenance and usage rights for bureau data are known but not written down. One provenance record per dataset closes it.
Strengths
Gaps (1)
Provenance for the credit bureau training data is known informally but usage rights and transformations are not documented.
HighFix: Create a provenance record per training dataset: source, rights basis, transformation lineage. Attach it to the model documentation pack.
Transparency & Responsible Use
Human review of declines is a real oversight control. The disclosure gap is the inverse: the information exists but not where a borrower can find it. A plain-language notice with a contest path closes both A.8 and EU AI Act exposure.
Strengths
Gaps (1)
Borrower-facing AI disclosure is buried in the terms of service; there is no plain-language notice or recourse path.
HighFix: Add a plain-language AI notice at the decision point stating purpose, limitations, and how to contest an outcome. Log contests as AI concerns.
Third Parties & Customers
Customer-facing documentation is ahead of market; supplier contracts are behind it. Neither foundation-model contract contemplates AI-specific obligations - fix at renewal rather than mid-term.
Strengths
Gaps (1)
The two foundation-model supplier contracts predate AI diligence: no change-notification, incident-support, or audit-access clauses.
MediumFix: Add AI-specific clauses at renewal and record a responsibility allocation (who validates, who monitors, who answers for failures) for each supplier.
Audit & Certification Readiness
The weakest domain, and the one that gates stage 2. No internal audit has happened and documents live in three ungoverned tools. Consolidate first, then audit against the approved policy set.
Strengths
Gaps (2)
No internal audit of the AI management system has ever been performed.
CriticalFix: Plan and execute a first internal AIMS audit - scoped to the policy set and the two production models - with findings tracked to closure. Certification bodies will not schedule stage 2 without it.
AIMS documentation lives across three tools with no version or approval control.
HighFix: Consolidate into one controlled repository with versioning, approvals, and retention rules. Start with the policy set and impact assessments.
90-day remediation roadmap
Days 0-30 - Establish the management system core. Approve and communicate the AI policy. Convert ambitions into measurable objectives with owners. Adopt the impact assessment procedure and run it retrospectively on the credit-scoring and fraud models. Publish the plain-language borrower notice. Days 31-90 - Implement and evidence the Annex A controls. Consolidate AIMS documentation into one controlled repository. Produce provenance records for all training datasets. Standardise V&V records. Define drift and change triggers that re-open impact assessments. Execute the first internal AIMS audit and track findings to closure. Days 91-180 - Prove the loop. Hold a management review with the standard inputs and minute its decisions. Close audit findings with effectiveness checks. Add AI clauses to supplier contracts at renewal. Engage a certification body for stage 1, using the Statement of Applicability and this report as the briefing pack.