The standard every iDharma audit is measured against.
A published, evidence-based methodology for independently assessing whether the AI you run is accurate, fair, secure, and compliant — mapped to the frameworks that matter, so every finding is traceable to evidence, not opinion.
- Governance Medium
- Data provenance High
- Bias & fairness Low
- Security Medium
- Compliance High
Illustrative — how a completed assessment reads once the rubric is applied.
Five dimensions across your AI — governance, data, fairness, security, and compliance.
NIST AI RMF, ISO/IEC 42001, EU AI Act, SOC 2, HIPAA, and India DPDP.
The iDharma team — independent of the systems being reviewed.
A prioritized, board-ready report with severity ratings and a fix-first roadmap.
Five dimensions, checked against evidence
Every audit rates your AI on the same five dimensions — the ones that decide whether a system is trustworthy in production.
Governance
Is there a written, owned AI policy? We check accountability, oversight, a current model inventory, and change control — who is responsible when the system is wrong.
Data provenance
Where training and input data come from — lineage, consent, quality, and whether the data itself carries bias or gaps that the model inherits.
Bias & fairness
Whether outputs have been tested for disparate impact across groups, how recently, and whether fairness is monitored rather than assumed.
Security
Resistance to adversarial and prompt-injection attacks, access controls, data protection, and tamper-evident logging over the system's lifetime.
Compliance
How the system maps to the regulations you actually answer to — the EU AI Act's high-risk obligations, HIPAA for health data, India DPDP, SOC 2, and sector-specific rules — and where the gaps are.
Findings trace to a clause, not an opinion
Each rating is tied to specific provisions of the frameworks below, so a board, a customer, or a regulator can see exactly what it's measured against.
NIST AI RMF
The Govern, Map, Measure, and Manage functions — our dimensions align to each.
ISO/IEC 42001
AI management-system controls: policy, roles, risk treatment, and continual improvement.
EU AI Act
High-risk obligations (Art. 9–15): risk management, data governance, logging, oversight, robustness.
SOC 2
Security, availability, and confidentiality criteria for the systems handling your data.
HIPAA
Protected health information handling where AI touches patient or member data.
India DPDP
The Digital Personal Data Protection Act — consent, purpose limitation, and data-principal rights.
From scope to report, in five steps
A productized process — scoped with you up front, evidence-led throughout, and never charged before you approve the scope.
Scope
We agree the systems, dimensions, and depth with you before anything is charged — you approve the scope first.
Evidence
We collect the documentation, data lineage, model cards, logs, and any prior assessments the system already has.
Testing
We probe the system where access allows — bias and fairness tests, adversarial and prompt-injection checks, and control verification.
Review
Findings are rated against the exposure rubric and cross-checked against the mapped standards, so nothing rests on a single reviewer's opinion.
Report
You receive a prioritized, board-ready report — a rating per dimension, findings with evidence, and a remediation roadmap.
What counts as proof
Evidence, not assertion
Every rating traces to something concrete — a document, a test result, a log. A verbal assurance on its own is not evidence.
Gaps aren't assumed away
Where a control can't be evidenced, it's rated as a gap — not quietly assumed compliant. Absence of proof is a finding.
Method is disclosed
Testing is hands-on where access allows and documentation-based where it doesn't — and the report states which was used for each finding.
How exposure is rated
Each dimension gets one of three exposure ratings, on defined criteria. The scale is the same one your AI Risk Snapshot uses.
| Rating | What it means |
|---|---|
| Low | Controls are documented, owned, and evidenced; the dimension meets the mapped standard. |
| Medium | Controls exist but are partial, informal, or carry gaps that need to be closed — not urgent, but not clean. |
| High | Controls are missing or inadequate; material exposure that warrants priority remediation. |
A read you can act on — and defend
A rating per dimension & overall
Low / Medium / High across all five dimensions, plus the overall exposure — the same picture your board sees at a glance.
Findings with evidence
Each finding carries its severity, the evidence behind it, and the standard clause it maps to.
A prioritized roadmap
What to fix first — sequenced by exposure, so remediation effort goes where the risk actually is.
Compliance mapping
How your system lines up against the frameworks that apply to you, and where the gaps sit.
The same methodology runs at three depths — Quick Scan, Compliance, and Risk. See what each tier covers →
Independent of the systems reviewed
Conducted by the iDharma team
Every audit is run by the iDharma team. We don't build or sell the AI we assess — that independence from the system under review is exactly what makes the report defensible to a board or a regulator.
Applied consistently
The same published methodology and rubric apply to every engagement, so two audits of comparable systems are comparable — the standard doesn't move with the reviewer.
Scope & limitations — stated plainly
- An iDharma audit is an independent, standards-based assessment — it is not a certification, accreditation, or legal advice, and it does not confer regulatory approval.
- It is a point-in-time review, based on the evidence provided and the scope agreed. AI systems change; a clean audit is a snapshot, not a permanent guarantee.
- Findings reflect the evidence available at the time. An audit reduces and surfaces risk — it does not eliminate it, and it doesn't guarantee a particular outcome with any regulator.
- Sample reports are illustrative and built for fictional companies to show format and depth; they are not records of real clients.
Published, owned, and versioned
This methodology is maintained by the iDharma team and published openly, so clients and their stakeholders can see exactly what an audit measures. Material changes bump the version, and the history is on the record below.
Superseded editions are kept on record and available on request.
See the standard applied to your AI.
An iDharma audit runs this methodology against the systems you actually operate — and hands you a clear, prioritized read you can act on and defend.
This page describes iDharma's verification methodology (current edition v1.1) and how our audits are structured. It is provided for transparency and is not a contract, warranty, or guarantee. An audit is an independent assessment against this published standard — it informs your decisions but is not a certification or a guarantee that any system is safe or compliant, and findings are specific to each engagement's scope. Nothing here is legal advice.