Verification Methodology · Version 1.1

The standard every iDharma audit is measured against.

A published, evidence-based methodology for independently assessing whether the AI you run is accurate, fair, secure, and compliant — mapped to the frameworks that matter, so every finding is traceable to evidence, not opinion.

Sample assessment Illustrative
  • Governance Medium
  • Data provenance High
  • Bias & fairness Low
  • Security Medium
  • Compliance High
Overall exposure High

Illustrative — how a completed assessment reads once the rubric is applied.

Version 1.1 Last updated 1 July 2026 Maintained by the iDharma team Published & open
What it assesses

Five dimensions across your AI — governance, data, fairness, security, and compliance.

Frameworks mapped

NIST AI RMF, ISO/IEC 42001, EU AI Act, SOC 2, HIPAA, and India DPDP.

Who conducts it

The iDharma team — independent of the systems being reviewed.

What you get

A prioritized, board-ready report with severity ratings and a fix-first roadmap.

What we assess

Five dimensions, checked against evidence

Every audit rates your AI on the same five dimensions — the ones that decide whether a system is trustworthy in production.

Governance

Is there a written, owned AI policy? We check accountability, oversight, a current model inventory, and change control — who is responsible when the system is wrong.

Data provenance

Where training and input data come from — lineage, consent, quality, and whether the data itself carries bias or gaps that the model inherits.

Bias & fairness

Whether outputs have been tested for disparate impact across groups, how recently, and whether fairness is monitored rather than assumed.

Security

Resistance to adversarial and prompt-injection attacks, access controls, data protection, and tamper-evident logging over the system's lifetime.

Compliance

How the system maps to the regulations you actually answer to — the EU AI Act's high-risk obligations, HIPAA for health data, India DPDP, SOC 2, and sector-specific rules — and where the gaps are.

Mapped to the standards that matter

Findings trace to a clause, not an opinion

Each rating is tied to specific provisions of the frameworks below, so a board, a customer, or a regulator can see exactly what it's measured against.

NIST AI RMFISO/IEC 42001EU AI Act SOC 2HIPAAIndia DPDP

NIST AI RMF

The Govern, Map, Measure, and Manage functions — our dimensions align to each.

ISO/IEC 42001

AI management-system controls: policy, roles, risk treatment, and continual improvement.

EU AI Act

High-risk obligations (Art. 9–15): risk management, data governance, logging, oversight, robustness.

SOC 2

Security, availability, and confidentiality criteria for the systems handling your data.

HIPAA

Protected health information handling where AI touches patient or member data.

India DPDP

The Digital Personal Data Protection Act — consent, purpose limitation, and data-principal rights.

How an audit is conducted

From scope to report, in five steps

A productized process — scoped with you up front, evidence-led throughout, and never charged before you approve the scope.

Scope

We agree the systems, dimensions, and depth with you before anything is charged — you approve the scope first.

Evidence

We collect the documentation, data lineage, model cards, logs, and any prior assessments the system already has.

Testing

We probe the system where access allows — bias and fairness tests, adversarial and prompt-injection checks, and control verification.

Review

Findings are rated against the exposure rubric and cross-checked against the mapped standards, so nothing rests on a single reviewer's opinion.

Report

You receive a prioritized, board-ready report — a rating per dimension, findings with evidence, and a remediation roadmap.

Evidence & testing standards

What counts as proof

Evidence, not assertion

Every rating traces to something concrete — a document, a test result, a log. A verbal assurance on its own is not evidence.

Gaps aren't assumed away

Where a control can't be evidenced, it's rated as a gap — not quietly assumed compliant. Absence of proof is a finding.

Method is disclosed

Testing is hands-on where access allows and documentation-based where it doesn't — and the report states which was used for each finding.

Scoring & ratings

How exposure is rated

Each dimension gets one of three exposure ratings, on defined criteria. The scale is the same one your AI Risk Snapshot uses.

RatingWhat it means
LowControls are documented, owned, and evidenced; the dimension meets the mapped standard.
MediumControls exist but are partial, informal, or carry gaps that need to be closed — not urgent, but not clean.
HighControls are missing or inadequate; material exposure that warrants priority remediation.
Overall exposure = the weakest link. If any single dimension is High, overall exposure is High; otherwise if any is Medium, it's Medium; otherwise Low. Overall risk is driven by the biggest gap, and stating it conservatively is the honest call — a system is only as trustworthy as its weakest dimension.
What the report delivers

A read you can act on — and defend

A rating per dimension & overall

Low / Medium / High across all five dimensions, plus the overall exposure — the same picture your board sees at a glance.

Findings with evidence

Each finding carries its severity, the evidence behind it, and the standard clause it maps to.

A prioritized roadmap

What to fix first — sequenced by exposure, so remediation effort goes where the risk actually is.

Compliance mapping

How your system lines up against the frameworks that apply to you, and where the gaps sit.

The same methodology runs at three depths — Quick Scan, Compliance, and Risk. See what each tier covers →

Who conducts the audit

Independent of the systems reviewed

Conducted by the iDharma team

Every audit is run by the iDharma team. We don't build or sell the AI we assess — that independence from the system under review is exactly what makes the report defensible to a board or a regulator.

Applied consistently

The same published methodology and rubric apply to every engagement, so two audits of comparable systems are comparable — the standard doesn't move with the reviewer.

As iDharma grows its bench of independent expert auditors, they will be listed here and held to this same published standard. Today, that work is done by the iDharma team.

Scope & limitations — stated plainly

  • An iDharma audit is an independent, standards-based assessment — it is not a certification, accreditation, or legal advice, and it does not confer regulatory approval.
  • It is a point-in-time review, based on the evidence provided and the scope agreed. AI systems change; a clean audit is a snapshot, not a permanent guarantee.
  • Findings reflect the evidence available at the time. An audit reduces and surfaces risk — it does not eliminate it, and it doesn't guarantee a particular outcome with any regulator.
  • Sample reports are illustrative and built for fictional companies to show format and depth; they are not records of real clients.
Governance & transparency

Published, owned, and versioned

This methodology is maintained by the iDharma team and published openly, so clients and their stakeholders can see exactly what an audit measures. Material changes bump the version, and the history is on the record below.

v1.1 Current1 Jul 2026
Formalized the Low/Medium/High exposure rubric and the weakest-link overall rule; expanded framework mapping to the EU AI Act and India DPDP.
v1.0 ArchivedJun 2026
Initial published methodology at audit launch — the five assessment dimensions and the core framework mapping.

Superseded editions are kept on record and available on request.

See the standard applied to your AI.

An iDharma audit runs this methodology against the systems you actually operate — and hands you a clear, prioritized read you can act on and defend.

This page describes iDharma's verification methodology (current edition v1.1) and how our audits are structured. It is provided for transparency and is not a contract, warranty, or guarantee. An audit is an independent assessment against this published standard — it informs your decisions but is not a certification or a guarantee that any system is safe or compliant, and findings are specific to each engagement's scope. Nothing here is legal advice.