Birchlow Assessment Framework v1.0

The assessment framework.

The only independently verified certificate covering DPIA evidence, bias documentation and ethical compliance in a single assessment.

Five domains. 100 points. One standard for AI governance in UK public sector procurement.

NHS Legal Requirements Compliance Mapping

How Birchlow domains map to the three NHS procurement legal requirements

Birchlow DomainNHS Legal RequirementPoints
Data GovernanceDPIA evidence25pts
Operational IntegrityBias documentation20pts
Transparency + AccountabilityEthical concern documentation35pts

Assessment Domains

01

Transparency

Maps to: Ethical concern documentation

25
points
1
Model Documentation
The vendor maintains a current model card or equivalent documentation describing the AI system's purpose, capabilities, known limitations and intended deployment contexts.
2
Explainability Standards
The vendor can demonstrate how the AI system produces outputs, with appropriate explainability mechanisms in place for the deployment context and risk level.
3
Capability Boundaries
Clear documentation exists defining what the system will and will not do, including failure modes, out-of-scope queries and confidence thresholds.
02

Data Governance

Maps to: DPIA evidence

25
points
1
Data Protection Impact Assessment
A completed and current DPIA exists for the AI system, covering training data, inference data and any personal data processed during deployment.
2
Data Lineage and Provenance
The vendor can demonstrate the origin, transformation and use of training and operational data, including any third-party data sources.
3
Retention and Deletion Controls
Documented data retention schedules exist and are enforced with verified deletion processes for personal data upon request or expiry.
03

Risk Management

Maps to: PPN 017 / G-Cloud risk controls

20
points
1
AI Risk Register
A live risk register specific to the AI system exists, covering model risks, data risks, deployment risks, and third-party dependencies, with assigned owners and review dates.
2
Incident Response Procedure
A documented incident response procedure exists for AI-specific failures, including model degradation, bias incidents, data breaches, and adversarial attacks.
3
Adversarial Testing
Evidence of red-teaming, adversarial testing, or equivalent stress-testing against the AI system prior to deployment and at defined intervals thereafter.
04

Operational Integrity

Maps to: Bias documentation

20
points
1
Bias Evaluation Documentation
Written bias evaluation reports exist covering protected characteristics relevant to the deployment context, with methodology, findings, and any mitigations applied.
2
Performance Monitoring
Continuous monitoring is in place for model performance in production, with defined thresholds for degradation alerts and documented escalation procedures.
3
Model Drift Controls
Processes exist to detect and respond to model drift, including scheduled re-evaluation intervals, retraining triggers, and rollback procedures.
05

Accountability

Maps to: Named governance leads

10
points
1
Named Governance Leads
A named individual or function holds accountability for AI governance within the organisation, with documented responsibilities and escalation paths.
2
Complaints and Escalation
A documented process exists for customers or affected parties to raise concerns about AI system outputs, with defined response times and resolution procedures.
3
Third-Party Audit Readiness
The vendor can demonstrate readiness for independent audit, with governance documentation accessible, version-controlled, and assigned to named owners.

Scoring bands

Platinum90–100

Exemplary governance. All domains fully evidenced. Recommended for high-risk public sector deployments.

Gold75–89

Strong governance with minor gaps. Suitable for most public sector procurement frameworks.

Silver60–74

Adequate governance with identified remediation requirements. Conditional acceptance on some frameworks.

ProvisionalBelow 60

Significant gaps identified. Certification issued with mandatory remediation plan and 6-month re-assessment.