Public-sector AI controls should define source visibility, human escalation, accessibility review, records retention, request auditability, and citizen-impact boundaries.
The checklist should be reviewed with service owners, technology, legal, policy, and frontline operators before live use.
Track each control as an operational artifact: owner, evidence, review cadence, failure mode, and remediation path.