# Q1 2026 Findings & Action Items Register

**Tenant:** Lumen.health
**Review:** Q1 2026 ISMS+AIMS Quarterly Review
**Issued:** 03 Apr 2026
**Maintained by:** Priya Ramaswamy, Compliance Lead

23 action items raised; 19 close in Q2 2026; 4 carry into Q3 2026.

---

## Action items closing in Q2 2026 (19)

### AI Governance (5)

| # | Action | Owner | Due | Acceptance criteria |
|---|---|---|---|---|
| AI-Q1-01 | Deliver RAG retrieval impact assessment | Lukas Berg | 30 Apr 2026 | Document published in Vanta + reviewed by Aisha |
| AI-Q1-02 | Refresh agent-runtime impact assessment | Lukas Berg | 31 May 2026 | Update to current Q1 agent stack |
| AI-Q1-03 | Refresh patient-intake guardrails impact assessment | Lukas Berg | 31 May 2026 | Document the Q1 guardrail policy changes |
| AI-Q1-04 | Confirm 7/7 AI systems inventoried in monthly snapshot | Lukas Berg | 30 Jun 2026 | Vanta `ai-system-inventory-current` test green |
| AI-Q1-05 | Trigger Q2 AIUC-1 quarterly evaluation | Lukas Berg | 30 Jun 2026 | Eval report uploaded to Vanta |

### Security & CISO (6)

| # | Action | Owner | Due | Acceptance criteria |
|---|---|---|---|---|
| SEC-Q1-01 | Execute IRP tabletop (per D-2026-Q1-04) | Aisha Khan | 02 May 2026 | Tabletop record + lessons-learned doc uploaded |
| SEC-Q1-02 | Execute DR tabletop (per D-2026-Q1-04) | Aisha Khan | 03 May 2026 | Tabletop record + RTO/RPO observation |
| SEC-Q1-03 | Execute pen-test (per D-2026-Q1-03) | Aisha Khan | 31 May 2026 | Final report received; remediation tickets opened for all High/Critical |
| SEC-Q1-04 | Rotate 3 MFA-exception service accounts to FIDO2 | Aisha Khan | 31 May 2026 | `mfa-on-all-prod-accounts` test green |
| SEC-Q1-05 | Re-score 6 vendors flagged in `vendor-risk-score-monthly` | Aisha Khan | 15 May 2026 | All 6 vendors with current monthly score |
| SEC-Q1-06 | Sign 3 contractor acceptable-use policies | Aisha Khan | 30 Apr 2026 | All 3 signed; `signed-acceptable-use-policy` test green |

### Engineering & CTO (5)

| # | Action | Owner | Due | Acceptance criteria |
|---|---|---|---|---|
| ENG-Q1-01 | Encrypt staging-db at rest (EG-002) | Marco Esposito | 15 May 2026 | `prod-db-encryption-at-rest` test green |
| ENG-Q1-02 | Re-run change-control evidence monthly check after tooling patch | Marco Esposito | 15 Apr 2026 | `change-control-evidence-monthly` test green |
| ENG-Q1-03 | Re-run TLS cert rotation evidence capture | Marco Esposito | 15 Apr 2026 | `tls-cert-rotation-evidence` test green |
| ENG-Q1-04 | Re-apply DLP policy and capture evidence | Marco Esposito | 30 Apr 2026 | `dlp-policy-applied-evidence` test green |
| ENG-Q1-05 | Document secure development evidence (CC8.1) | Marco Esposito | 31 May 2026 | `secure-development-evidence` test green |

### Privacy / DPO (3)

| # | Action | Owner | Due | Acceptance criteria |
|---|---|---|---|---|
| DPO-Q1-01 | Verify 2 pending DSAR deletion requests | Anne Verwoerd | 15 Apr 2026 | `customer-data-deletion-evidence` test green |
| DPO-Q1-02 | Update subprocessor list with new RAG vendor | Anne Verwoerd | 30 Apr 2026 | `subprocessor-list-current` test green |
| DPO-Q1-03 | Capture DSAR response time evidence (running average) | Anne Verwoerd | 30 Jun 2026 | `dsar-response-time-evidence` test green |

## Action items carrying into Q3 2026 (4)

| # | Action | Owner | Due | Reason for slip |
|---|---|---|---|---|
| AI-Q1-06 | Publish refreshed AIMS policy (per D-2026-Q1-05) | Lukas Berg | 30 Jul 2026 | Depends on legal review (target 20 Apr); allow Q2 to operationalise |
| AI-Q1-07 | AIUC-1 evidence-pack v2 (mapped to ISO 42001 A.9.2) | Lukas Berg | 30 Sep 2026 | Multi-quarter effort; coordinated with AIUC-1 evaluator |
| SEC-Q1-07 | Customer-communication-evidence (CC2.3) — quarterly update cycle | Aisha Khan | 30 Sep 2026 | Process change requires customer-ops + marketing coordination |
| ENG-Q1-06 | Full annual disaster recovery test (A1.2) | Marco Esposito | 30 Sep 2026 | DR tabletop in May is preparation; full test needs Q3 maintenance window |

## Vanta sync

All 23 action items have been pushed to the Vanta improvement log as evidence items. Owners receive daily Slack reminders 7 days before, 3 days before, and on the due date. The Compliance Lead receives a weekly status digest.

## Next checkpoint

**Mid-quarter review:** 15 May 2026, 09:00 BST (30-min stand-up).
**Full Q2 review:** 01 Jul 2026, 09:00 BST.

## Risk acceptance

No risks accepted at this review. All risks raised in `03-decisions-log.md` § Risks have mitigations assigned.
