Vodafone Workspace
CISO Steering Pack
This page is the weekly review surface: decisions, concentration risks, top entities, and the export actions a group CISO actually needs.
Decisions this week
8
Items needing central approval or intervention
Entities for review
52
Active steering population
Provider lanes
3
AI provider concentration in use
Pack cadence
Weekly
Tuesday operating review
Steering decisions
Escalate VF AI Framework into group remediation review
Assign central engineering support and freeze unapproved production AI changes for 14 days.
The highest-exposure entities now combine critical repos, overdue actions, and unapproved AI systems.
Reduce Azure OpenAI concentration in high-risk systems
Approve a fallback routing pattern and require review of all customer-facing assistants in the top 10 entities.
Provider concentration is stacking operational and model-risk exposure into the same service chains.
Recover stale evidence collectors across the worst repo clusters
Prioritize evidence-collector and repo-scanner remediation in Tier 1 release paths before next steering meeting.
Stale evidence is preventing clean explanation of control status across multiple operating companies.
Close overdue temporary waivers on production AI systems
Force renew, close, or replace all overdue exceptions with explicit compensating controls.
The current waiver backlog is obscuring whether risky systems are genuinely governed or simply tolerated.
Mandate SOC 2 Type II for all Vodafone Egypt subprocessors
Require SOC 2 Type II attestation from every third-party subprocessor handling Vodafone Egypt customer data by end of Q2.
Subprocessor assurance gaps in the Egypt region are creating unquantified third-party risk across the Africa portfolio.
Review Azure OpenAI data residency compliance for EU entities
Audit all Azure OpenAI deployments across EU operating companies to confirm data residency alignment with GDPR and local DPA requirements.
Recent Azure region changes have introduced uncertainty about whether inference data remains within EU sovereign boundaries.
Extend exception waiver for legacy Vodacom billing system
Grant a 90-day extension on the existing production waiver while the billing platform migration completes Phase 2.
The legacy billing system cannot meet current control standards, but migration is underway and a hard cutoff would disrupt revenue-critical processes.
Approve updated AI model risk framework for Tier 1 systems
Ratify the revised model risk framework that introduces mandatory red-teaming, bias testing, and drift monitoring for all Tier 1 AI systems.
The current framework predates the scale of production AI deployment and lacks enforceable guardrails for the highest-impact systems.
Review packet contents
1. Top 10 entities by exposure and posture decline.
2. Tier 1 repo concentration and failing release lanes.
3. AI systems missing approval, prompt registration, or provenance confidence.
4. Overdue waivers and compensating controls that need renewal or closure.
5. Evidence freshness clusters blocking defensible assurance statements.
Provider concentration
Azure OpenAI
68 systemsMistral
69 systemsPerplexity
67 systemsEntities needing steering review
| Entity | Exposure | Critical repos | Overdue | AI gaps | Top concern |
|---|---|---|---|---|---|
| VF AI Framework | 133 | 4 | 2 | 3 | Change management |
| Vodafone Finance Platforms | 118 | 5 | 0 | 3 | Observability and evidence |
| Vodafone Ireland | 116 | 7 | 0 | 2 | Change management |
| Vodafone Developer Experience | 112 | 7 | 0 | 3 | Evidence collection |
| Vodafone CRM Platforms | 110 | 6 | 2 | 1 | Change management |
| Vodafone HR Platforms | 108 | 5 | 1 | 2 | AI governance |
| Vodafone Group Security | 107 | 4 | 2 | 3 | Identity controls |
| Vodafone Malta | 107 | 4 | 0 | 3 | Knowledge provenance |
| VF Digital & IT Innovation Center | 106 | 5 | 1 | 3 | Observability and evidence |
| VF Telemetry & Troubleshooting | 101 | 5 | 0 | 2 | Access control |
| Vodafone Procurement Systems | 99 | 6 | 1 | 2 | Observability and evidence |
| Vodafone Italy | 98 | 4 | 1 | 3 | Provider concentration |