Unified Multi-Framework AI Risk Register
Maintain a single AI risk register that consolidates obligations from multiple frameworks (NIST AI RMF, ISO 42001, EU AI Act, sector regulations) into a unified view, eliminating duplication and identifying where a single control satisfies multiple requirements.
Objective
Reduce compliance overhead and avoid control duplication by maintaining a single AI risk register that maps controls and obligations across all applicable frameworks, providing a unified view of AI risk and compliance status.
Maturity Levels
Initial
AI risks and obligations are tracked in separate siloed systems by different teams (legal, security, compliance, product). No unified view exists.
Developing
Separate risk registers exist for different frameworks or regulations. There is awareness of overlap but no systematic effort to unify or cross-reference.
Defined
A unified AI risk register maps all applicable framework requirements to internal controls. The register identifies where a single control satisfies multiple requirements and flags gaps where no control exists.
Managed
The register is maintained in a GRC tool or structured database that is accessible to all relevant stakeholders. Updates are triggered by framework changes, new deployments, and incident findings. Control effectiveness is assessed and recorded.
Optimizing
The register is integrated with the control testing program, so control effectiveness evidence feeds directly into the register. External auditors use the register as the primary governance artifact. The register is the authoritative source for board AI risk reporting.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Unified AI risk register covering all applicable framework requirements, with control mapping, ownership, and effectiveness status.
- Evidence of quarterly register updates with dated change log.
- Board or AI governance committee report based on register data showing aggregate risk and compliance posture.
Implementation Notes
Key steps
- Identify all applicable frameworks and regulations. For most organizations this includes some combination of: NIST AI RMF, ISO/IEC 42001, EU AI Act (if applicable), sector-specific requirements (SR 11-7, MAS FEAT, FDA AI/ML), and voluntary commitments.
- Extract discrete requirements from each framework. Each requirement should be a specific, testable obligation (not a principle).
- Map requirements across frameworks. Identify where two or more frameworks require the same or substantially similar controls. A bias monitoring requirement in NIST AI RMF, ISO 42001, and the EU AI Act may all be satisfied by the same internal control.
- Build the register structure:
  - Columns: requirement ID, framework, requirement description, internal control(s) that satisfy it, control owner, control effectiveness status, last assessed, evidence pointer.
  - Rows: one row per discrete requirement. Where a single control satisfies multiple requirements, it appears in multiple rows but links to the same control record.
- Populate the register with current control status. This requires input from all relevant stakeholders: Legal (regulatory mapping), CISO (security controls), AI engineering (technical controls), Compliance (process controls).
- Establish a maintenance process: the register must be updated when frameworks are updated, when new regulations become applicable, when new AI systems are deployed, and when control failures are identified.
- Use the register as the primary input to board AI risk reporting (HOC-007) and the maturity assessment (BRD-005).
Technology options
A spreadsheet is viable for organizations with a small AI portfolio. For organizations with 10+ AI systems and 3+ applicable frameworks, a GRC platform (ServiceNow GRC, Archer, LogicGate) provides the workflow automation and evidence management needed to keep the register current.
Example Implementation
Unified AI Risk Register (excerpt)
| Req ID | Framework | Requirement | Internal control | Control owner | Effectiveness | Last assessed | Evidence |
|---|---|---|---|---|---|---|---|
| NIST-GOV-1.1 | NIST AI RMF | Establish AI governance policies and procedures | AI Governance Policy v4.0 + AI Governance Committee Charter | CAIO | Effective | 2026-04 | Policy doc + meeting minutes |
| ISO-6.1.2 | ISO 42001 | Risk assessment for AI systems | AI System Risk Classification (HOC-001) | CRO | Effective | 2026-03 | Risk register |
| EU-AIA-9 | EU AI Act | Quality management system for high-risk AI | AI Governance Committee + HOC-001 + CHM-002 | CAIO | Partially effective | 2026-04 | QMS gap assessment |
| SR11-7-A | SR 11-7 | Model risk management for all models including AI/ML | MON-001 + CHM-001 + CMP-010 | CRO | Effective | 2026-02 | Model risk report |
| MAS-FEAT-3 | MAS FEAT | Fairness assessment for AI in financial services | MON-003 + DGC-004 | CRO | Partially effective | 2026-01 | Bias monitoring report — Singapore scope only |
Cross-framework efficiency note: HOC-001 (AI Risk Classification) satisfies requirements in NIST AI RMF (GOVERN 1.1, MAP 1.1), ISO 42001 (6.1.2), and EU AI Act (Article 9). Maintaining one control satisfies three framework obligations.
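As an added illustration that is not part of the original page, the following Python encodes the register rows from the key steps and the table excerpt above and derives the cross-framework mapping, the gap list, stale assessments and the aggregate posture. Control and requirement IDs are the page's own; the extra row `EU-AIA-XX` is a constructed placeholder with no control so that the gap check has something to find.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    framework: str
    controls: tuple        # internal control IDs; empty tuple means no control exists (a gap)
    owner: str
    effectiveness: str     # "Effective" | "Partially effective" | "Not assessed"
    last_assessed: str     # YYYY-MM, empty if never assessed


# Constructed register excerpt: rows mirror the table above; EU-AIA-XX is a
# hypothetical placeholder requirement with no mapped control.
REGISTER = [
    Requirement("NIST-GOV-1.1", "NIST AI RMF", ("AI-GOV-POLICY", "AI-GOV-CHARTER"), "CAIO", "Effective", "2026-04"),
    Requirement("NIST-MAP-1.1", "NIST AI RMF", ("HOC-001",), "CRO", "Effective", "2026-03"),
    Requirement("ISO-6.1.2", "ISO 42001", ("HOC-001",), "CRO", "Effective", "2026-03"),
    Requirement("EU-AIA-9", "EU AI Act", ("AI-GOV-COMMITTEE", "HOC-001", "CHM-002"), "CAIO", "Partially effective", "2026-04"),
    Requirement("SR11-7-A", "SR 11-7", ("MON-001", "CHM-001", "CMP-010"), "CRO", "Effective", "2026-02"),
    Requirement("MAS-FEAT-3", "MAS FEAT", ("MON-003", "DGC-004"), "CRO", "Partially effective", "2026-01"),
    Requirement("EU-AIA-XX", "EU AI Act", (), "CAIO", "Not assessed", ""),  # hypothetical gap row
]


def shared_controls(register, min_frameworks=2):
    """Controls that satisfy requirements in at least min_frameworks distinct frameworks."""
    frameworks = defaultdict(set)
    for r in register:
        for c in r.controls:
            frameworks[c].add(r.framework)
    return {c: sorted(f) for c, f in frameworks.items() if len(f) >= min_frameworks}


def gaps(register):
    """Requirement IDs with no internal control mapped to them."""
    return [r.req_id for r in register if not r.controls]


def stale(register, cutoff):
    """Mapped requirements whose last assessment predates cutoff (YYYY-MM compares lexically)."""
    return [r.req_id for r in register if r.controls and r.last_assessed < cutoff]


def posture(register):
    """Aggregate effectiveness counts for board reporting."""
    counts = defaultdict(int)
    for r in register:
        counts[r.effectiveness] += 1
    return dict(counts)
```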
