Implementation Layer
AI Governance Controls
Operational controls for real-world enterprise AI systems — organized by domain, mapped to regulations, with maturity levels and implementation guidance.
Not sure where to start? Answer 3 questions and get a tailored compliance action plan.
What applies to me? →Human Oversight
Review gates, approval workflows, and override mechanisms for AI decisions.
7 controls
AGTAgentic AI
Goal constraints, action boundaries, and escalation paths for autonomous AI agents.
24 controls
SECSecurity
Adversarial input defense, prompt injection protection, and model access controls.
5 controls
ALCAudit & Logging
Immutable records of AI decisions, inputs, outputs, and model versions.
5 controls
CHMChange Management
Model release governance, version rollback, and change approval workflows.
5 controls
DGCData Governance
Training data provenance, privacy controls, and data retention policies.
6 controls
MONMonitoring & Drift
Performance drift detection, anomaly alerting, and operational dashboards.
6 controls
SAFSafety & Reliability
Graceful degradation, fail-safe defaults, and reliability under adversarial inputs.
6 controls
IRCIncident Response
Containment, investigation, and remediation procedures for AI system failures.
6 controls
PRCProcurement
Third-party AI vendor due diligence, contractual obligations, and offboarding.
15 controls
CMPRegulatory Compliance
Multi-jurisdiction regulatory mapping, standards monitoring, and compliance architecture for AI systems.
10 controls
BRDBoard & Executive Governance
Board education, committee charters, executive reporting, risk appetite, and enterprise-wide AI governance program design.
9 controls
MGVModel & Program Governance
Model lifecycle policy, intake and approval workflows, evaluation frameworks, and program-level AI governance maturity.
9 controls
SCTSector-Specific & Emerging
Healthcare, insurance, critical infrastructure, national security, and emerging-use-case controls not covered by domain-general frameworks.
9 controls
27 controls matching filters
Agentic AI
6 controlsAgent Permission Boundaries
Apply least-privilege principles to AI agents by explicitly defining and enforcing the tools, APIs, data sources, and actions each agent is authorized to access.
Multi-Agent Trust Hierarchy
Define explicit rules for which agents can instruct, invoke, or delegate authority to other agents in multi-agent systems.
Agent Environment Isolation
Run AI agents in isolated execution environments that limit their ability to access host systems, network resources, or data beyond what their task requires.
Agent and Non-Human Identity Management
Issue every AI agent a distinct, bounded identity with scoped credentials, a defined lifecycle, and access controls — rather than sharing service accounts or running under user identities.
Agent Behavior Monitoring and Anomaly Detection
Continuously monitor deployed agents for behavioral drift, unusual tool call patterns, unexpected resource consumption, and actions outside their defined operational envelope.
Agentic AI Security Assessment — CBRN and Cyber Espionage
Conduct a threat-model assessment of agentic AI deployments covering high-consequence misuse vectors, including chemical, biological, radiological, and nuclear (CBRN) facilitation and AI-orchestrated cyber espionage, and implement mitigations proportionate to the identified risk.
Audit & Logging
1 controlData Governance
2 controlsTraining Data Provenance
Track and document the origin, composition, licensing, and preprocessing history of data used to train or fine-tune AI models.
Cross-Border Data Transfer Controls for AI
Govern the international transfer of personal data through AI systems, including data sent to AI API providers, training pipelines, and cloud infrastructure in other jurisdictions.
Monitoring & Drift
2 controlsAI Bias and Fairness Monitoring
Continuously monitor AI system outputs for discriminatory patterns across protected demographic attributes in production.
Behavioral Anomaly Detection for Agentic Systems
Implement monitoring that detects when AI agents deviate from their expected behavioral envelope — unusual action sequences, unexpected resource access, or goal-directed behavior inconsistent with assigned tasks.
Safety & Reliability
2 controlsHallucination Detection and Mitigation
Implement controls to detect, reduce, and manage AI-generated factual errors and fabrications before they reach end users or inform decisions.
Post-Deployment Adversarial Testing Cadence
Schedule and execute recurring adversarial testing of production AI systems on a risk-tiered cadence, separate from and in addition to pre-deployment red-teaming.
Procurement
1 controlRegulatory Compliance
4 controlsMulti-Jurisdiction AI Regulatory Compliance Mapping
Maintain a structured map of AI regulatory obligations across all operating jurisdictions, identifying where requirements diverge, conflict, or demand simultaneous compliance.
EU AI Act Conformity Assessment and FRIA Process
Implement the EU AI Act's conformity assessment pathway for high-risk AI systems, including technical documentation, notified body engagement where required, and fundamental rights impact assessment.
AI Hardware Provenance and Export Control Compliance
Document the origin and supply chain of AI-relevant hardware (GPUs, specialized chips) and screen all AI infrastructure procurement against applicable export control regulations.
AI Use in Regulatory Reporting and Risk Modeling
Map all AI system use cases in regulatory reporting, stress testing, and risk modeling to supervisory expectations, and document how AI outputs are validated before submission to regulators.
Board & Executive Governance
2 controlsFederated AI Governance Design
Design the accountability model for AI governance across distributed deployments, defining the balance between central control and business unit autonomy, and the escalation path when BU-level governance is insufficient.
Unified Multi-Framework AI Risk Register
Maintain a single AI risk register that consolidates obligations from multiple frameworks (NIST AI RMF, ISO 42001, EU AI Act, sector regulations) into a unified view, eliminating duplication and identifying where a single control satisfies multiple requirements.
Model & Program Governance
2 controlsContinuous AI Assurance Function Design
Design and operate an ongoing AI assurance function that generates regular evidence of control effectiveness across the AI governance program, moving beyond point-in-time audits to a continuous model that provides the board, regulators, and enterprise customers with current assurance on AI governance posture.
RAI Benchmark-Aligned Evaluation Framework
Map internal AI system evaluations to published responsible AI benchmarks and standards (HELM Safety, AIR-Bench, FACTS, and equivalents) to produce evaluation evidence that is interpretable against an independent external standard by regulators, auditors, and enterprise customers.
Sector-Specific & Emerging
3 controlsClinical AI Governance Committee Charter
Establish a healthcare-specific AI governance committee with clinical and technical expertise, defined quorum and decision rights, escalation authority over AI systems involved in clinical decision support and patient care, and a review cadence aligned to FDA Software as a Medical Device (SaMD) guidance and applicable state clinical standards.
Critical Infrastructure AI Risk Assessment and Containment
Define a sector-specific risk assessment process for AI systems deployed in critical infrastructure environments — including energy, water, transportation, and financial market infrastructure — that addresses operational technology (OT) blast-radius containment, consequence-of-failure analysis, and cross-sector dependency risk distinct from standard enterprise AI risk frameworks.
National Security and Dual-Use AI Risk Assessment
Establish a risk assessment process for AI systems and AI research activities that could constitute dual-use technology — with applications in both commercial and national security or weapons contexts — addressing BIS export control obligations, ITAR compliance for defense applications, dual-use research of concern protocols, and foreign adversarial misuse monitoring.
