Implementation Layer

AI Governance Controls

Operational controls for real-world enterprise AI systems — organized by domain, mapped to regulations, with maturity levels and implementation guidance.

HOC

Human Oversight

Review gates, approval workflows, and override mechanisms for AI decisions.

6 controls

AGT

Agentic AI

Goal constraints, action boundaries, and escalation paths for autonomous AI agents.

8 controls

SEC

Security

Adversarial input defense, prompt injection protection, and model access controls.

5 controls

ALC

Audit & Logging

Immutable records of AI decisions, inputs, outputs, and model versions.

5 controls

CHM

Change Management

Model release governance, version rollback, and change approval workflows.

5 controls

DGC

Data Governance

Training data provenance, privacy controls, and data retention policies.

5 controls

MON

Monitoring & Drift

Performance drift detection, anomaly alerting, and operational dashboards.

5 controls

SAF

Safety & Reliability

Graceful degradation, fail-safe defaults, and reliability under adversarial inputs.

5 controls

IRC

Incident Response

Containment, investigation, and remediation procedures for AI system failures.

5 controls

PRC

Procurement

Third-party AI vendor due diligence, contractual obligations, and offboarding.

5 controls

Filter:

HOC AGT SEC ALC CHM DGC MON SAF IRC PRC

Low effort Medium effort High effort

Agent-relevant

Clear all

12 controls matching filters

HOC

Human Oversight

2 controls

HOC-003

low

AI Output Review Workflow

Define a structured, documented process for reviewing AI outputs before they are acted upon or distributed.

HOC-006

Agentlow

Override and Escalation Procedures

Document the procedures, authority levels, and logging requirements when humans reject, modify, or escalate AI-generated decisions.

SEC

Security

1 control

SEC-004

Agentlow

AI API Credential Management

Securely manage, rotate, and audit API keys and credentials used to access AI services and model providers.

ALC

Audit & Logging

1 control

ALC-003

low

AI Log Retention Policy

Define how long AI decision logs, audit trails, and system logs are retained, in what format, and the procedures for their eventual deletion.

CHM

Change Management

3 controls

CHM-001

Agentlow

AI Model Version Control

Track model versions, configurations, prompts, and deployment history so that any production state can be reproduced and compared.

CHM-004

low

AI Model Change Documentation

Record what changed between model versions, why the change was made, what testing was performed, and who approved the deployment.

CHM-005

low

Model Deprecation Procedure

Define the process for retiring AI models from production, including notification, data handling, audit trail preservation, and transition planning.

MON

Monitoring & Drift

1 control

MON-001

low

AI Performance Baseline

Establish documented, quantified performance baselines for production AI systems against which ongoing performance can be compared.

IRC

Incident Response

3 controls

IRC-001

Agentlow

AI Incident Classification

Define a taxonomy for AI incidents that categorizes events by type and severity, determining the appropriate response urgency and notification requirements.

IRC-004

Agentlow

AI Post-Incident Review

Conduct a structured review after every significant AI incident to identify root causes, contributing factors, and systemic improvements.

IRC-005

Agentlow

AI Incident Log and Tracking

Maintain a centralized, structured log of all AI incidents, near-misses, and governance concerns, accessible to the AI governance function.

PRC

Procurement

1 control

PRC-004

low

Vendor AI Incident Notification Requirements

Require AI vendors to notify the organization of incidents affecting their AI systems within defined timeframes and with specified information.