
The AI Governance Framework for Regulated Enterprises

How to operate a single, audit-ready AI program that satisfies NIST AI RMF 1.0, ISO/IEC 42001, and the EU AI Act — without running three parallel compliance projects.

1. What an AI governance framework actually is

An AI governance framework is the operating model that turns abstract principles — fairness, transparency, accountability, security — into enforceable controls and reproducible evidence. It is not a policy document. It is a closed loop: discover the systems in use, characterize their risk, apply controls proportional to that risk, log every decision, and feed the outcomes back into the next risk assessment.

Programs fail when they treat governance as a one-time policy exercise. Shadow AI in particular is a moving target — employees onboard new tools weekly. Continuous discovery is the foundation; everything else degrades without it.

2. The four operational pillars

Discovery

Passive identification of every AI system in use — SaaS, embedded, agentic. Build and maintain the AI-BOM.

Risk Scoring

Weighted, defensible 0–100 scores per system. Tunable factors so policy owners can justify decisions to auditors.

Policy Enforcement

Allow, redact, block, or escalate at the point of use. Dry-run every policy before enforcement.

Evidence & Audit

Immutable logs, control-coverage reports, and exportable bundles mapped to your obligations.

You can see all four pillars instrumented inside the live ShadowAI Sentinel dashboard, including the real-time SOC feed and the AI-BOM export.

3. Mapping NIST AI RMF, ISO 42001, and the EU AI Act

Run one control set. Map evidence to all three frameworks. The table below shows how core governance activities cross-walk:

Activity              | NIST AI RMF        | ISO/IEC 42001 | EU AI Act
----------------------|--------------------|---------------|----------------------------------
AI inventory          | MAP-1.1            | 6.1.2 / 8.3   | Art. 11 (technical documentation)
Risk assessment       | MAP-5, MEASURE-2   | 6.1.4         | Art. 9 (risk management)
Logging & monitoring  | MEASURE-2.7        | 8.4           | Art. 12 (record-keeping)
Incident response     | MANAGE-4           | 10.1          | Art. 73 (serious incidents)
Human oversight       | GOVERN-2           | 5.3 / 7.2     | Art. 14

4. Building a defensible risk score

A risk score is only useful if a policy owner can explain it. Use a weighted linear combination of independently observable factors:

risk = clamp(0, 100,
    w_vendor       * vendor_trust_inverse
  + w_sensitivity  * data_sensitivity
  + w_department   * department_exposure
  + w_training     * trains_on_input
  + w_residency    * region_risk
  + w_behavior     * anomaly_score
)

Default weights are documented and adjustable per organization. See the configurable weights in Settings → Risk Weights; pricing tier determines how many independent weight profiles you can run — review the deployment tiers.
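The formula above, worked through as an added example (not ShadowAI Sentinel's own code). Each factor is assumed to be normalized to 0..100 by upstream discovery; the default weights are constructed for this example and sum to 1.0, so the clamp only bites when an organization tunes the weights above that; the 80 escalation threshold comes from the FAQ below.

```python
from dataclasses import dataclass

# Constructed default weights for this example; the page says defaults are
# documented per organization but does not publish them. They sum to 1.0 so
# that six factors on a 0-100 scale yield a score on the same 0-100 scale.
DEFAULT_WEIGHTS = {
    "vendor": 0.20, "sensitivity": 0.25, "department": 0.10,
    "training": 0.15, "residency": 0.10, "behavior": 0.20,
}
ESCALATE_AT = 80  # FAQ: scores >= 80 trigger automated containment or escalation


@dataclass
class SystemFactors:
    """Independently observable inputs, each normalized to 0 (benign) .. 100 (worst)."""
    vendor_trust_inverse: float  # 100 = unvetted vendor, 0 = approved vendor
    data_sensitivity: float      # 100 = regulated data observed in prompts
    department_exposure: float   # 100 = highly exposed department (e.g. finance, HR)
    trains_on_input: float       # 100 = vendor trains on customer input
    region_risk: float           # 100 = data leaves the permitted residency region
    anomaly_score: float         # 100 = strongly anomalous usage behaviour


def clamp(lo, hi, x):
    return max(lo, min(hi, x))


def risk_breakdown(f: SystemFactors, weights=DEFAULT_WEIGHTS) -> dict:
    """Per-factor weighted contributions, so a policy owner can explain the score."""
    factors = {
        "vendor": f.vendor_trust_inverse, "sensitivity": f.data_sensitivity,
        "department": f.department_exposure, "training": f.trains_on_input,
        "residency": f.region_risk, "behavior": f.anomaly_score,
    }
    for name, value in factors.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be in 0..100, got {value}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    return {name: weights[name] * value for name, value in factors.items()}


def risk_score(f: SystemFactors, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted linear combination, clamped to 0..100 exactly as in the formula above."""
    return clamp(0, 100, sum(risk_breakdown(f, weights).values()))


def disposition(score: float) -> str:
    """Map a score to the action the FAQ describes for the >= 80 band."""
    return "escalate" if score >= ESCALATE_AT else "monitor"
```

The breakdown dict is the artifact to log alongside the score: it shows an auditor which factor drove the decision and which weight profile was in force.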

5. A 90-day rollout plan

  1. Days 1–14: Baseline discovery

     Deploy passive collectors. Do not enforce. Goal: a complete AI-BOM with first-pass risk scores.

  2. Days 15–30: Policy authoring (dry-run)

     Write policies for the top-decile risk systems. Run in observe-only mode and tune for false positives.

  3. Days 31–60: Graduated enforcement

     Promote dry-run policies to enforce. Stand up escalation workflows and the SOC alert feed.

  4. Days 61–90: Evidence & attestation

     Generate the first quarterly control-coverage export. Walk through it with your auditor or AI risk committee.

Frequently asked questions

What is an AI governance framework?

An AI governance framework is the set of policies, controls, roles, and technical safeguards an organization uses to discover, evaluate, approve, monitor, and retire AI systems — including third-party tools accessed by employees (shadow AI). It maps risk decisions to recognized standards such as NIST AI RMF 1.0, ISO/IEC 42001, and the EU AI Act so that governance evidence is auditable and defensible.

How does NIST AI RMF relate to ISO/IEC 42001 and the EU AI Act?

NIST AI RMF is a voluntary US framework organized around four functions: Govern, Map, Measure, Manage. ISO/IEC 42001 is the first certifiable AI management system standard and aligns closely with Govern/Map. The EU AI Act is binding regulation that classifies AI systems by risk tier (minimal, limited, high, unacceptable) and prescribes obligations for high-risk and general-purpose AI. A mature program operates one control set and maps evidence to all three.

What controls cover shadow AI specifically?

Shadow AI controls fall under NIST AI RMF MAP-1 and MEASURE-2 (inventory + characterization), ISO/IEC 42001 clauses 6.1.4 and 8.3 (AI risk treatment and operational controls), and EU AI Act Article 9 (risk management) and Article 12 (logging). Operationally that means continuous discovery, per-tool risk scoring, data sensitivity classification on prompts, and immutable audit logs.

How should risk be scored for AI tools?

Use a weighted multi-factor model on a 0–100 scale. ShadowAI Sentinel combines vendor trust, data sensitivity, department exposure, training-on-input posture, region/residency, and behavioral anomalies. Each factor is independently tunable so policy owners can defend the score to auditors. Scores ≥80 should trigger automated containment or escalation.

What evidence do auditors expect for an AI governance program?

Auditors expect a current AI inventory (AI-BOM), documented risk assessments per system, written policies with version history, enforcement logs (allow/block/redact decisions), incident records with escalation timelines, and a control coverage report mapping every artifact to the relevant SOC 2, ISO 42001, and EU AI Act clauses.

Where do I start if I have no AI program today?

Start with discovery — you cannot govern what you cannot see. Deploy passive discovery (network, browser, identity) for two weeks to build a baseline AI-BOM, classify each system by risk tier, then write policies for the top decile of risk before broadening enforcement. Pair every policy with a dry-run period and an escalation workflow.

Put the framework into production

ShadowAI Sentinel ships the discovery, scoring, policy, and evidence pipeline described above out of the box. Open the dashboard to see live data, or pick a deployment tier that matches your environment.