Governance & guardrails

AI governance

AI governance is what keeps AI adoption from getting ahead of your ability to stand behind it. This is the hub: the plain definition, what it covers, the frameworks that matter, and links to the pages that go deep on each.

What AI governance covers

Strip away the framework branding and it is a short list of things every program needs:

  • Accountability. A named owner, and a policy your people can actually follow.
  • An inventory. Every AI system and vendor tool, including the ones a department signed up for without telling IT.
  • Risk tiering. More scrutiny on a model that affects a decision about a person, less on an internal drafting tool.
  • Controls. Access rules, data boundaries, and human oversight sized to the risk.
  • Monitoring. Watching systems in production for drift, misuse, and incidents, and a plan for when one happens.

That is the whole shape. The reason it is hard is not the list; it is doing it in a company that already has real systems, real vendors, and real pressure to ship. Surveys keep finding the same gap: most organizations have an AI policy, far fewer have incident playbooks or named roles behind it.

The frameworks that matter

You do not invent governance from scratch. Three named frameworks carry the field, and they were built to interoperate:

  • The NIST AI RMF is a voluntary US framework built on four functions (Govern, Map, Measure, Manage). It gives you a method and a vocabulary, with no certificate.
  • ISO/IEC 42001 is the certifiable international standard for an AI management system, for when a customer or regulator wants third-party proof.
  • The EU AI Act is binding law with deadlines, for any AI whose reach touches the EU market.

You do not pick one. You build one set of controls and map it to whichever of the three you have to answer to. We put all three side by side, capability by capability, in our AI compliance framework crosswalk, and worked the cost question honestly in our ISO 42001 certification cost guide.

Where a normal company starts

Not with a committee and a 40-page policy. With an inventory and a first risk tiering: list what you are running, decide what actually needs controls, and fix the biggest gaps first. Everything else builds on that. If you want a running start, our ISO 42001 checklist is ungated, and the fixed-scope version done for you is the AI risk assessment.

One line of hygiene: this page is general information, not legal advice. For obligations that apply to your specific systems, talk to counsel.

Questions people ask

What is AI governance in simple terms?
The rules and controls that decide how your company uses AI: who is allowed to use what, on which data, with what oversight, and who is accountable when something goes wrong. It is the difference between "we have AI everywhere" and "we know where our AI is and can stand behind it."
What are the pillars of AI governance?
Different frameworks number them differently, but they converge on the same handful: accountability (a named owner), a policy people can follow, an inventory of your AI systems, risk-based controls, human oversight, transparency, and ongoing monitoring. Chasing a specific pillar count matters less than covering all of them.
Who should own AI governance in a company?
It is cross-functional (legal, risk, compliance, security, and the business all have a stake) but someone has to be accountable, usually a named executive or a small committee with a clear charter. Governance that belongs to everyone belongs to no one; that is the most common way it stalls.
Is AI governance the same as AI compliance?
Related, not identical. Governance is the whole system of rules and oversight you run by choice. Compliance is the slice that answers to specific laws and standards you have to meet. Good governance makes compliance cheaper, because you built most of it once.

Tell us about the work.

A few lines is enough. We read every enquiry ourselves and reply within one business day.