Framework: 10 domains, 80 controls
Our proprietary framework maps the AI Act, ISO 42001 and NIST AI RMF into concrete, auditable controls.
- 10 domains
- 5 critical for readiness
- 80 controls in total
- ~38 mandatory
GOV: Governance & Accountability
Define roles, responsibilities and decision processes for AI.
★ Critical
Covers
- Owner for AI governance
- Approval processes for new AI tools
- Escalation paths and board reporting
Why it matters
Without clear accountability no governance works.
Example controls
- GOV-01 Formally assigned AI governance owner
- GOV-02 Defined tool approval process
- GOV-05 Escalation path for risky AI use cases
INV: AI Inventory & Visibility
Know which AI tools, systems and models are used in the company.
★ Critical
Covers
- AI Bill of Materials (AI-BOM)
- Approved vs. unapproved tools
- Shadow AI monitoring
Why it matters
You can't govern what you don't see.
Example controls
- INV-01 Current AI-BOM across the company
- INV-04 List of approved vs. unapproved tools
- INV-06 Shadow AI detection process
DAT: Data Governance for AI
Protect AI inputs and outputs — personal data, trade secrets, IP.
★ Critical
Covers
- Data classification for AI
- Rules for AI prompts
- Vendor localization and DPA
Why it matters
Most real incidents happen via data leakage into AI.
Example controls
- DAT-02 Policy for AI input data
- DAT-04 Personal data detection in prompts
- DAT-05 DPA and data localization at AI vendors
SEC: Security & Access Control
Ensure AI tools are integrated securely with access control.
★ Critical
Covers
- Enterprise versions with SSO
- Off-boarding and access revocation
- Admin controls and audit logs
Why it matters
Personal ChatGPT accounts don't distinguish you from a former employee.
Example controls
- SEC-01 Use of enterprise versions with company IDP
- SEC-03 Admin control over major tools
- SEC-04 Revocation of AI access on departure
USE: Responsible Use & Human Oversight
Define how people can and cannot use AI at work.
★ Critical
Covers
- Acceptable Use Policy for AI
- Human-in-the-loop for material outputs
- Prohibitions and restrictions
Why it matters
The AI Act explicitly requires human oversight for high-risk systems.
Example controls
- USE-01 AI Acceptable Use Policy
- USE-02 List of prohibited uses
- USE-03 Human review for material AI outputs
RSK: AI Risk Management
Assess and manage AI risk systematically, not ad hoc.
Covers
- AI risk register
- Classification of use case risk per AI Act
- Risk review cycle
Why it matters
The AI Act requires controls proportional to use case risk.
Example controls
- RSK-01 AI risk register with owners
- RSK-02 AI Act category classification
- RSK-04 Quarterly risk review
VEN: Vendor & Third-Party AI
Govern AI that comes in via vendors — platforms, SaaS, wrappers.
Covers
- Vendor AI questionnaire
- Sub-processor control
- Contract term reconciliation
Why it matters
Today's SaaS is tomorrow's AI stack — and you still own the data.
Example controls
- VEN-01 AI addendum in contracts
- VEN-03 List of AI sub-processors
- VEN-05 Regular review of vendor AI features
TRN: Training & Awareness
Ensure people know what they can and cannot do with AI.
Covers
- AI literacy training (AI Act requirement)
- Role-based training
- Onboarding element
Why it matters
AI Act article 4 — mandatory AI literacy since February 2025.
Example controls
- TRN-01 Annual AI literacy training
- TRN-02 Role-based training for AI developers
- TRN-04 AI Acceptable Use in onboarding
INC: Incident Response for AI
Be ready to respond to AI incidents — hallucinations, data leakage, compliance failure.
Covers
- AI incident playbook
- Notification duties
- Post-incident review
Why it matters
When an AI data leak happens, hours count — not days.
Example controls
- INC-01 Playbook for AI incidents
- INC-03 Notification to affected parties
- INC-05 Lessons learned register
DOC: Documentation & Evidence
Keep evidence you can show an auditor any day.
Covers
- Policy register
- Version-controlled evidence
- Audit trail
Why it matters
Auditors don't listen to stories, they want documents.
Example controls
- DOC-01 Central policy register
- DOC-03 Version history for AI policies
- DOC-05 Evidence log for mandatory controls