GOVERNANCE Owner: CISO / AI Governance Committee / Executive Leadership

AI Governance Controls

Establish the policies and human oversight required for safe AI adoption across the organization.

Framework Mapping

Controls from each source framework that map to this domain.

Framework        Mapped Controls
ISO 42001        Cl.5 Leadership; Cl.6 Planning; A.2 AI Policy; A.3 Internal Organization
NIST AI RMF      GV-1 Policies & Processes; GV-2 Accountability; GV-4 Org Culture; MG-1 Risk Management
OWASP LLM        LLM09 Misinformation (governance implications)
OWASP Agentic    ASI08 Compliance & Regulatory

Audit Checklist

Quick-reference checklist items grouped by control.

  • Policy document is current (reviewed within 12 months), approved by executive leadership, and published to an accessible location
  • Employee acknowledgment rate exceeds 95% across all departments
  • AI tool classification matrix is maintained and updated when new tools are evaluated
  • Technical enforcement controls (DLP, network blocks, SSO) are active and validated
  • Monthly governance reports are produced and reviewed by the AI governance committee
  • A standardized pre-deployment validation checklist exists and covers security, fairness, data governance, performance, and operational readiness
  • Every production AI deployment in the past 12 months has a completed checklist with all required sign-offs on file
  • Approval authority matrix is documented and assigns independent approvers per domain
  • CI/CD pipeline enforces the approval gate and blocks unapproved deployments
  • Exception deployments have documented joint approval and remediation plans completed within 30 days
  • A standardized self-assessment framework with defined maturity levels and scoring criteria is documented
  • At least two self-assessments have been completed in the past 12 months (or one plus a triggered assessment)
  • Assessment results include period-over-period trend analysis showing maturity direction
  • Remediation plans exist for all controls scoring below target maturity with assigned owners and dates
  • Executive leadership has received and acknowledged assessment results within 30 days of completion