4 Governance Pillars
- Visibility: Knowing what AI systems you operate, where they run, what data they touch, and whether you can see their activity. The foundation everything else depends on.
- Risk & Controls: Classifying AI systems by risk, applying proportionate controls, and ensuring regulatory compliance. Determines which governance requirements apply to each system.
- Operations: Running AI governance operationally: onboarding new systems through an intake gate, monitoring performance and drift, responding to incidents, and generating audit evidence.
- Security: Defending AI systems from adversarial attack, insider threat, supply chain compromise, and agentic privilege abuse. Security-forward and built for the adversarial AI threat landscape.
5-Level Maturity Model
| Level | Name | Characteristics | Audit posture |
|---|---|---|---|
| 1 | Initial | Ad hoc, no formal process | Cannot demonstrate control existence to auditors |
| 2 | Developing | Aware, some activity, inconsistent | Can demonstrate awareness, not consistent execution |
| 3 | Defined | Documented, repeatable, assigned ownership | Can demonstrate design and some operating effectiveness |
| 4 | Managed | Measured, monitored, evidence-based | Can demonstrate operating effectiveness with evidence samples |
| 5 | Optimized | Continuous improvement, proactive, integrated | Continuous audit-readiness; regulatory examination is a scheduled event, not a crisis |
14 Governance Domains
| # | Domain | Pillar | Controls |
|---|---|---|---|
| 01 | AI Asset Discovery | Visibility | 01.1–01.5 |
| 02 | Risk Classification | Risk & Controls | 02.1–02.5 |
| 03 | Controls & Enforcement | Risk & Controls | 03.1–03.6 |
| 04 | RAG & Vector Security | Security | 04.1–04.5 |
| 05 | Telemetry & Visibility | Visibility | 05.1–05.6 |
| 06 | Rapid Remediation | Operations | 06.1–06.6 |
| 07 | Regulatory Compliance | Risk & Controls | 07.1–07.5 |
| 08 | Audit Evidence | Operations | 08.1–08.6 |
| 09 | Insider Threat Controls | Security | 09.1–09.5 |
| 10 | AI Onboarding & Intake | Operations | 10.1–10.5 |
| 11 | Drift & Performance Monitoring | Operations | 11.1–11.5 |
| 12 | Red Teaming & Adversarial Testing | Security | 12.1–12.5 |
| 13 | Shift-Left AI Security | Security | 13.1–13.6 |
| 14 | Agentic AI Governance | Security | 14.1–14.5 |
Regulatory Crosswalk
| Regulation | Primary Domains | Key Obligations & Deadlines |
|---|---|---|
| EU AI Act | 02, 03, 06, 07, 08, 10, 11, 12, 13, 14 | High-risk classification (Art. 6), conformity assessment (Art. 9), serious incident reporting 72h (Art. 73). High-risk obligations: Aug 2026. |
| OCC / FFIEC | 06, 08, 10, 11 | Model risk management (SR 11-7 / OCC 2011-12), ongoing monitoring, 36-hour notification rule. |
| GDPR | 01, 04, 07, 09, 14 | DPIA (Art. 35), automated decision rights (Art. 22), breach notification 72h (Art. 33). |
| HIPAA | 04, 09, 11 | Technical safeguards (§164.312), workforce security (§164.308), AI models processing PHI. |
| NIST AI RMF | 01, 02, 03, 05, 08, 12, 13 | GOVERN, MAP, MEASURE, MANAGE across the AI lifecycle. |
| ISO 42001 | 02, 03, 07, 08, 10, 11 | AI management system: policy, risk treatment, operational controls, monitoring, management review. |
| CO SB205 / NYC LL144 | 02, 07, 11 | Algorithmic discrimination protections. NYC LL144 bias audits (effective Feb 2026). |
Free RAISE Maturity Assessment
- 70+ questions across all 14 domains
- Industry-weighted scoring
- Peer benchmarks included
- Regulatory exposure analysis
- Prioritized remediation roadmap
- Downloadable PDF report
