GOVERN
Owner: CISO / AI Governance Committee / Board
Organizational AI Governance
Establish organizational structure, policies, roles, accountability, and risk appetite for AI systems.
Framework Mapping
Controls from each source framework that map to this domain.
| Framework | Mapped Controls |
|---|---|
| ISO 42001 | Cl.5 Leadership; Cl.6 Planning; Cl.7 Support; A.2 AI Policy; A.3 Internal Organization |
| NIST AI RMF | GV-1 Policies; GV-2 Accountability; GV-3 Workforce DEIA; GV-4 Org Culture; GV-5 Stakeholders; GV-6 Supply Chain |
| OWASP | LLM05 Supply Chain; ASI04 Agentic Supply Chain |
Controls
7 controls across Tier 1 (essential) and Tier 2 (advanced).
| Control | Tier | Framework Mapping |
|---|---|---|
| AI Acceptable Use Policy | Tier 1 | ISO A.2; NIST GV-1 |
| AI Risk Appetite Statement | Tier 1 | ISO Clause 6; NIST GV-1 |
| Roles & Responsibilities Matrix | Tier 1 | ISO A.3; NIST GV-2 |
| Vendor/Model Evaluation Rubric | Tier 2 | ISO A.9; NIST GV-6 |
| AI Asset Inventory | Tier 1 | ISO A.4 |
| Enterprise LLM Use Policy | Tier 2 | ISO A.8; NIST GV-1 |
| AI Supply Chain Risk Management | Tier 2 | NIST GV-6; OWASP LLM05 |
Audit Checklist
Quick-reference checklist items grouped by control.
AI Acceptable Use Policy
- ☐ Policy document exists, is current (updated within 12 months), and includes all required sections
- ☐ Executive approval documented with signature and date
- ☐ Policy published to an accessible location with version control
- ☐ Training records show >90% completion for the target audience
- ☐ Exception process documented and at least one exception request on file (or rationale for zero exceptions)

AI Risk Appetite Statement
- ☐ Risk appetite statement exists and is current (within 12 months)
- ☐ Risk categories defined with low/medium/high thresholds and examples
- ☐ Approval authority matrix documented and aligned to risk levels
- ☐ At least 3 risk assessments on file demonstrating use of the rubric
- ☐ Evidence of annual review or board-level approval

Roles & Responsibilities Matrix
- ☐ RACI matrix exists covering all key governance activities
- ☐ Each activity has exactly one Accountable role assigned
- ☐ Escalation paths documented with timeframes
- ☐ Role descriptions include AI governance responsibilities in job descriptions or internal wikis
- ☐ Evidence of roles executing responsibilities (meeting minutes, approval records)

Vendor/Model Evaluation Rubric
- ☐ Rubric document exists with weighted criteria and scoring guidance
- ☐ All active AI vendors have completed evaluations on file
- ☐ Evaluations include required documentation (security questionnaire, compliance certs)
- ☐ Approval records show scores met thresholds or exceptions documented
- ☐ Re-evaluation schedule exists and shows at least one re-evaluation completed

AI Asset Inventory
- ☐ Inventory exists with all required fields populated for each asset
- ☐ Inventory updated within the last 90 days with evidence of review
- ☐ Discovery process documented and executed quarterly
- ☐ Asset owners assigned and have confirmed accuracy within the review period
- ☐ Decommissioned systems marked as such and archived appropriately

Enterprise LLM Use Policy
- ☐ LLM use policy exists and defines prohibited data types with examples
- ☐ Approved tools list published and accessible to all employees
- ☐ Training delivered to employees with >80% completion rate
- ☐ Technical controls (DLP, blocklists) implemented to enforce prohibited data rules
- ☐ Sample audit of recent work products shows compliance with citation/review requirements

AI Supply Chain Risk Management
- ☐ Dependency maps exist for all critical AI systems
- ☐ Vendors classified by risk tier with corresponding due diligence
- ☐ SBOMs or Model Cards collected for all in-scope models
- ☐ Contracts include incident notification and audit rights clauses
- ☐ Monitoring configured for vendor status and security advisories