| 1 | +control_family,control_id,description,eu_ai_act_anchor,nist_ai_rmf_anchor,iso_42001_anchor,financial_anchor,evidence_artifacts,control_owner,review_frequency |
| 2 | +Governance & accountability,AIGOV-01,Board-approved AI governance charter and accountability model,Governance/accountability obligations,Govern,Leadership & planning controls,SR 11-7 governance + SMCR,Board minutes|charter|RACI,CRO/CAIO,Quarterly |
| 3 | +Inventory & tiering,AIGOV-02,Enterprise inventory and risk tiering for all AI systems,Risk classification/high-risk scoping,Map,Context & risk assessment controls,PRA/FCA model inventory expectations,Inventory export|tier rationale logs,Model Risk,Monthly |
| 4 | +Data governance,AIGOV-03,Lawful basis and lineage for training/serving datasets,Logging/traceability dependencies,Map+Measure,Operational data controls,GDPR + MAS/HKMA data controls,DPIA|TIA|lineage graph,CDO/Privacy,Monthly |
| 5 | +Validation & challenge,AIGOV-04,Independent validation before high-risk deployment,Conformity/performance support obligations,Measure+Manage,Evaluation & monitoring controls,SR 11-7 independent validation,Validation report|challenger tests,Model Validation,Per release |
| 6 | +Explainability & oversight,AIGOV-05,Human oversight and adverse-action explainability controls,Human oversight/transparency,Govern+Manage,Human-in-the-loop controls,FCRA/ECOA + Consumer Duty,Explanation logs|override audit,Business Owner,Per release |
| 7 | +Monitoring & incident response,AIGOV-06,Continuous monitoring with incident escalation workflows,Post-market monitoring/incident handling,Measure+Manage,Incident handling and improvement,Operational resilience expectations,Incident timeline|postmortem|notifications,SRE/CISO,Continuous |
| 8 | +Third-party & GPAI,AIGOV-07,Supplier assurance and contractual auditability,GPAI provider/deployer dependencies,Govern+Map,External provider controls,Outsourcing/third-party risk guidance,Contracts|assessments|exit plan,TPRM,Quarterly |
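Review bot: the evidence_artifacts column (every data row, e.g. `Board minutes|charter|RACI`, `DPIA|TIA|lineage graph`) packs several values into one CSV field using `|` as an undocumented sub-delimiter, so anything that consumes this matrix has to know to split on it; either document the convention in the header line or an accompanying note, or split the list into one artifact per row keyed on control_id so the file stays strictly tabular. The anchor columns (eu_ai_act_anchor, nist_ai_rmf_anchor, iso_42001_anchor, financial_anchor) are descriptive phrases such as `Governance/accountability obligations` rather than citable references, which makes traceability to the named frameworks hard to verify in an audit; consider replacing or supplementing them with the specific clause, function or guidance identifier each control maps to. Minor: review_frequency mixes calendar cadences (`Monthly`, `Quarterly`) with event-driven ones (`Per release`, `Continuous`), so a consumer scheduling reviews will need a second field or a documented enumeration to treat the two kinds differently.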