Data Governance across three AI frameworks

// theme · data-governance

Data Governance

Training/validation/test data quality, bias, provenance, representativeness.

// Do once → satisfies all three

ONE dataset datasheet per training/validation/test set - source, licence, consent, representativeness, bias check, drift baseline.

Art.10 prescribes the substance; ISO A.7 demands the controls; NIST MAP/MEASURE want the evidence. A single datasheet is the artefact that proves all three.

ISO 42001

Annex A.7

NIST AI RMF

MAP 2.3 · MEASURE 2.10 · MEASURE 2.11

EU AI Act

Art.10

// Evidence auditors expect

✓ Dataset datasheet / data card (source, licence, consent, date)
✓ Bias and representativeness analysis per protected attribute
✓ Data-quality metrics (completeness, duplicates, label noise)
✓ PII inventory + lawful basis for training data

// Common pitfalls

⚠ Assuming 'we bought the data so it's fine' - EU Art.10 demands representativeness and bias examination regardless of source.
⚠ No record of training-data lineage when a regulator asks 12 months later.
⚠ Bias check only at launch, never re-run after retraining.

ISO 42001

Annex A.7 + A.4 require controls over data acquisition, quality and the resources used to train and run AI.

Annex A.4.3

Data resources

Document the data resources used by AI systems across the lifecycle.

Annex A.7.2

Data for development and enhancement

Manage the data used to develop and enhance AI systems across the lifecycle.

Annex A.7.3

Acquisition of data

Control how data is acquired for AI systems, including sourcing and legal basis.

Annex A.7.4