Governance & Accountability across ISO 42001, NIST AI RMF and the EU AI Act
// theme · governance
Governance & Accountability
Who owns AI risk, policies, roles, leadership commitment.
// Do once → satisfies all three
One AI Governance Charter naming an accountable executive, the AI policy, and a steering committee with a published RACI.
Leadership commitment, AI policy and assigned roles are the universal substrate every framework demands before any technical control matters.
ISO 42001
Cl.5.1 · Cl.5.2 · Cl.5.3 · Annex A.2 · Annex A.3
NIST AI RMF
GOVERN 1.1 · GOVERN 2.1 · GOVERN 2.3
EU AI Act
Art.17 · Art.26
// Evidence auditors expect
- ✓ Signed AI policy with version + owner
- ✓ RACI for AI roles (sponsor, product owner, model owner, risk, legal)
- ✓ Board / steering-committee minutes referencing AI risk
- ✓ Statement of Applicability (ISO Annex A) with justifications
// Common pitfalls
- ⚠ Treating ISO 42001 certification as EU AI Act compliance. ISO 42001 is not a harmonised standard under the Act, so certification is supporting evidence for the QMS (Art.17), not a presumption of conformity and not a legal defence.
- ⚠ AI policy that exists on paper but is not referenced by any project gate.
- ⚠ No named accountable executive - distributed ownership = no ownership.
ISO 42001
ISO 42001 makes governance an auditable management system: leadership commitment (Cl.5.1), AI policy (Cl.5.2), assigned roles (Cl.5.3), with top management reviewing the AIMS at planned intervals (Cl.9.3).
Clause 4.1
Understanding the organization and its context
Identify internal/external issues relevant to the AI Management System (AIMS) and the intended outcomes.
Clause 4.2
Needs and expectations of interested parties
Identify interested parties (users, regulators, affected persons) and their requirements.
Clause 4.3
Scope of the AI Management System
Define which AI systems, processes and units are inside the AIMS boundary.
Clause 4.4
AI Management System
Establish, implement, maintain and continually improve the AIMS and its processes.
Clause 5.1
Leadership and commitment
Top management demonstrates commitment to the AIMS and accountability for outcomes.
Clause 5.2
AI policy
Establish an AI policy aligned with strategy, signed off by top management.
Clause 5.3
Roles, responsibilities and authorities
Assign and communicate AI roles, including authority for AIMS conformance.
Clause 6.2
AI objectives and planning
Set measurable AI objectives consistent with the AI policy.
Clause 7.1
Resources
Provide resources needed to establish and run the AIMS.
Clause 7.3
Awareness
Workforce is aware of AI policy, their contribution and risks of non-conformance.
Clause 7.4
Communication
Internal and external communications regarding AIMS.
Clause 9.2
Internal audit
Plan and conduct internal audits of the AIMS at planned intervals.
Clause 9.3
Management review
Top management reviews AIMS suitability, adequacy and effectiveness.
Clause 10.1
Continual improvement
Continually improve suitability, adequacy and effectiveness of the AIMS.
Annex A.2.2
AI policy
Document, approve and communicate an AI policy that sets the organisation's intent for responsible AI.
Annex A.2.3
Alignment of AI policy
Align the AI policy with other organisational policies (privacy, security, quality, ethics).
Annex A.2.4
Review of the AI policy
Review the AI policy at planned intervals and after significant change to keep it suitable.
Annex A.3.2
AI roles and responsibilities
Define, assign and communicate roles, responsibilities and authorities for AI activities.
Annex A.3.3
Reporting of concerns
Provide a mechanism for personnel to raise concerns about AI systems without fear of reprisal.
Annex A.4.2
Resource documentation
Identify and document the resources (data, tooling, compute, people) needed for each AI system.
Annex A.4.4
Tooling resources
Document the tools used to develop, deploy and operate AI systems.
Annex A.6.1.2
Objectives for responsible development
Set objectives that guide responsible development of AI systems across the lifecycle.
Annex A.9.2
Processes for responsible use
Define processes for the responsible use of AI systems within the organisation.
Annex A.9.3
Objectives for responsible use
Set objectives for the responsible use of AI systems, aligned with the AI policy.
NIST AI RMF
NIST AI RMF concentrates governance in the GOVERN function - culture, accountability, training and workforce - as an organisational outcome rather than a certifiable system.
GOVERN 1.1
Legal & regulatory requirements understood and managed
Policies and procedures address legal, regulatory and risk requirements for AI.
GOVERN 1.2
Characteristics of trustworthy AI integrated
Trustworthy AI characteristics integrated into organisational policies.
GOVERN 2.1
Roles, responsibilities, lines of communication
Roles and responsibilities are documented and communicated.
GOVERN 2.2
AI risk management training
Personnel and partners receive AI risk management training so they can perform their duties consistent with policies, procedures and agreements.
GOVERN 2.3
Executive leadership accountability
Executive leadership takes responsibility for decisions about risks associated with AI system development and deployment.
GOVERN 4.1
Culture of critical thinking & safety
Foster culture that supports critical thinking and a safety-first mindset.
MAP 1.2
Interdisciplinary AI actors collaborate
Diverse teams (technical, domain, affected parties) participate.
EU AI Act
The EU AI Act assigns named legal duties to providers and deployers of high-risk AI (Art.16, Art.26) and mandates that providers operate a quality management system (Art.17).
Article 3
Definitions (AI system, provider, deployer)
Defines AI system, GPAI model, provider, deployer, distributor, importer.
Article 5
Prohibited AI practices
Bans manipulative or exploitative AI, social scoring, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, and most real-time remote biometric identification in public spaces for law enforcement.
Article 8
Compliance with high-risk requirements
High-risk AI systems must comply with the requirements of Chapter III, Section 2 (Art. 9–15): risk management, data governance, technical documentation, logging, transparency, human oversight, and accuracy, robustness and cybersecurity.
Article 16
Obligations of providers of high-risk AI
Providers must ensure compliance with Section 2, indicate their name and contact details on the system, operate a QMS, keep technical documentation and logs, complete conformity assessment, and register the system in the EU database.
Article 17
Quality management system
Providers document a QMS covering regulatory compliance strategy, design and development controls, testing and validation, data management, risk management, post-market monitoring and incident reporting.
Article 26
Obligations of deployers
Deployers use the system in line with the provider's instructions, assign human oversight to competent persons, monitor operation, and retain the automatically generated logs.
Article 99
Penalties
Fines up to €35M or 7% of worldwide annual turnover (whichever is higher) for prohibited practices; lower tiers apply to other obligations (€15M / 3%) and to supplying incorrect information (€7.5M / 1%).