Secure Controls Framework
Download The SCF

Artificial Intelligence Governance

Artificial intelligence governance is the set of people, processes, and controls an organization uses to develop, buy, and operate AI systems responsibly. Good governance keeps AI trustworthy, transparent, and accountable while managing the risks that come with automated and autonomous decision making. As generative AI and third-party AI features spread through the enterprise, AI governance has moved from a research topic to a board-level compliance obligation.

The challenge is that AI requirements are arriving from many directions at once, including the NIST AI Risk Management Framework, ISO/IEC 42001, the EU AI Act, and a growing set of US state laws. The Secure Controls Framework (SCF) addresses this with a dedicated Artificial Intelligence and Autonomous Technology (AAT) domain, so you can satisfy multiple AI obligations with one tailored control set instead of managing each framework on its own.

The Basics

What AI Governance Is and Why It Matters

AI governance is often confused with AI ethics. Ethics describes the principles an organization wants to uphold, such as fairness and transparency. Governance is how those principles become operational: documented policies, assigned accountability, technical controls, and evidence that the controls are working. Without governance, AI principles stay on a slide and never reach the systems making real decisions.

A complete AI governance program covers the full lifecycle of an AI system, from the data used to train it through the decisions it makes in production. Most frameworks expect you to address the same core areas:

  • Transparency and explainability, so people affected by an AI decision can understand how it was made

  • Fairness and bias management across the data and the model

  • Data provenance and privacy, including how training data was sourced and consented

  • Human oversight and the ability to intervene in or override an automated decision

  • Security of AI systems against manipulation, prompt injection, and model theft

  • Third-party and embedded AI risk, since much of your AI exposure arrives through vendors

  • Monitoring and incident response built specifically for AI behavior

Frameworks & Standards

The Core AI Governance Frameworks

Three frameworks anchor most AI governance programs today. They are complementary rather than competing, and mature programs draw on all of them. A fourth, focused on generative AI, is quickly becoming just as important.

NIST AI Risk Management Framework

A voluntary US framework released in January 2023. It organizes AI risk work into four functions: Govern, Map, Measure, and Manage. It is descriptive and flexible, which makes it a strong starting point for building internal AI risk practices.

Voluntary

US

4 Functions

ISO/IEC 42001:2023

The first international management system standard for artificial intelligence. It defines an AI Management System using the same Plan, Do, Check, Act structure as ISO 27001, and organizations can be certified against it. Choose this when you need an auditable, certifiable program.

Certifiable

International

AIMS

EU AI Act

The European Union's risk-based AI law. It sorts AI systems into tiers from unacceptable risk through minimal risk and places the heaviest obligations on high-risk systems. Its reach extends to organizations outside the EU that place AI systems on the EU market, and its requirements phase in over several years.

Regulation

Risk-Tiered

Extraterritorial

NIST Generative AI Profile

A companion profile to the AI RMF that focuses on the specific risks of generative AI. It helps teams apply the Govern, Map, Measure, and Manage functions to large language models and other generative systems.

GenAI

NIST

Companion

US Regulatory Landscape

AI Regulation Is Accelerating Across the Western US

There is no comprehensive federal AI law in the United States, so states are setting the pace, and much of the momentum sits in the West. Organizations in or serving California, Colorado, Utah, and neighboring states should track these laws closely, because they apply based on where your users are, not just where your company sits. Effective dates in this area keep shifting, so confirm the current status of any statute before you rely on it.

CA

California

The AI Transparency Act (SB 942) requires large AI platforms to offer content-detection tools and to label AI-generated content. The Generative AI Training Data Transparency Act (AB 2013) requires developers to publish documentation about their training data. These build on the CCPA and CPRA privacy rules that already cover automated decision making.

SB 942

AB 2013

CPRA

CO

Colorado

The Colorado AI Act (SB 24-205) was one of the first broad state AI laws, targeting high-risk AI used in consequential decisions. It was later revised by SB 26-189, which reshapes the requirements around automated decision-making technology and is set to take effect on January 1, 2027.

SB 24-205

ADMT

UT

Utah

The Utah Artificial Intelligence Policy Act (SB 149) took effect in 2024 and requires businesses in regulated fields to disclose when a consumer is interacting with generative AI rather than a person.

SB 149

Disclosure

Why This Matters Nationwide

Because these laws apply based on where the affected people are, a company anywhere in the country can fall under California or Colorado requirements. A control-based approach lets you meet the strictest applicable rule once, rather than rebuilding your program state by state.

The SCF Approach

One Control Set for Every AI Obligation

The SCF includes a domain built specifically for artificial intelligence. The Artificial Intelligence and Autonomous Technology (AAT) domain exists to ensure trustworthy and resilient AI and autonomous technologies that inform, advise, or simplify tasks while minimizing emergent properties and unintended consequences. It anchors on AAT-01, AI and Autonomous Technologies Governance, and connects to the domains you already use for governance, risk, privacy, and third-party management.

Because the SCF is a metaframework, its Set Theory Relationship Mapping (STRM) methodology lets one AAT-based control set align with the leading AI frameworks and regulations at the same time. Instead of running separate programs for the NIST AI RMF, ISO/IEC 42001, and emerging state laws, you tailor one set of SCF controls and map it across all of them.

  • A purpose-built AAT domain for AI and autonomous technology governance

  • Alignment with the NIST AI RMF, ISO/IEC 42001, and other recognized AI frameworks

  • Integration with the Governance, Risk Management, Data Privacy, and Third-Party Management domains

  • Transparent, defensible mappings through the NIST IR 8477 STRM methodology

  • Free to use under Creative Commons licensing, with no registration required

Implementation

How to Stand Up an AI Governance Program

An AI governance program follows the same discipline as any other control program. These five steps take you from scattered AI use to a governed, defensible capability.

01

Inventory Your AI

Build a register of every AI system in use, including models you build, tools you buy, and AI features embedded in vendor products. You cannot govern what you have not counted.

02

Define Scope and Obligations

Determine which laws, regulations, and frameworks apply, then risk-tier each AI system by its potential impact on people and the business.

03

Select and Tailor SCF Controls

Start with the AAT domain and its related controls, then separate the minimum compliance requirements from the discretionary controls your risk appetite calls for.

04

Assign Human Oversight

Establish an AI governance committee, name accountable owners, and define where a human must stay in the loop on automated decisions.

05

Monitor and Improve

Run bias and impact assessments, test models before and after deployment, prepare AI-specific incident response, and update controls as laws change using the SCF Living Control Set.

Continue Learning

Explore Related SCF Resources

Now that you have a foundation for AI governance, go deeper into the parts of the SCF that make it work.

01

SCF Domains & Principles

See all 33 SCF domains and their principles, including the AAT domain built for artificial intelligence.

02

Relationship Mapping (STRM)

Understand the NIST IR 8477 methodology that makes SCF control mappings transparent and defensible.

03

Included Laws & Frameworks

Browse every law, regulation, and framework mapped into the SCF, from NIST to ISO to state privacy laws.

04

Download the SCF

Get the full SCF as an Excel workbook, CSV, or OSCAL JSON. Free, with no registration required.