The Basics
What AI Governance Is and Why It Matters
AI governance is often confused with AI ethics. Ethics describes the principles an organization wants to uphold, such as fairness and transparency. Governance is how those principles become operational: documented policies, assigned accountability, technical controls, and evidence that the controls are working. Without governance, AI principles stay on a slide and never reach the systems making real decisions.
A complete AI governance program covers the full lifecycle of an AI system, from the data used to train it through the decisions it makes in production. Most frameworks expect you to address the same core areas:
Transparency and explainability, so people affected by an AI decision can understand how it was made
Fairness and bias management across the data and the model
Data provenance and privacy, including how training data was sourced and consented
Human oversight and the ability to intervene in or override an automated decision
Security of AI systems against manipulation, prompt injection, and model theft
Third-party and embedded AI risk, since much of your AI exposure arrives through vendors
Monitoring and incident response built specifically for AI behavior
Frameworks & Standards
The Core AI Governance Frameworks
Three frameworks anchor most AI governance programs today. They are complementary rather than competing, and mature programs draw on all of them. A fourth, focused on generative AI, is quickly becoming just as important.
NIST AI Risk Management Framework
A voluntary US framework released in January 2023. It organizes AI risk work into four functions: Govern, Map, Measure, and Manage. It is descriptive and flexible, which makes it a strong starting point for building internal AI risk practices.
ISO/IEC 42001:2023
The first international management system standard for artificial intelligence. It defines an AI Management System using the same Plan, Do, Check, Act structure as ISO 27001, and organizations can be certified against it. Choose this when you need an auditable, certifiable program.
EU AI Act
The European Union's risk-based AI law. It sorts AI systems into tiers from unacceptable risk through minimal risk and places the heaviest obligations on high-risk systems. Its reach extends to organizations outside the EU that place AI systems on the EU market, and its requirements phase in over several years.
NIST Generative AI Profile
A companion profile to the AI RMF that focuses on the specific risks of generative AI. It helps teams apply the Govern, Map, Measure, and Manage functions to large language models and other generative systems.
US Regulatory Landscape
AI Regulation Is Accelerating Across the Western US
There is no comprehensive federal AI law in the United States, so states are setting the pace, and much of the momentum sits in the West. Organizations in or serving California, Colorado, Utah, and neighboring states should track these laws closely, because they apply based on where your users are, not just where your company sits. Effective dates in this area keep shifting, so confirm the current status of any statute before you rely on it.
CA
California
The AI Transparency Act (SB 942) requires large AI platforms to offer content-detection tools and to label AI-generated content. The Generative AI Training Data Transparency Act (AB 2013) requires developers to publish documentation about their training data. These build on the CCPA and CPRA privacy rules that already cover automated decision making.
CO
Colorado
The Colorado AI Act (SB 24-205) was one of the first broad state AI laws, targeting high-risk AI used in consequential decisions. It was later revised by SB 26-189, which reshapes the requirements around automated decision-making technology and is set to take effect on January 1, 2027.
UT
Utah
The Utah Artificial Intelligence Policy Act (SB 149) took effect in 2024 and requires businesses in regulated fields to disclose when a consumer is interacting with generative AI rather than a person.
Why This Matters Nationwide
Because these laws apply based on where the affected people are, a company anywhere in the country can fall under California or Colorado requirements. A control-based approach lets you meet the strictest applicable rule once, rather than rebuilding your program state by state.
The SCF Approach
One Control Set for Every AI Obligation
The SCF includes a domain built specifically for artificial intelligence. The Artificial Intelligence and Autonomous Technology (AAT) domain exists to ensure trustworthy and resilient AI and autonomous technologies that inform, advise, or simplify tasks while minimizing emergent properties and unintended consequences. It anchors on AAT-01, AI and Autonomous Technologies Governance, and connects to the domains you already use for governance, risk, privacy, and third-party management.
Because the SCF is a metaframework, its Set Theory Relationship Mapping (STRM) methodology lets one AAT-based control set align with the leading AI frameworks and regulations at the same time. Instead of running separate programs for the NIST AI RMF, ISO/IEC 42001, and emerging state laws, you tailor one set of SCF controls and map it across all of them.
A purpose-built AAT domain for AI and autonomous technology governance
Alignment with the NIST AI RMF, ISO/IEC 42001, and other recognized AI frameworks
Integration with the Governance, Risk Management, Data Privacy, and Third-Party Management domains
Transparent, defensible mappings through the NIST IR 8477 STRM methodology
Free to use under Creative Commons licensing, with no registration required
Implementation
How to Stand Up an AI Governance Program
An AI governance program follows the same discipline as any other control program. These five steps take you from scattered AI use to a governed, defensible capability.
01
Inventory Your AI
Build a register of every AI system in use, including models you build, tools you buy, and AI features embedded in vendor products. You cannot govern what you have not counted.
02
Define Scope and Obligations
Determine which laws, regulations, and frameworks apply, then risk-tier each AI system by its potential impact on people and the business.
03
Select and Tailor SCF Controls
Start with the AAT domain and its related controls, then separate the minimum compliance requirements from the discretionary controls your risk appetite calls for.
04
Assign Human Oversight
Establish an AI governance committee, name accountable owners, and define where a human must stay in the loop on automated decisions.
05
Monitor and Improve
Run bias and impact assessments, test models before and after deployment, prepare AI-specific incident response, and update controls as laws change using the SCF Living Control Set.
Continue Learning
Explore Related SCF Resources
Now that you have a foundation for AI governance, go deeper into the parts of the SCF that make it work.
01
SCF Domains & Principles
See all 33 SCF domains and their principles, including the AAT domain built for artificial intelligence.
02
Relationship Mapping (STRM)
Understand the NIST IR 8477 methodology that makes SCF control mappings transparent and defensible.
03
Included Laws & Frameworks
Browse every law, regulation, and framework mapped into the SCF, from NIST to ISO to state privacy laws.
04
Download the SCF
Get the full SCF as an Excel workbook, CSV, or OSCAL JSON. Free, with no registration required.
.png)
%20(white).png)