Controls

The minimum controls required before an AI use-case is approved.

Use this section as a governance baseline. Each control maps to requirements in the EU AI Act, the NIST AI RMF, and ISO/IEC 42001.

Framework alignment

Controls are mapped to these recognized standards — the frameworks regulators and auditors expect.

EU AI Act

European regulation requiring risk classification, transparency, human oversight, and record-keeping for AI systems.


NIST AI RMF

US framework with four functions: Govern, Map, Measure, Manage — providing structure for AI risk management.


ISO/IEC 42001

International standard specifying requirements for AI management systems including risk, data, and operational controls.


Core controls

Data classification and zoning

Define green, amber, and red zones. Tie every AI use-case to a zone and deployment model.

EU AI Act Art. 10 (Data governance) · NIST RMF Map · ISO 42001 A.5.4

Private tenant or on-prem for confidential data

Keep client and regulated data only in environments with contractual retention limits, logging, and access controls.

EU AI Act Art. 15 (Robustness) · NIST RMF Manage · ISO 42001 A.6.2

Prompt security and DLP

Apply redaction, secret and token filtering, and automated blocking at the point of egress, before a prompt leaves your network.

EU AI Act Art. 9 (Risk management) · NIST RMF Manage 2.3 · ISO 42001 A.6.5

Audit logging and evidence

Log prompt, model, output, and reviewer decisions for each AI interaction.

EU AI Act Art. 12 (Record-keeping) · NIST RMF Govern 1.5 · ISO 42001 A.7.3
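The record-keeping control above is easiest to satisfy when the log itself is tamper-evident. The following is an added example written for this page, not code from the page or from any vendor: an append-only, hash-chained JSON Lines log in which each record stores the prompt, the exact model identifier, the output, and the reviewer's decision, plus the SHA-256 of the previous record. Editing or deleting any earlier entry breaks the chain, and `unreviewed()` lists interactions that still lack a human decision. The model ID, reviewer name, use-case name and prompts are constructed placeholders; holding records in memory and appending to write-once storage in production is an assumption, not a described product feature.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _canonical(record: dict) -> str:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


class EvidenceLog:
    """Append-only, hash-chained audit log of AI interactions and reviewer decisions.

    Each record carries prev_hash (hash of the record before it) and hash (SHA-256 of its
    own canonical JSON, computed before the hash field is added). Records are kept in
    memory here; in production each line would be appended to write-once storage as it
    is produced (assumption for this example).
    """

    def __init__(self, records=None):
        self.records = list(records or [])

    def _append(self, record: dict) -> dict:
        record = dict(record)
        record["prev_hash"] = self.records[-1]["hash"] if self.records else GENESIS
        record["hash"] = _sha256(_canonical(record))
        self.records.append(record)
        return record

    def log_interaction(self, interaction_id, use_case, zone, model, prompt, output, ts=None):
        """Record one prompt/response pair. `model` should be the exact version ID that was called."""
        return self._append({
            "type": "interaction",
            "id": interaction_id,
            "use_case": use_case,
            "zone": zone,
            "model": model,
            "prompt": prompt,
            "prompt_sha256": _sha256(prompt),
            "output": output,
            "output_sha256": _sha256(output),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
        })

    def log_review(self, interaction_id, reviewer, decision, note="", ts=None):
        """Record the accountable human's decision (for example approved / rejected) for an interaction."""
        return self._append({
            "type": "review",
            "id": interaction_id,
            "reviewer": reviewer,
            "decision": decision,
            "note": note,
            "ts": ts or datetime.now(timezone.utc).isoformat(),
        })

    def unreviewed(self) -> list:
        """Interaction IDs with no reviewer decision yet: output that must not reach production."""
        reviewed = {r["id"] for r in self.records if r["type"] == "review"}
        return [r["id"] for r in self.records if r["type"] == "interaction" and r["id"] not in reviewed]

    def verify(self) -> tuple:
        """Recompute the chain. Returns (True, -1), or (False, index of the first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("prev_hash") != prev or _sha256(_canonical(body)) != rec.get("hash"):
                return False, i
            prev = rec["hash"]
        return True, -1

    def to_jsonl(self) -> str:
        return "".join(_canonical(r) + "\n" for r in self.records)

    @classmethod
    def from_jsonl(cls, text: str) -> "EvidenceLog":
        return cls(json.loads(line) for line in text.splitlines() if line.strip())


def demo() -> "EvidenceLog":
    """Constructed sample: one interaction followed by one reviewer decision."""
    log = EvidenceLog()
    log.log_interaction(
        interaction_id="int-0001", use_case="contract-clause-summary", zone="amber",
        model="example-model-2024-06-01",  # placeholder model ID, not a real product
        prompt="Summarise the limitation-of-liability clause.",
        output="The clause caps liability at 12 months of fees.",
        ts="2024-06-03T09:14:00+00:00",
    )
    log.log_review("int-0001", reviewer="a.reviewer", decision="approved",
                   note="Checked against the source contract.", ts="2024-06-03T09:20:00+00:00")
    return log


if __name__ == "__main__":
    log = demo()
    print(log.to_jsonl())
    print("chain valid:", log.verify(), "unreviewed:", log.unreviewed())
```

Two design points: the prompt and output are stored in full, as the control requires, but their digests are also recorded so a reviewer can later prove that a given artefact is the one that was logged without re-reading the log; and the review is a separate chained record rather than an edit to the interaction, so the log never needs to be mutated after the fact.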

Model risk and change control

Require version control and documented approval before model updates or prompt template changes.

EU AI Act Art. 9 (Risk management) · NIST RMF Measure · ISO 42001 A.5.3

Human acceptance gates

No AI output is production-ready without accountable human signoff.

EU AI Act Art. 14 (Human oversight) · NIST RMF Govern 1.4 · ISO 42001 A.4.2

Best practices

Prompt templates only

Disallow free-form prompting for sensitive workflows. Use approved templates with redaction.

Zero secrets in prompts

Never paste API keys, tokens, certificates, or internal URLs into chat systems.
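The "Prompt security and DLP" control and the "Zero secrets in prompts" practice are both enforced by the same mechanism: a gate at the network edge that inspects each prompt before it leaves. The following is an added example written for this page, not code from the page or from any product. It combines the zoning control (a hypothetical policy of which deployment models each zone may use), pattern detectors for a few well-known secret formats and internal hostnames, and an entropy check that catches tokens of unknown format. Green and amber findings are redacted; red-zone prompts are blocked on any finding, and a private key is never auto-redacted. The detectors, zone policy, threshold and sample prompts are all constructed for illustration and should be tuned to your own estate.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Zone(str, Enum):
    GREEN = "green"   # public or non-sensitive
    AMBER = "amber"   # internal, non-regulated
    RED = "red"       # client or regulated data


class Deployment(str, Enum):
    PUBLIC_SAAS = "public_saas"
    PRIVATE_TENANT = "private_tenant"
    ON_PREM = "on_prem"


# Hypothetical zoning policy for this example: which deployment models each zone may use.
ALLOWED_DEPLOYMENTS = {
    Zone.GREEN: {Deployment.PUBLIC_SAAS, Deployment.PRIVATE_TENANT, Deployment.ON_PREM},
    Zone.AMBER: {Deployment.PRIVATE_TENANT, Deployment.ON_PREM},
    Zone.RED: {Deployment.PRIVATE_TENANT, Deployment.ON_PREM},
}

# Constructed detectors for common secret formats and internal hostnames; extend for your estate.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    "internal_url": re.compile(r"\bhttps?://[\w.-]*\.(?:internal|corp|local)\b[^\s\"']*"),
}
# Catch-all for unknown token formats: long runs of token characters with high Shannon entropy.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; English words and identifiers sit well below this


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(prompt: str) -> list:
    """Return (detector_name, matched_text) pairs found in the prompt."""
    findings = [(name, m.group(0)) for name, pat in SECRET_PATTERNS.items() for m in pat.finditer(prompt)]
    for m in CANDIDATE_TOKEN.finditer(prompt):
        token = m.group(0)
        already = any(token in text or text in token for _, text in findings)  # skip known-format hits
        if not already and shannon_entropy(token) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_string", token))
    return findings


@dataclass
class GateResult:
    action: str                 # "allow", "redact" or "block"
    prompt: str                 # what may leave the network; empty when blocked
    findings: list = field(default_factory=list)
    reason: str = ""


def gate(prompt: str, zone: Zone, deployment: Deployment) -> GateResult:
    """Egress decision for one prompt. Red-zone prompts block on any finding; private keys are never redacted."""
    if deployment not in ALLOWED_DEPLOYMENTS[zone]:
        return GateResult("block", "", [], f"{zone.value} data may not be sent to {deployment.value}")
    findings = scan(prompt)
    if not findings:
        return GateResult("allow", prompt, [], "no sensitive content detected")
    names = [name for name, _ in findings]
    if zone is Zone.RED or "private_key" in names:
        return GateResult("block", "", names, "sensitive content that must not be auto-redacted")
    redacted = prompt
    for name, text in sorted(findings, key=lambda f: len(f[1]), reverse=True):  # longest match first
        redacted = redacted.replace(text, f"[REDACTED:{name}]")
    return GateResult("redact", redacted, names, "secrets replaced before egress")


if __name__ == "__main__":
    # Constructed prompts; the key and token values are dummies, not real credentials.
    for text, zone, dep in [
        ("Summarise our Q3 roadmap", Zone.GREEN, Deployment.PUBLIC_SAAS),
        ("Call https://wiki.corp.internal/x with key AKIAABCDEFGHIJKLMNOP", Zone.AMBER, Deployment.PRIVATE_TENANT),
        ("Review this client clause", Zone.RED, Deployment.PUBLIC_SAAS),
    ]:
        r = gate(text, zone, dep)
        print(f"{zone.value:5} -> {dep.value:14} {r.action:6} {r.findings} {r.prompt!r}")
```

The entropy threshold is the knob that trades false positives for coverage: 4.0 bits per character on a 32-character run is a reasonable starting point, but a word-heavy corpus with long hex identifiers (commit SHAs, UUIDs) will need exclusions or a higher threshold. Blocking rather than redacting in the red zone is deliberate: a regulated prompt that contained a secret is evidence of a process failure that a human should see, not something to silently clean up.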

Proof before trust

Require test results and diff-based code review for every AI-generated change.

Control the tools

Agent tools must produce evidence for the file writes and test runs they claim, such as the resulting diff and the test runner's output. If a tool is unavailable or its evidence cannot be checked, treat the output as unverified.

Governance checklist

Use this checklist to verify minimum governance requirements are in place.

AI use-case registry with risk rating

EU AI Act Art. 9

Vendor risk assessment and contractual data restrictions

NIST RMF Govern 4

Retention policy aligned with regulatory requirements

EU AI Act Art. 12

Security review for any AI integrations

ISO 42001 A.6

Training and usage policy for staff

EU AI Act Art. 4

Incident response plan for AI failures

NIST RMF Manage 4

Separation of environments (dev/test/prod)

ISO 42001 A.6.2

Continuous monitoring of model outputs

EU AI Act Art. 9

Need help implementing these controls?

Use the Governance Pack for copy-ready policy templates, or start with the Decision Flow to classify your use-cases.