NS-AIGF v1.0
A proprietary, structured, and automation-ready approach to AI governance for organisations deploying, developing, or procuring AI in regulated and high-impact environments — replacing fragmented compliance efforts and aspirational governance with a single, evidence-based, board-ready model for continuous AI accountability.
For most of the past decade, organisations deploying AI have operated on a fundamentally flawed premise: that having an AI ethics policy, a responsible AI statement, and a risk committee that meets quarterly constitutes AI governance. It does not. It constitutes AI governance theatre — the appearance of accountability without the operational substance that accountability requires.
That world is over. The EU AI Act entered into force in August 2024. ISO/IEC 42001, the world's first AI Management System standard, was published in December 2023. Regulators across 40+ countries reference the NIST AI RMF. AI governance is no longer an ethical aspiration — it is a regulatory obligation.
NS-AIGF v1.0 was designed from first principles as a purpose-built AI governance architecture for this regulatory environment. Every control was designed through four lenses: specificity (one auditable requirement per control), regulatory alignment (specific article or clause mapping), evidence clarity (what adequate evidence looks like at L1–L5), and maturity differentiation (distinct criteria distinguishing ad hoc intent from automated, continuously validated governance).
Domain Weights & Coverage
60 controls across 7 weighted governance domains. Domain weights reflect EU AI Act enforcement priorities and ISO 42001 certification requirements — not arbitrary allocation. D2 Risk Classification carries the highest weight because getting AI risk classification right is the prerequisite for all other compliance obligations.
Framework Specification
NS-AIGF v1.0 replaces voluntary principles with 60 specific, auditable controls — each with control-specific maturity interpretations at every level of a 5-level maturity scale (300 interpretations in total), and simultaneous alignment to the EU AI Act, ISO/IEC 42001, and NIST AI RMF at the article and clause level.
Controls | 60 fully defined governance controls across 7 weighted domains — each addressing one auditable governance requirement with specific evidence standards at every maturity level. 300 control-specific interpretations eliminate assessor-dependent scoring.
Maturity Scale | L1 Initial (ad hoc, no structured evidence) → L2 Managed (manual, partially defined) → L3 Defined (standardised, repeatable — baseline for EU AI Act compliance and ISO 42001 certification readiness) → L4 Quantitative (automated, metrics-driven) → L5 Optimising (self-improving, predictive).
Framework Alignment | Every control maps simultaneously to all applicable frameworks at the specific article, clause, and function level: EU AI Act (Articles 9–14, 43, 50, 73) · ISO/IEC 42001 (§4–§10) · NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE functions). One control satisfies obligations across all three frameworks from a single evidence base.
ISO 42001 Pathway | Completing an NS-AIGF v1.0 assessment simultaneously completes a pre-certification readiness assessment. The ISO 42001 Readiness module maps domain scores directly to §4–§10 clauses and calculates a gap-to-certification score — the assessment IS the gap analysis. One improvement programme serves EU AI Act compliance, NIST AI RMF alignment, and ISO 42001 certification simultaneously.
Scoring Formula | Domain maturity score = mean of all in-scope control scores within the domain. Overall score = sum over domains of (domain score × domain weight). Priority Score = Gap × Domain Weight — a control in D2 with a 3-level gap scores 0.66; the same gap in D7 scores 0.24. The roadmap auto-sorts by Priority Score to direct governance investment where it reduces the most risk.
Assessment Tool | Eight interconnected modules: 20-question Scoping Module (auto-applies control applicability logic), 7 Domain Assessment Modules, auto-generated Board Report, Prioritisation Engine, Evidence Register (collection date, expiry date, owner, status), ISO 42001 Readiness module, and Assessment History for longitudinal maturity tracking across multiple cycles.
Delivery Model | Structured engagement delivering 60-control baseline assessment, domain maturity scores, board governance report, prioritised improvement roadmap, ISO 42001 readiness indicator, and regulatory evidence packages per framework. Continuous reassessment cadence recommended quarterly for high-priority controls.
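The Scoring Formula row above, carried through on a constructed assessment as an added example (this is not the NS-AIGF tool's own code). Assumptions: control scores are integers on the L1–L5 scale, controls scoped out by the Scoping Module are excluded from the domain mean, the gap is measured against a chosen target level (L4 here, so the page's 3-level gap is reproducible), and only D2 = 0.22 and D7 = 0.08 are implied by the page's 0.66 / 0.24 figures; the other five weights are placeholders chosen so all seven sum to 1.0.

```python
"""Scoring engine in the shape of the page's Scoring Formula row (added example,
not the NS-AIGF tool). Weights for D1 and D3-D6 are placeholders; D2 = 0.22 and
D7 = 0.08 are implied by the page's 0.66 / 0.24 figures for a 3-level gap."""
from statistics import mean

DOMAIN_WEIGHTS = {"D1": 0.14, "D2": 0.22, "D3": 0.14, "D4": 0.14,
                  "D5": 0.14, "D6": 0.14, "D7": 0.08}  # sums to 1.0

# Constructed assessment output, one record per control (not real results).
SAMPLE_CONTROLS = [
    {"id": "D1.1", "domain": "D1", "score": 3, "in_scope": True},
    {"id": "D2.1", "domain": "D2", "score": 1, "in_scope": True},
    {"id": "D2.2", "domain": "D2", "score": 3, "in_scope": True},
    {"id": "D2.3", "domain": "D2", "score": 0, "in_scope": False},  # scoped out
    {"id": "D3.1", "domain": "D3", "score": 2, "in_scope": True},
    {"id": "D4.1", "domain": "D4", "score": 4, "in_scope": True},
    {"id": "D5.1", "domain": "D5", "score": 2, "in_scope": True},
    {"id": "D6.1", "domain": "D6", "score": 3, "in_scope": True},
    {"id": "D7.1", "domain": "D7", "score": 1, "in_scope": True},
]

def domain_scores(controls):
    """Domain maturity = mean of the in-scope control scores in that domain."""
    by_domain = {}
    for c in controls:
        if c["in_scope"]:  # scoped-out controls never enter the mean
            by_domain.setdefault(c["domain"], []).append(c["score"])
    return {d: round(mean(s), 2) for d, s in by_domain.items()}

def overall_score(controls):
    """Overall = sum over domains of (domain score x domain weight)."""
    scores = domain_scores(controls)
    return round(sum(scores[d] * DOMAIN_WEIGHTS[d] for d in scores), 2)

def priority_roadmap(controls, target_level=4):
    """Priority = (target - current) x domain weight; highest first, id breaks ties."""
    rows = []
    for c in controls:
        if not c["in_scope"]:
            continue
        gap = max(0, target_level - c["score"])  # assumed: gap measured to target
        rows.append({"id": c["id"], "domain": c["domain"], "gap": gap,
                     "priority": round(gap * DOMAIN_WEIGHTS[c["domain"]], 2)})
    return sorted(rows, key=lambda r: (-r["priority"], r["id"]))

if __name__ == "__main__":
    print("overall maturity:", overall_score(SAMPLE_CONTROLS))
    for r in priority_roadmap(SAMPLE_CONTROLS):
        print(f"{r['id']} gap={r['gap']} priority={r['priority']:.2f}")
```

Note how a 2-level gap in a 0.14 domain (0.28) outranks a 3-level gap in D7 (0.24): the weighting, not the raw gap, decides roadmap order.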
The Operational Controls Principles Cannot Replace
The controls most consistently absent from enterprise AI governance programmes are not strategic — they are operational, technical, and specific. And they are the ones regulators are actively enforcing.
AI Inventory Ownership
A complete register of every AI system deployed, consumed, or integrated across the enterprise — with a named owner accountable for each system's governance compliance. Almost universally missing despite its fundamental importance. At L4, auto-updated through deployment pipeline integrations.
Prohibited Use Controls
Technical and procedural controls that actively prevent the 6 EU AI Act banned AI categories from reaching production — social scoring, real-time biometric surveillance, subliminal manipulation, emotional inference in workplaces. At L4, these controls are embedded in deployment pipelines and fire automatically.
Rollback Capability
When a model begins producing incorrect, biased, or harmful outputs in production, the organisation needs the ability to revert to a prior known-good version rapidly. Consistently one of the least mature and most consequential controls in initial assessments. The difference between L2 and L3 here could be the difference between a contained incident and a sustained public AI failure.
Shadow AI Detection
A significant proportion of AI usage in organisations with 100+ employees occurs without IT or governance awareness — ChatGPT, Copilot, Claude, and dozens of vertical-specific tools processing sensitive customer data, proprietary information, or regulated health records without DLP controls or audit trails. At L4, detection is continuous through CASB and network monitoring.
Data Drift Detection
Automated monitoring to detect when the statistical distribution of production data has drifted significantly from the training distribution — causing well-validated models to produce degraded, unreliable, or unsafe outputs silently over time. EU AI Act Art. 9 requires post-market monitoring. This is the technical mechanism through which that obligation is operationalised.
Prompt Injection Defence
OWASP LLM Top 10 #1 — consistently absent or immature in organisations deploying large language models. Prompt injection attacks override model instructions via malicious inputs, causing models to disclose confidential information, ignore safety guardrails, or perform actions outside their intended scope. At L4, automated testing is integrated into the deployment lifecycle.
AI Governance Maturity Assessment Tool
The delivery vehicle for NS-AIGF v1.0 — transforming a governance evaluation into a living management system. Eight interconnected modules automatically generate board-ready governance reporting, a prioritised improvement roadmap, ISO 42001 certification readiness indicators, and longitudinal maturity tracking across assessment cycles. The board report translates maturity scores into governance health narrative that audit committees can act on directly. The evidence register tracks every governance artifact with collection date, expiry date, owner, and status — transforming a week-long audit preparation exercise into a dashboard query. The governance programme generates management intelligence as a natural output of operations rather than as a separate, expensive reporting effort.