| Strategy, policy, legal obligations | Govern 1.1-1.2; Map 1.3 | 4.1, 5.2, 6.2, B.2.2, B.2.4 | Is AI policy tied to strategy, legal obligations, and risk appetite? |
| Risk appetite and treatment | Govern 1.3-1.5; Manage 1.2-1.3 | 6.1.1-6.1.4; 8.2-8.4; 9.3.3 | Which AI risks are accepted, mitigated, transferred, or avoided? |
| Accountability, roles, competence | Govern 2.1-2.3 | 5.1, 5.3, 7.1-7.4, 9.3, B.3.2 | Who owns AI decisions, evidence, escalation, and residual risk? |
| Inventory and resource readiness | Govern 1.6; Map 2.1 | B.4.2-B.4.6 | Do we know every material AI system, model, dataset, tool, and owner? |
| Context and impact assessment | Map 1.1; Map 3.1-3.3 | 6.1.4, 4.3, B.5.2-B.5.5 | Are intended use, impacted parties, and societal impacts documented? |
| Responsible design and oversight | Govern 3.2; Map 1.6; Map 3.5 | B.6.1.3, B.6.2.2, B.6.2.7, B.8.2 | Are human-AI roles, safeguards, and override paths explicit? |
| Data, provenance, TEVV | Map 2.3; Measure 2.1-2.5 | B.6.2.4, B.6.2.7, B.7.2-B.7.6 | Is the use case assurance-ready, not merely model-ready? |
| Monitoring, logs, incidents | Govern 4.3; Measure 2.4; Manage 4.1-4.3 | 9.1, B.6.2.6, B.6.2.8, B.8.3-B.8.5 | Are production telemetry, incident thresholds, and reporting channels in place? |
| Suppliers and model supply chain | Govern 6.1-6.2; Manage 3.1-3.2 | B.10.2-B.10.4, B.4.4, B.6.2.6 | Do vendor, model, data, and tooling risks meet our standard? |
| Improvement and corrective action | Measure 3.2; Manage 2.3; Manage 4.2 | 10.1, 10.2, 9.3.3 | Are lessons learned converting into control improvements? |