Learn

AI governance in plain English.

No jargon, no legalese. The ideas, the frameworks, and the words you need to hold your own in a buyer conversation or a board meeting. Written for leaders who do not have an InfoSec team.

Start here

AI governance in 10 minutes

AI governance is how your company decides, oversees, and documents the way it uses AI, so the use stays safe, legal, and trustworthy. It is not a product you buy. It is a small set of habits you can stand up in weeks.

Why it matters now: your customers, your insurers, and a growing list of regulators are starting to ask how you govern AI. The companies that can answer win deals and renew coverage. The ones that cannot create friction at exactly the wrong moment: during a security review or at renewal.

The good news for a mid-market firm: a basic program is five moving parts, not fifty. Get these five in place and you are ahead of most companies your size.

1. An owner. One named person accountable for AI governance.

2. An inventory. A living list of the AI tools and vendors you use.

3. A policy. A one-page acceptable use policy your staff has read.

4. A risk check. A short review before a new AI tool goes live.

5. Evidence. One place that holds the proof a buyer would ask for.

Frameworks

The frameworks, without the acronym soup

Buyers and auditors name these constantly. Here is what each one is, who needs it, and the single thing to remember. They overlap more than they compete.

NIST AI RMF (voluntary framework)

What it is: A free US framework built on four jobs: govern, map, measure, manage.
Who needs it: Anyone who wants a sensible way to organize AI governance. No certificate involved.
Remember: It is the common language. Use it to structure your program and show your work.

ISO 42001 (certifiable standard)

What it is: The first international AI management system standard, certifiable through an independent audit.
Who needs it: Companies whose buyers want proof, not promises, that AI governance is real and repeatable.
Remember: This is the bar to build toward when a buyer asks for a certificate.

EU AI Act (regulation)

What it is: A risk-based EU law. A provisional agreement would move high-risk obligations to December 2, 2027, pending formal adoption.
Who needs it: Firms with EU customers or operations, or AI used in regulated, high-risk areas.
Remember: Find out whether any of your AI is high-risk. That answer drives everything else.

SOC 2 (audited report)

What it is: A US audit report on how you handle security and trust. The de facto enterprise trust bar.
Who needs it: Anyone selling to enterprise buyers. AI questions are increasingly folded into the same review.
Remember: If you already do SOC 2, AI governance is the next column buyers add to the questionnaire.

NIST CSF (voluntary framework)

What it is: A widely used cybersecurity framework that predates the AI ones and often sits underneath them.
Who needs it: Most firms use it as the security backbone buyers expect before they even ask about AI.
Remember: Good security hygiene makes AI governance far easier. They reinforce each other.

Glossary

Plain-English glossary

The terms that show up in security questionnaires and board decks, defined the way you would explain them to a colleague.

AI governance
How a company decides, oversees, and documents its use of AI so it stays safe, legal, and trustworthy.
AI inventory
A living list of the AI tools and systems you use, who owns each, and what data they touch.
Shadow AI
AI tools employees use without approval or oversight, often free consumer apps.
High-risk AI
Under the EU AI Act, AI used in sensitive areas like hiring, credit, or insurance that carries extra duties.
Acceptable use policy
A short document telling staff what they can and cannot do with AI tools.
Human in the loop
Keeping a person in charge of reviewing or approving important AI-assisted decisions.
Data classification
Sorting your data by sensitivity so you know what can and cannot go into AI tools.
Sub-processor
A company your AI vendor relies on in turn. Their access is part of your risk.
AI impact assessment
A short review of what could go wrong before you put an AI use case live.
Trust center
A public page where you show buyers your security and governance posture so they can self-serve.

See where you stand

Now that the words make sense, find out how your own AI governance looks, from the outside and the inside.