AI Governance Frameworks
A practical, comparative guide to the major global AI governance frameworks — what they cover, how they differ, and how organisations can combine them to build defensible, ethics-led AI programmes.
1. What is AI governance?
AI governance is the system of laws, policies, standards, technical controls and oversight mechanisms that determine how artificial intelligence is developed, deployed and monitored. It sits at the intersection of law, ethics and engineering, and exists to make AI systems safe, fair, accountable, transparent and aligned with fundamental rights.
Strong AI governance protects people from harm, gives organisations a defensible basis for deploying AI at scale, and helps regulators, investors and the public trust the technology.
2. What is an AI governance framework?
An AI governance framework packages governance principles into a structured set of requirements an organisation can implement. A useful framework typically combines:
- Principles — fairness, transparency, accountability, human oversight, safety, privacy.
- Risk classification — how to categorise AI use cases by potential harm.
- Lifecycle controls — data governance, model evaluation, documentation, monitoring, incident response.
- Roles and accountability — who is responsible for what across business, legal, data science and security teams.
- Audit and assurance — evidence that obligations are being met.
3. The EU AI Act
The EU AI Act is the world's first comprehensive, horizontal binding regulation of AI. It applies extraterritorially to any provider or deployer placing AI systems on the EU market or whose output is used in the EU.
It takes a risk-based approach:
- Unacceptable risk — prohibited practices (e.g. social scoring, certain real-time biometric identification).
- High risk — strict obligations around risk management, data quality, documentation, human oversight, accuracy, robustness and cybersecurity.
- Limited risk — transparency duties (e.g. labelling AI-generated content, disclosing chatbot interactions).
- Minimal risk — largely unregulated, with voluntary codes encouraged.
General-purpose AI (GPAI) models carry their own tier of obligations, with heavier duties for models that present systemic risk.
4. NIST AI Risk Management Framework
The U.S. National Institute of Standards and Technology's AI Risk Management Framework (AI RMF) is voluntary, operational and widely adopted internationally. It structures AI risk management around four functions:
- Govern — culture, policies, accountability, roles.
- Map — context, stakeholders, intended and unintended uses.
- Measure — test, evaluate, validate and verify AI risk.
- Manage — prioritise and respond to risks across the lifecycle.
NIST's companion Generative AI Profile extends the framework with controls tailored to foundation and generative models.
5. UNESCO Recommendation on the Ethics of AI
Adopted by all 193 UNESCO Member States in 2021, the Recommendation is the most widely endorsed normative instrument on AI ethics. It grounds AI governance in human rights, human dignity, environmental sustainability and cultural diversity, and sets out eleven policy action areas — from data governance and gender equality to communication and information, and economy and labour.
Its Readiness Assessment Methodology (RAM) and Ethical Impact Assessment (EIA) give governments and organisations concrete tools to operationalise the principles.
6. OECD AI Principles & G7 Hiroshima Process
The OECD AI Principles (2019, updated 2024) were the first intergovernmental standard on AI and inform most national strategies. The G7 Hiroshima AI Process builds on them with a Code of Conduct for organisations developing advanced AI systems, covering risk identification, transparency reporting and information sharing.
7. ISO/IEC 42001 — AI management systems
ISO/IEC 42001 is the first certifiable management-system standard for AI, modelled on ISO 27001. It gives organisations a Plan-Do-Check-Act structure for building, operating and continually improving an AI Management System (AIMS) — and a way to evidence governance maturity to regulators, partners and customers.
8. Side-by-side comparison
| Framework | Type | Scope | Best for |
|---|---|---|---|
| EU AI Act | Binding law | EU market | Legal compliance, high-risk AI |
| NIST AI RMF | Voluntary standard | Global | Operational risk management |
| UNESCO Recommendation | Soft-law normative | 193 Member States | Ethics & human-rights baseline |
| OECD Principles / G7 | Intergovernmental | Global | Cross-border alignment |
| ISO/IEC 42001 | Certifiable standard | Organisational | Assurance & certification |
9. Building a strategic AI governance programme
For most organisations these frameworks are complementary, not competing. A robust programme typically:
- Anchors ethics in UNESCO and OECD principles.
- Uses NIST AI RMF to operationalise risk across the lifecycle.
- Maps binding legal obligations — the EU AI Act first, then sectoral and national laws.
- Adopts ISO/IEC 42001 to evidence the management system.
- Bakes documentation, human oversight and post-market monitoring into product processes.
Dr. Jon Truby, PhD, advises governments, regulators and global organisations on exactly this kind of integrated AI governance design. Explore the research and publications for deeper analysis, or get in touch to discuss your programme.
10. Frequently asked questions
What is AI governance?
AI governance is the system of laws, policies, standards and internal controls that direct how AI is designed, deployed and monitored so it is safe, fair, accountable and rights-respecting.
What is an AI governance framework?
A structured set of principles, risk-management processes and control requirements — such as the EU AI Act, NIST AI RMF or UNESCO Recommendation — used to govern AI across its lifecycle.
Which framework should we adopt?
Most organisations combine several: binding laws like the EU AI Act for legal compliance, NIST AI RMF for day-to-day risk management, UNESCO and OECD for ethical baselines, and ISO/IEC 42001 to evidence maturity.