AI Governance
Practical, standards-aligned guides for governing, assessing risk, and preparing for AI-related incidents across jurisdictions.
AI governance teams need a playbook that connects policy research, risk mitigation, emergency response, and cross-jurisdiction coordination; this page curates structures, checklists, and templates so practitioners keep AI ecosystems accountable while accelerating disciplined programs.
1) Foundations: What "good" looks like
Effective governance layers the NIST AI RMF, the Generative AI Profile, the OECD AI Principles, and ISO/IEC 23894 and 42001 to align lifecycle checkpoints and management controls with emergency doctrine when AI incidents escalate; map RMF functions on top, treat OECD principles as the charter, and use the profile for use-case guardrails.[1][2][10][5][6]
Policy to Practice: Run monthly joint reviews so policy, safety, and operations confirm RMF control changes include updated runbooks, communication cues, and resourcing before posture shifts.[5][6]
Quick-start checklist
- [ ] Governance charter approved by executive sponsor and aligned to OECD principles.[10]
- [ ] Enterprise risk register entry for each material AI system linked to RMF functions.[1]
- [ ] Model inventory with lineage, purpose, owner, and dependency tags for cascade analysis.[2]
- [ ] Data lineage documentation covering training, fine-tuning, and evaluation datasets.[1]
- [ ] Evaluation plan with quality, safety, and resilience thresholds by system criticality.[2]
- [ ] Incident playbook tied to NIMS/NRF activation protocols.[5][6]
- [ ] Disclosure plan covering regulators, partners, and public communications.[6]
2) Governance operating model (people, roles, RACI)
Anchor the operating model on a small core covering policy, legal, safety, security, operations, and communications, with policy leads aligning frameworks, legal managing obligations, security and safety governing technical controls, operations owning runbooks, and communications keeping partners informed.
| Activity | Policy Lead | Legal | Security & Safety | Operations | Communications |
|---|---|---|---|---|---|
| Model onboarding review | A | C | R | R | I |
| Change control for model updates | R | C | A | R | I |
| Incident escalation triage | C | R | A | R | C |
| Regulatory and public disclosure | C | A | C | I | R |
| Post-incident lessons learned | A | C | R | R | C |
RACI legend: R=Responsible, A=Accountable, C=Consulted, I=Informed; update when scope shifts.
3) Risk mapping & vulnerability assessment of critical societal systems
Anchor AI risk reviews to critical societal functions. Map NIST CSF 2.0 Identify and Govern outcomes to each AI-supported mission, then trace CISA National Critical Functions dependencies that could cascade if the system fails, cataloging assets, pathways, human handoffs, and integrations before rating likelihood and impact.[3][14]
- Identify the mission or service outcome and its supporting functions.
- Inventory AI use cases, models, data stores, interfaces, and tool flows.
- Map threats per component including adversarial misuse, error, and process failure.
- Evaluate likelihood and impact with NIST CSF tiers and note cascade potential via CISA NCF dependencies.[3][14]
- Select controls that reduce likelihood, detect anomalies, or limit blast radius, assign owners, and document residual risk with acceptance authority.
Checklist: Run this sweep quarterly to confirm risk treatments hold.
- [ ] Data poisoning detection and recovery safeguards validated through recent tests.[3]
- [ ] Model drift monitoring thresholds tuned to service-level objectives and retraining cadence.[2]
- [ ] Jailbreak and prompt injection exposure scanning performed against current abuse tactics.[2]
- [ ] Tool-use authorization logic hardened for high-risk actions and logged for audit.[3]
- [ ] Supply-chain integrity checks for models, datasets, and infrastructure images documented.[15]
- [ ] Content provenance gaps flagged, with fallbacks for manual verification in critical channels.[16]
- [ ] Access control and key management for orchestrators reviewed for least privilege.[3]
- [ ] Business continuity dependencies mapped for cross-sector partners via CISA NCF taxonomy.[14]
- [ ] Incident notification contacts validated with live confirmation drills.
- [ ] Third-party evaluation evidence (safety, bias, resilience) updated in the model inventory.[1]
4) Disaster preparedness & AI incident response (NIMS/NRF-aligned)
When an AI incident threatens public services or safety, fold response into the National Incident Management System (NIMS) and National Response Framework (NRF) and clarify how triggers escalate through the emergency operations center into Incident Command System (ICS) roles.[5][6]
ICS role alignment for AI incidents: Operations handles containment and rollback; Planning tracks model state and documentation; the Public Information Officer coordinates messaging on status and advisories; Legal confirms disclosure duties and regulator interactions; Safety monitors responder wellbeing and mitigation side effects.
AI Incident Annex outline
- Triggers: Activation thresholds such as anomaly scores, confirmed misuse, or external advisories.
- Roles: Named leads and backups for each ICS role plus governance liaisons.
- Communications and messaging: Notification matrices for agencies, partners, regulators, and press, plus approved statements, FAQs, and fact sheets.
- Technical triage: Checklist for isolating models, data, and tools while preserving evidence.
- Decision points and disclosures: Criteria for rollback, feature flags, notifications, and mutual aid, plus timelines with documentation for statutory and voluntary notices.
- Exercise cadence: Annual HSEEP-aligned drills validating assumptions and training needs.[7]
5) Scenario planning & tabletop exercises
Use Homeland Security Exercise and Evaluation Program (HSEEP) doctrine to keep AI tabletop exercises scoped, measurable, and repeatable alongside traditional hazards.[7]
Scenario 1: Content integrity crisis
- Objective: Stress-test detection, takedown, and counter-messaging for synthetic media during briefings.[7][14][16]
- MSEL: Bot amplification, deepfake briefing clip, partner authenticity inquiry.
- Injects: Forensic request on provenance gaps, platform legal notice, hotline surge.
- Evaluation: Verification time, message accuracy, escalation speed, provenance updates.
Scenario 2: Critical infrastructure assistive-AI misoperation
- Objective: Test that operations and security can halt an assistant that is misconfiguring energy setpoints.[3][5][14]
- MSEL: Spike in automated work orders, anomalous telemetry, emergency operations center alert.
- Injects: Vendor patch notice, conflicting human override, media outage question.
- Evaluation: Isolation speed, partner coordination, completeness of engineering review.
Scenario 3: Model update introduces unsafe tool use in emergency comms
- Objective: Ensure change control blocks risky tool permissions and that the communications team issues fast corrections.
- MSEL: Release note expanding integrations, post-release anomaly reports, citizen complaints.
- Injects: Legal compliance query, state partner confirmation request, analytics showing repeated misuse.
- Evaluation: Rollback execution, clarity of public correction, disclosure timing, regulatory documentation.
After-Action and Improvement Plan template
| Section | Prompt |
|---|---|
| Objectives | State objective and status (met, partial, unmet). |
| Insights | Note strengths, gaps, dependencies, and root causes. |
| Corrective actions | List task, owner, resources, deadline. |
| Validation plan | Specify follow-up test, method, timing.[7] |
6) Early-warning indicators & cascade risks
Pair leading and lagging indicators with dependency maps linked to the CISA National Critical Functions taxonomy.[14]
Leading indicators
- Model output anomalies or drift and fairness deltas exceed baselines for sensitive intents.[1][2]
- Provenance-missing media surges tied to your organization or mission.[16]
- Unexplained tool calls or lateral movement attempts logged in orchestrators.[3]
- Vendor vulnerability advisories affecting shared components.[15]
Lagging indicators
- Confirmed abuse pattern signatures in production environments.[2]
- Customer complaints or media and regulator inquiries about safety-critical advice.
- Repeated fallback to manual operations or emergency dispatch support.[5]
| Indicator or signal | Dependent critical function | Cascade mitigation |
|---|---|---|
| Provenance-missing media surge | Provide public safety information | Activate comms playbook and coordinate cross-jurisdiction PIOs.[14][16] |
| Tool-call anomalies against emergency systems | Manage emergency services | Coordinate operations and security for containment and notify mutual aid partners.[3][5] |
7) Cross-jurisdictional obligations at a glance
Track regulatory and ethical instruments to anticipate legal commitments and interoperability needs; the checklist highlights key jurisdictions.
- EU AI Act risk categories require mapping systems to prohibited, high, limited, or minimal risk, then sequencing conformity assessments, technical documentation, and post-market monitoring for staged deadlines.[4]
- Council of Europe AI Convention centers human rights, democracy, and rule of law, so embed impact assessments and oversight channels for member-state work.[12]
- OECD AI Principles offer interoperability language for transparency, accountability, and robustness to anchor multinational charters.[10]
- UNESCO Recommendation on the Ethics of AI reinforces cultural and societal values for education, cultural, and media partners.[18]
- United States landscape: Executive Order 14110 launched NIST safety workstreams but was rescinded in 2025; continue using the NIST AI RMF, Generative AI Profile, and sectoral guidance for continuity.[17][1][2]
This overview is not legal advice; verify timelines via the linked notices with counsel.
8) Information integrity & provenance
Deploy content provenance to protect trust in public communications and high-risk advisories using the C2PA Content Credentials specification, which embeds cryptographic attestations about creators, tools, and edits while supporting rapid verification without exposing sensitive metadata.[16] Pair provenance signals with CISA mis-, dis-, and malinformation playbooks to help partners validate assets.[19]
How to adopt Content Credentials
- Select a signing authority and configure key management with separation of duties for credential issuance.[16]
- Integrate signing into publishing workflows with automated export hooks.
- Provide verification training and UI cues so staff, partners, and the public understand signed outputs, and document exceptions with manual verification steps.
Content Credentials prove origin and modification history but not accuracy, so keep editorial review, fact checking, and rapid correction paths. Share the roadmap with local and state partners and point them to CISA's MDM toolkit for aligned messaging.[19]
9) Supply chain & model/infra dependencies
AI supply chains blend software, datasets, infrastructure, and expertise, so apply NIST SP 800-161 Cybersecurity Supply Chain Risk Management with NIST CSF 2.0 governance outcomes to classify vendors, validate provenance, monitor lifecycle health, and treat models, datasets, evaluation tooling, agents, plugins, and hosting as separate supply paths with distinct controls.[15][3]
Core controls:
- Require SBOMs or model cards plus dataset attestations covering licensing, privacy posture, and update cadence for every external component.[15]
- Segment hosting and enforce infrastructure-as-code baselines with integrity checks.[3]
- Track vendor incident history, escalation paths, and monitoring feeds for vulnerabilities and policy changes, including subcontractors.
Supplier due-diligence checklist:
- [ ] Criticality tier and fallback targets documented.[3]
- [ ] Assurance evidence mapped to RMF controls.[1][15]
- [ ] Access and logging aligned to zero trust architecture.[3]
- [ ] Contracts cover notification timelines, cooperation, and audit rights.
- [ ] Business continuity, disaster recovery, and security testing evidence reviewed.
- [ ] Subprocessor lists and vetting records current.
- [ ] Data residency, retention, and deletion commitments and regulatory attestations validated per jurisdiction.
- [ ] Performance and risk metrics feed vendor dashboards.
10) Translating technical risk into policy: brief template
Turn technical findings into actionable policy briefings that decision makers can absorb quickly. Pair qualitative insights with quantified risk statements so leadership can evaluate options without revisiting the technical deep dive.
Templates: Copy this outline into briefing documents so memos surface context, risk, and recommended action on a single page.
Policy brief outline
- Context: Summarize system scope, mission impact, and key obligations.[4][10][12][18]
- Risk statement: Describe the issue plainly with likelihood, impact, and affected stakeholders.[1][3]
- Options: List at least two actions with required resources, authority, and timing.
- Recommendation: Name the preferred option, rationale, and dependency on partners or frameworks.
- Costs and benefits: Quantify financial, operational, and reputational considerations.
- Timeline: Set milestones for immediate, near-term, and long-term work.
- Dependencies: Flag upstream or downstream systems, vendors, and agencies needing coordination.[14][15]
- References: Link to authoritative sources, risk registers, exercise findings, and annexes.
11) Metrics & maturity
Use a five-level rubric aligned to the NIST AI RMF functions to understand capability growth and escalation thresholds.[1]
| Level | Govern | Map | Measure | Manage | Escalation trigger |
|---|---|---|---|---|---|
| 1 - Ad hoc | Charter informal (<50% attendance) | Covers production models | Relies on reactive spot checks | Depends on ad hoc responders | Deployment without documented owner |
| 2 - Repeatable | Roles assigned but resourcing unstable (75% seats filled) | Logs lineage for high-risk systems | Automates drift alerts for priority models | Keeps a draft annex without drills | Monitoring gap beyond 30 days |
| 3 - Defined | Committee meets monthly and closes action logs | Spans lifecycle assets | Dashboards track leading indicators | Exercises the annex annually using HSEEP | Unresolved exercise findings beyond 90 days.[7] |
| 4 - Managed | Metrics feed enterprise risk reports | Links dependencies to CISA NCF partners | Reviews KPIs and KRIs weekly with auto escalation | Synchronizes playbooks with mutual aid partners | Repeated indicator breaches without mitigation plan.[14] |
| 5 - Optimized | Adapts policies from incident intelligence | Updates in near real time via DevOps | Predicts drift, abuse, and supply chain risk | Contributes lessons to national communities | Innovation risk outruns governance cadence and prompts strategic review.[11][13] |
12) Resources & exercises
Keep these resources in a shared workspace for coordinated programs and exercises.
- FEMA HSEEP doctrine, templates, and evaluation guides.[7]
- FEMA Continuity Guidance Circular aligning AI resilience with continuity requirements.[8]
- Cal OES Continuity Planning for state and local coordination expectations.[9]
- AI Incident Database cases informing risk libraries, tabletop injects, and escalation criteria.[11]
- NIST U.S. AI Safety Institute strategic vision and consortia outputs on evaluation benchmarks and measurement practices.[13]
References
[1] NIST. Artificial Intelligence Risk Management Framework (AI RMF 1.0). 2023. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
[2] NIST. AI RMF: Generative AI Profile (NIST.AI.600-1). 2024. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
[3] NIST. Cybersecurity Framework 2.0. 2024. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
[4] European Union. Artificial Intelligence Act (Regulation (EU) 2024/1689). 2024. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
[5] FEMA. National Incident Management System (NIMS). 2017. https://www.fema.gov/sites/default/files/2020-07/fema_nims_doctrine-2017.pdf
[6] FEMA/DHS. National Response Framework, 4th ed. 2019. https://www.jcs.mil/Portals/36/Documents/Doctrine/Interorganizational_Documents/nrf_4th_2019.pdf
[7] FEMA. Homeland Security Exercise and Evaluation Program (HSEEP) resources. 2025. https://www.fema.gov/emergency-managers/national-preparedness/exercises/hseep
[8] FEMA. Continuity Guidance Circular. 2018. https://www.iroquois.org/wp-content/uploads/2019/09/FEMA_Continuity_Guidance_Circular_2018.pdf
[9] Cal OES. Continuity Planning. n.d. https://www.caloes.ca.gov/office-of-the-director/operations/planning-preparedness-prevention/planning-preparedness/continuity-planning/
[10] OECD. OECD AI Principles (updated 2024). 2024. https://oecd.ai/en/ai-principles
[11] Responsible AI Collaborative. AI Incident Database. 2024. https://incidentdatabase.ai/
[12] Council of Europe. Framework Convention on AI (CETS No. 225). 2024. https://rm.coe.int/1680afae3c
[13] NIST. U.S. AI Safety Institute - Strategic Vision. 2024. https://www.nist.gov/document/aisi-strategic-vision-document
[14] CISA. National Critical Functions. 2024. https://www.cisa.gov/topics/risk-management/national-critical-functions
[15] NIST. SP 800-161r1 (upd.1) Cybersecurity Supply Chain Risk Management. 2024. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf
[16] C2PA. Technical Specification v2.2. 2025. https://spec.c2pa.org/specifications/specifications/2.2/specs/_attachments/C2PA_Specification.pdf
[17] NIST. EO 14110 page (note on rescission Jan 20, 2025). 2025. https://www.nist.gov/artificial-intelligence/executive-order-safe-secure-and-trustworthy-artificial-intelligence
[18] UNESCO. Recommendation on the Ethics of AI. 2024. https://www.unesco.org/en/articles/recommendation-ethics-artificial-intelligence
[19] CISA. Disinformation Stops With You (MDM resources). 2023. https://www.cisa.gov/resources-tools/resources/disinformation-stops-you-infographic-set