{
  "$schema": "https://www.slavin.ai/data/ai-governance-baseline-schema.json",
  "dataset": {
    "name": "AI Governance Minimum Baseline — 12 Controls",
    "version": "2026-06",
    "publisher": "Slavin AI (SLAtech LTD)",
    "publisherUrl": "https://www.slavin.ai/",
    "license": "CC-BY-4.0",
    "lastUpdated": "2026-06-14",
    "description": "Machine-readable list of the 12 minimum AI governance controls Slavin AI considers mandatory before deploying any AI system to production. Each control includes purpose, owner, evidence type, and mappings to NIST AI RMF 1.0, ISO/IEC 42001:2023, and EU AI Act Article references.",
    "audience": ["CISO", "AI Risk Lead", "AI Platform Team", "Compliance"],
    "methodology": "Derived from cross-mapping the 90 NIST AI RMF subcategories to the ISO/IEC 42001 management system controls and EU AI Act articles applicable to high-risk systems. The 12 controls chosen are the intersection: they appear in all three frameworks, and we have repeatedly found them missing in pre-deployment reviews of production systems."
  },
  "controls": [
    {
      "id": "GOV-01",
      "name": "Model Registry",
      "purpose": "Single authoritative inventory of every AI model in production with version, owner, training data hash, and approval status.",
      "owner": "AI Platform Team",
      "evidence": "Versioned registry entry with model card, training data hash, eval results, approval timestamp.",
      "nist_ai_rmf": ["GOVERN-1.5", "GOVERN-4.1", "MAP-2.2"],
      "iso_42001": ["A.6.2.4 Resource documentation"],
      "eu_ai_act": ["Article 11 Technical documentation"]
    },
    {
      "id": "GOV-02",
      "name": "Data Lineage",
      "purpose": "Full provenance of training and reference data: source, licence, transformations, retention.",
      "owner": "Data Engineering",
      "evidence": "Lineage graph or table; licence inventory; retention schedule.",
      "nist_ai_rmf": ["MAP-2.3", "MEASURE-2.10"],
      "iso_42001": ["A.7.4 Data quality"],
      "eu_ai_act": ["Article 10 Data and data governance"]
    },
    {
      "id": "GOV-03",
      "name": "Evaluation Harness",
      "purpose": "Automated quality, safety and fairness tests that run against a versioned golden set and continuously against production samples.",
      "owner": "AI Platform Team",
      "evidence": "Versioned eval suite; nightly run results; regression alerts.",
      "nist_ai_rmf": ["MEASURE-2.3", "MEASURE-2.5", "MEASURE-2.11"],
      "iso_42001": ["A.6.2.5 Verification and validation"],
      "eu_ai_act": ["Article 9 Risk management", "Article 15 Accuracy"]
    },
    {
      "id": "GOV-04",
      "name": "Human-in-the-Loop (HITL) for High-Stakes",
      "purpose": "Defined cases where an AI output cannot be acted on without a documented human review.",
      "owner": "Business Owner",
      "evidence": "List of HITL-required decisions; review logs; escalation SLA.",
      "nist_ai_rmf": ["GOVERN-1.6", "MANAGE-3.1"],
      "iso_42001": ["A.9.4 Human oversight"],
      "eu_ai_act": ["Article 14 Human oversight"]
    },
    {
      "id": "GOV-05",
      "name": "Audit Log",
      "purpose": "Tamper-evident log of every AI inference: input hash, model version, output, confidence, downstream action.",
      "owner": "AI Platform Team",
      "evidence": "Immutable log store; query interface; retention policy.",
      "nist_ai_rmf": ["MEASURE-2.8", "MANAGE-2.3"],
      "iso_42001": ["A.6.2.7 Operational records"],
      "eu_ai_act": ["Article 12 Record-keeping"]
    },
    {
      "id": "GOV-06",
      "name": "Incident Response",
      "purpose": "Defined runbook for AI-specific incidents: hallucination at scale, model degradation, data leak, abuse.",
      "owner": "Security + AI Platform",
      "evidence": "Runbook; severity matrix; tabletop exercise log.",
      "nist_ai_rmf": ["MANAGE-2.4", "MANAGE-4.3"],
      "iso_42001": ["A.8 Incident management"],
      "eu_ai_act": ["Article 62 Reporting of serious incidents"]
    },
    {
      "id": "GOV-07",
      "name": "Prompt and System-Prompt Versioning",
      "purpose": "Every production prompt template is version-controlled, reviewed, and tested before activation.",
      "owner": "AI Platform Team",
      "evidence": "Prompt repository; review record; change log linked to deployments.",
      "nist_ai_rmf": ["GOVERN-1.5", "MAP-4.1"],
      "iso_42001": ["A.6.2.4 Resource documentation"],
      "eu_ai_act": ["Article 11 Technical documentation"]
    },
    {
      "id": "GOV-08",
      "name": "Role-Based Access Control (RBAC) on AI Resources",
      "purpose": "Inference APIs, fine-tuning jobs, and model artifacts gated by least-privilege RBAC.",
      "owner": "Security",
      "evidence": "RBAC policy; periodic access review; audit of privileged calls.",
      "nist_ai_rmf": ["GOVERN-3.2", "MANAGE-3.2"],
      "iso_42001": ["A.7.2 Access management"],
      "eu_ai_act": ["Article 15 Cybersecurity"]
    },
    {
      "id": "GOV-09",
      "name": "PII Filtering and Redaction",
      "purpose": "Inbound prompts and outbound responses are scanned for PII; redaction or rejection enforced per policy.",
      "owner": "Privacy + AI Platform",
      "evidence": "Filter ruleset; redaction logs; false positive/negative metrics.",
      "nist_ai_rmf": ["MAP-2.3", "MEASURE-2.10"],
      "iso_42001": ["A.7.4 Data quality", "A.7.5 Data protection"],
      "eu_ai_act": ["Article 10 Data and data governance", "GDPR Article 25 Data protection by design"]
    },
    {
      "id": "GOV-10",
      "name": "Hallucination and Quality Monitoring",
      "purpose": "Production-traffic sampling with automated and human-rated quality scoring; alert on drift.",
      "owner": "AI Platform Team",
      "evidence": "Sampling configuration; quality dashboard; alert thresholds.",
      "nist_ai_rmf": ["MEASURE-2.3", "MEASURE-2.7"],
      "iso_42001": ["A.6.2.6 Monitoring"],
      "eu_ai_act": ["Article 15 Accuracy", "Article 17 Post-market monitoring"]
    },
    {
      "id": "GOV-11",
      "name": "Drift Detection",
      "purpose": "Statistical detection of shifts in the input or output distribution relative to the training baseline.",
      "owner": "AI Platform Team",
      "evidence": "Drift metric definitions; rolling computation; investigation log on breach.",
      "nist_ai_rmf": ["MEASURE-3.1", "MEASURE-3.3"],
      "iso_42001": ["A.6.2.6 Monitoring"],
      "eu_ai_act": ["Article 17 Post-market monitoring"]
    },
    {
      "id": "GOV-12",
      "name": "Rollback Procedure",
      "purpose": "Documented and tested procedure to revert to a prior model version or to a non-AI fallback within a defined SLA.",
      "owner": "AI Platform Team",
      "evidence": "Procedure document; rollback drill log; fallback decision criteria.",
      "nist_ai_rmf": ["MANAGE-2.4", "MANAGE-4.1"],
      "iso_42001": ["A.6.2.8 Continual improvement"],
      "eu_ai_act": ["Article 9 Risk management"]
    }
  ],
  "maturity_levels": {
    "description": "Five-level model for measuring overall AI governance maturity.",
    "levels": [
      { "level": 1, "name": "Ad-hoc", "description": "Controls exist informally; no documentation; no clear owner." },
      { "level": 2, "name": "Documented", "description": "Each control has a written policy and an owner; not consistently measured." },
      { "level": 3, "name": "Measured", "description": "Control performance is instrumented; metrics reviewed monthly; gaps tracked." },
      { "level": 4, "name": "Audited", "description": "Independent review (internal or external) verifies controls quarterly." },
      { "level": 5, "name": "Continuous", "description": "Automated enforcement; metrics fed back into roadmap; drift triggers re-baseline." }
    ]
  },
  "see_also": {
    "interactive_assessment": "https://www.slavin.ai/AI-Maturity-Assessment.aspx",
    "framework_writeup": "https://www.slavin.ai/AI-Governance.aspx",
    "eu_ai_act_checklist": "https://www.slavin.ai/EU-AI-Act-Checklist.aspx",
    "decision_framework": "https://www.slavin.ai/Article-Build-vs-Buy-AI.aspx"
  }
}
