AI governance lifecycle — GOVERN function and inventory

Primary statement

AI governance lifecycle per NIST AI RMF GOVERN-1 (policies, processes, procedures across MAP/MEASURE/MANAGE) + GOVERN-1.1 (legal/regulatory) + GOVERN-1.4 (risk management process) + GOVERN-1.5 (ongoing monitoring) + GOVERN-1.6 (AI inventory). Contributing frameworks beyond NIST AI RMF: EU AI Act + ISO 42001 + DPDPA + MeitY. The GOVERN function anchors AI governance.

Audit-fatigue payoff

A unified AI governance lifecycle — policies + regulatory tracking + risk management + monitoring + inventory — satisfies the AI governance requirements of all 5 contributing frameworks. The NIST AI RMF GOVERN-1.x subcategories form the canonical structure.

Strictness matrix

Scope
Scope: policies, processes, procedures, and practices ACROSS the organisation related to mapping, measuring, and managing AI risks. Full organisational scope.
Ceiling source: nist_ai_rmf:GOVERN-1
Rationale: NIST AI RMF GOVERN-1 organisation-wide scope is comprehensive.

Threshold
Threshold: mechanisms to INVENTORY AI systems across the organisation. Inventory is the operational threshold — without it, governance is theoretical.
Ceiling source: nist_ai_rmf:GOVERN-1.6
Rationale: NIST AI RMF GOVERN-1.6 inventory threshold is the audit-defensible qualifier.

Method
Method: AI risk management process (identification + analysis + evaluation + treatment + monitoring + communication) + legal/regulatory tracking (GOVERN-1.1) + ongoing monitoring (GOVERN-1.5) + AI inventory (GOVERN-1.6) including in-house + procured + third-party SaaS + EU AI Act QMS + ISO 42001 AIMS.
Ceiling source: nist_ai_rmf:GOVERN-1.4
Rationale: NIST AI RMF GOVERN-1.x is the canonical method anchor.

Frequency
Frequency: ongoing monitoring is continuous; periodic review at planned intervals (annual); inventory refresh is continuous through change management.
Ceiling source: nist_ai_rmf:GOVERN-1.5
Rationale: Continuous monitoring with annual review is the cadence.

Evidence
Evidence: AI governance policy + AI inventory + regulatory tracking + risk management process + monitoring records + periodic review minutes.
Ceiling source: nist_ai_rmf:GOVERN-1.6
Rationale: NIST AI RMF GOVERN-1.6 with inventory is comprehensive.

Auditor test pattern

Step 1: Inspect AI governance policy.
Step 2: Inspect AI inventory; verify coverage of in-house + procured + SaaS.
Step 3: Verify regulatory tracking.
Step 4: Verify risk management process.
Step 5: Inspect periodic review minutes.

Common findings

Common findings:
(1) AI inventory incomplete — SaaS AI not catalogued.
(2) Regulatory tracking ad-hoc.
(3) Risk management process not AI-specific.
(4) Periodic review absent.