Demo · sample data, not for production use

Control catalog

Controls organized by NIST AI RMF function. Each control declares which risk tier(s) must implement it and the ISO 42001 clause(s) it satisfies. The control bundle a use case must implement is derived from its tier.

GOVERN · 4 controls

A culture of risk management is cultivated and present.

  • AI-GV-1.1 · AI policy approved by senior leadership
    Tiers: 1, 2, 3

    A written AI use policy approved at the C-suite or board level, reviewed annually.

    GOVERN 1.1 · ISO 42001: 5.2, 5.3

  • AI-GV-1.2 · AI risk owner assigned per use case
    Tiers: 1, 2, 3

    Each registered use case has a named owner accountable for its risk posture.

    GOVERN 1.2 · ISO 42001: 5.3

  • AI-GV-2.1 · AI training delivered to operators and stewards
    Tiers: 1, 2

    Personnel with AI responsibilities have completed role-appropriate training in the last 12 months.

    GOVERN 2.1 · ISO 42001: 7.2, 7.3

  • AI-GV-3.1 · Pre-deployment review board approves Tier 1 systems
    Tiers: 1

    Tier 1 systems require AI Review Board sign-off before going live; minutes retained.

    GOVERN 3.1 · ISO 42001: 8.2, 8.3

MAP · 3 controls

Context is recognized and risks related to context are identified.

  • AI-MP-1.1 · Use case registered with intended purpose and stakeholders
    Tiers: 1, 2, 3

    Registry entry includes purpose, business owner, affected stakeholder groups, and data inputs.

    MAP 1.1 · ISO 42001: 6.1.2, 8.2

  • AI-MP-2.1 · Impact assessment documented
    Tiers: 1, 2

    Documented assessment of impact on individuals, groups, and the organization, including foreseeable misuse.

    MAP 2.1 · ISO 42001: 6.1.4

  • AI-MP-3.1 · Data lineage and provenance recorded
    Tiers: 1, 2

    Source datasets, licensing, collection method, and known biases of training/grounding data are documented.

    MAP 3.1 · ISO 42001: 7.5, 8.1

MEASURE · 4 controls

Identified risks are assessed, analyzed, or tracked.

  • AI-MS-1.1 · Validity and reliability metrics defined and tracked
    Tiers: 1, 2

    Documented accuracy/quality metrics with thresholds, monitored on a published cadence.

    MEASURE 1.1 · ISO 42001: 9.1

  • AI-MS-2.1 · Bias and fairness testing across protected groups
    Tiers: 1

    Disparate-impact testing across protected attributes performed prior to deployment and on a recurring basis.

    MEASURE 2.1 · ISO 42001: 6.1.4, 9.1

  • AI-MS-3.1 · Adversarial robustness testing
    Tiers: 1

    Red-team or adversarial evaluation against a documented threat model; findings tracked.

    MEASURE 3.1 · ISO 42001: 8.2

  • AI-MS-4.1 · Privacy and data-protection review completed
    Tiers: 1, 2

    DPIA or equivalent privacy review covering training data and prompts; signed off by the privacy lead.

    MEASURE 4.1 · ISO 42001: 6.1.4, 8.2

MANAGE · 4 controls

Risks are prioritized and acted upon based on a projected impact.

  • AI-MG-1.1 · Human override and contestability path
    Tiers: 1

    Affected individuals can contest an AI-driven decision; documented escalation path.

    MANAGE 1.1 · ISO 42001: 8.2, 10.2

  • AI-MG-2.1 · Production monitoring and drift detection
    Tiers: 1, 2

    Operational telemetry on input distribution, output rates, and quality metrics with alert thresholds.

    MANAGE 2.1 · ISO 42001: 9.1

  • AI-MG-3.1 · Incident response runbook for AI failures
    Tiers: 1, 2

    Documented procedure for hallucination, bias, leak, or downtime incidents; rehearsed annually.

    MANAGE 3.1 · ISO 42001: 10.2

  • AI-MG-4.1 · Decommissioning and rollback plan
    Tiers: 1

    Plan to disable, replace, or roll back the system; data retention/deletion specified.

    MANAGE 4.1 · ISO 42001: 8.2