The standards landscape
Three frameworks dominate enterprise AI governance: the EU AI Act, the NIST AI Risk Management Framework, and ISO/IEC 42001. They are complementary rather than competing: the AI Act is law; the NIST AI RMF is guidance; ISO/IEC 42001 is a management-system standard.
Banking-sector model risk frameworks (SR 11-7, PRA SS1/23) predate the AI era but apply to AI systems. Healthcare AI carries FDA and HHS-OCR overlays. Public-sector AI carries transparency expectations from the UK Algorithmic Transparency Standard and OECD AI Principles.
The operating model
An effective AI governance operating model has four moving parts: an AI Risk Committee accountable to the board, a control catalogue mapped to the applicable frameworks, an attestation cycle that captures evidence quarterly, and a reviewer rota that processes assurance reviews on a known cadence.
Without all four parts, the AI policy decays within two quarters and the model inventory drifts out of sync with what is actually deployed.
Documentation that wins review
Five artefacts pass first review reliably: model description with intended use and limitations; training and fine-tuning lineage; evaluation harness with regression behaviour over time; residual-risk register; and an operating runbook with kill-switch criteria.
Documentation is engineered, not authored. We write it alongside the code, in the same repository, so the version-control history doubles as the audit history.