Trusq

factual analysis · traceable to primary sources

Guide

Setting up an AI governance framework: from scattered rules to control

Adopted 2026-06-21 · ≈ 2 min read · Dirk Baaijen

The AI Act, the GDPR and standards such as ISO/IEC 42001 call not for scattered measures but for coherent governance. This guide lays out the building blocks — inventory, roles, policy, literacy, risk and rights assessment, monitoring — and how to start in proportion to your risk.

Short answer: AI governance is not a single measure but a coherent system: knowing which AI you use, who is responsible, which rules apply, how you assess risk and how you adjust. The AI Act prescribes the individual duties; standards such as ISO/IEC 42001 and the NIST AI RMF provide the structure to make them manageable. You don't have to start big — but you do have to start coherently.

Why a framework, not scattered actions

The obligations come from several directions at once: AI literacy (Art. 4), risk management (Art. 9), deployer duties (Art. 26), the fundamental-rights assessment (Art. 27), monitoring and incident reporting (Art. 72-73), plus the GDPR. Tackle them as separate projects and you get overlap, gaps and no overview. A framework reduces the duties to one set of processes and one line of accountability.

The building blocks

  1. Inventory. Map every AI system — including bought-in tools and generative assistants. See AI system inventory.
  2. Classification. Determine each system's regime: prohibited, high-risk, transparency-bound or minimal. The self-scan does this and cites the legal source for each outcome.
  3. Roles and ownership. Appoint someone accountable (the board, an AI officer or committee) and assign an owner per system. Without an owner every measure fades.
  4. Policy. Set clear rules: acceptable use, procurement, human oversight, handling of data and of generative AI.
  5. Literacy. Make sure those who work with AI understand the system — an applicable duty, and the basis for effective oversight.
  6. Risk and rights assessment. Combine the FRIA (where required) with a DPIA for personal data.
  7. Monitoring and incidents. Set up logging, periodic review and a reporting route for serious incidents.
  8. Lifecycle and suppliers. Ensure updates, retraining and contractual terms keep tracking the system — see AI in contracts.

Lean on an existing standard

You don't have to reinvent the wheel. ISO/IEC 42001 provides a certifiable management system (AIMS) with exactly this cycle; the NIST AI RMF orders risk management into govern, map, measure and manage. If you already run ISO 27001 for information security, you'll recognise the structure and can hook AI governance onto it rather than beside it.

Start in proportion

Match the weight to your risk. An SME with a few generative assistants needs a register, a use policy and literacy. An organisation that builds or deploys high-risk systems needs the full package. The order is always the same: first see what you have, then classify, then assign and assure.

Governance is not a document but a rhythm: inventory, assess, adjust, repeat. The organisation that sets that rhythm now faces no surprises at the next new rule — or the next supervisory question.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 4 (literacy), 9 (risk management), 26 (deployer), 27 (FRIA), 72-73 (monitoring and incidents).
  2. https://www.iso.org/standard/42001
    ISO/IEC 42001:2023 — certifiable management system for AI (AIMS), with a cycle of risk assessment, controls and improvement.
  3. https://www.nist.gov/itl/ai-risk-management-framework
    NIST AI Risk Management Framework: voluntary framework with the functions govern, map, measure and manage.

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.