Bharat NeuroTech

AI governance framework — a practical 2026 template for Indian enterprises

Six-layer AI governance framework — policy, roles, inventory, risk, controls, review — mapped to ISO 42001 and NIST AI RMF, with the 90-day build that actually ships.

By Dr. Nitnem Singh Sodhi · 8 min read
▸ ANSWER

An AI governance framework is the documented system of policies, roles, controls and review processes that determines how an organisation develops, procures and deploys AI. A practical 2026 framework for Indian enterprises has six layers: policy → roles → inventory → risk → controls → review. It is built to satisfy ISO 42001, the NIST AI RMF and India's DPDP/MeitY regime in a single artefact stack — because procurement teams, regulators and your own board will all ask for slightly different views of the same underlying system.

AI governance framework
The end-to-end management system covering who decides what about AI in an organisation, the policies they enforce, the controls operationalising those policies, and the review cadence that closes the loop. Distinct from ad-hoc AI ethics statements: a framework is operational, named and evidenced.
▸ TL;DR
  • Six layers: policy → roles → inventory → risk → controls → review. Skip any one and the framework collapses.
  • Map to ISO 42001 (the management-system standard), NIST AI RMF (the practice taxonomy), DPDP and MeitY advisories for Indian context.
  • Most enterprises do "policy" and "ethics" well, "inventory" and "review" badly. The middle layers are where the value lives.
  • A working framework can be built in 90 days. A perfect framework can't be built in 24 months.
  • Without a named Chief AI Officer or equivalent, the framework will not survive its first contact with a real product team.

The six layers in detail

Layer 1 — Policy

A board-ratified, one-page AI policy. States what AI may and may not be used for, the principles governing use (fairness, accountability, transparency, safety, privacy), and the authority structure. One page on purpose — longer policies don't get read. For the principle layer see our companion essay on the four principles of responsible AI.

Layer 2 — Roles

A named Chief AI Officer (or equivalent) accountable to the board. A cross-functional AI Council. A system-owner registry — one named individual per production AI system. DPO and CISO sit on the Council ex-officio. This layer is the one most often skipped; when it is, every decision escalates and nothing ships.

Layer 3 — Inventory

A living register of every AI system in the organisation — models in production, models in development, third-party AI in use (this is the one always under-counted), and shadow AI (employees using ChatGPT on their own). Without inventory, the rest of the framework is fiction.

Layer 4 — Risk

A repeatable AI risk assessment process. Twelve categories (accuracy, bias, privacy, security, misuse, transparency, explainability, robustness, third-party, environmental, oversight, societal) scored on likelihood × severity × detectability. See our AI risk assessment template.

Layer 5 — Controls

Each identified risk maps to at least one control. Controls are the implementation layer — bias tests, eval suites, model cards, HITL workflows, incident-response runbooks, third-party AI questionnaires. Every control must produce evidence that is dated and carries a named owner; a control without evidence is a statement of intent, not a control.

Layer 6 — Review

Quarterly AI Council review. Annual board-level review. Triggered review whenever regulation changes or a major incident occurs. The review layer is what converts the framework from documentation into a management system.

How the six layers map to ISO 42001 and NIST AI RMF

LAYER-TO-STANDARD MAPPING

Layer      ISO 42001 clause/control                               NIST AI RMF function
Policy     Clause 5 — Leadership; Annex A.2 — Policies            GOVERN
Roles      Clause 5.3 — Roles; Annex A.3 — Internal organisation  GOVERN
Inventory  Annex A.4 — Resources; A.5 — Impact assessment         MAP
Risk       Clause 6.1 — Risk; Annex A.6 — AI system impact        MAP + MEASURE
Controls   Annex A.7–A.10 — Operations                            MANAGE
Review     Clause 9 — Performance evaluation; Annex A.11          GOVERN (continuous)

The 90-day build

  1. Days 1–14: Policy drafted, board briefed, CAIO named.
  2. Days 15–30: AI Council convened. System-owner registry populated.
  3. Days 31–60: Inventory complete (including shadow AI surfacing). First risk assessments run on top 5 systems by impact.
  4. Days 61–80: Controls operationalised for high-risk systems. Evidence formats agreed.
  5. Days 81–90: First quarterly review held. Board sees first AI governance report. Framework is live.

What kills frameworks in practice

  • No CAIO equivalent. Without single-point accountability, every escalation diffuses.
  • Inventory left to "later". Without inventory, you cannot risk-assess; without risk assessment, controls are guessed.
  • Quarterly reviews that never happen. The framework dies the day the review slips.
  • Treating it as a compliance project. The CISO can host the framework; AI governance must be owned by a business leader who can make product trade-offs.
  • Buying a tool first. Tools come after roles, inventory and process. Tools without those produce inflated dashboards and false comfort.

The Indian-context additions

DPDP Act alignment, MeitY advisory tracking, NITI Aayog #AIForAll attestation, sectoral overlays (RBI for financial services, SEBI for market intermediaries, IRDAI for insurance) — these belong as a sub-layer under controls. Our policy engine auto-generates the Indian-context overlays from your sector input.

▸ FAQ

Frequently asked

What is an AI governance framework?
The end-to-end management system covering who decides what about AI in an organisation, the policies they enforce, the controls operationalising those policies, and the review cadence that closes the loop. Operational, named and evidenced — distinct from ad-hoc ethics statements.
What are the layers of an AI governance framework?
Six: policy, roles, inventory, risk, controls, review. Skip any layer and the framework collapses. Most enterprises do policy and ethics well but inventory and review badly — and that's where the value lives.
How long does it take to implement an AI governance framework?
A working framework can be built in 90 days using the six-layer template. A perfect framework can't be built in 24 months. Ship working, iterate.
Who owns AI governance in an organisation?
A named Chief AI Officer or equivalent, accountable to the board. Without single-point accountability, every escalation diffuses and the framework dies on first contact with a product team.
▸ NEXT STEP

Build your AI governance framework with Dr. Sodhi.

One hour with the Brain Doctor & Brand Doctor. We walk the six layers against your actual organisation and you leave with a 90-day rollout plan. ₹2,500/hour.

Dr. Nitnem Singh Sodhi is a Lead Auditor for ISO/IEC 42001, 27001 and 27701, accredited by ANSI/ABICB since March 2025.

— Bharat NeuroTech · /dr-sodhi