Governance Framework
Effective March 2026
ASI maintains a comprehensive ai governance framework that governs every AI system we operate — from our incident classification pipeline to our Control Effectiveness Scoring engine. We apply the same rigorous governance standards to our own systems that we use to evaluate the governance maturity of the organizations we assess. This document describes how we structure, manage, audit, and improve those systems.
Our ai governance framework is grounded in established international standards and adapted to the specific requirements of an AI-powered security intelligence organization. Our approach aligns with three primary frameworks:
The nist ai rmf (AI Risk Management Framework) provides our primary risk identification and mitigation structure, mapped across Govern, Map, Measure, and Manage functions.
iso 42001, the international standard for AI management systems, informs our governance structure, documentation practices, and continuous improvement processes.
The eu ai act shapes our approach to transparency, human oversight, and explainability requirements for AI systems that may affect European entities or organizations.
Our framework does not treat these standards as compliance checkboxes. They inform how we design governance controls from the ground up, applied by our team as operational practices rather than documentation exercises.
ASI's ai governance operates across three layers, each with distinct ownership, review cadences, and accountability mechanisms.
Every AI model in production has a corresponding model card documenting its purpose, training methodology, known limitations, input/output specifications, and performance benchmarks. System cards document end-to-end system behavior where models are composed into larger pipelines — such as our incident classification workflow. We maintain version control on all model artifacts and input/output logging for every production inference. No model is deployed without a completed model card reviewed by our methodology team.
Operational governance covers the day-to-day functioning of AI systems in production. Our analysts follow defined review cycles for model outputs, conduct anomaly monitoring against expected distribution patterns, and maintain documented human override protocols. When an analyst identifies an output that appears inconsistent with available evidence, they have both the authority and the obligation to flag, override, and escalate. Human oversight is a structural feature, not a discretionary option.
Strategic governance aligns AI capabilities with our organizational mission and values. Our ai ethics board function — operated by senior methodology and leadership staff — reviews proposed capability expansions, evaluates the implications of new model deployments, and ensures that the evolution of our AI systems remains consistent with our responsible ai commitments. Strategic governance includes annual reviews of this framework document and our ai principles, incorporating lessons from our operational experience and updates to applicable standards.
Data governance is the foundation of trustworthy AI. Every dataset that enters our systems is subject to provenance tracking, access controls, and documented lineage. We maintain records of where each data source originates, when it was collected, how it was processed, and which models or outputs it has influenced.
No personal data is used for model training. Our training datasets consist exclusively of publicly available information: disclosed AI security incident reports, published vulnerability disclosures, regulatory filings, and other open-source intelligence. Before any dataset is admitted to a training pipeline, it is reviewed for personal data contamination and processed through our anonymization verification workflow.
Our AI security incident database contains records of publicly disclosed incidents. Access to raw incident data is controlled and audited. Assessment data submitted through our readiness tools is handled under separate data governance controls — it is not used for model training, not shared with third parties for commercial purposes, and retained only for the periods documented in our Privacy Policy.
We maintain full data lineage documentation for our scoring pipeline. Any analyst or governance reviewer can trace a specific score component back to its underlying signals and source data. Access to production datasets is role-based, reviewed quarterly, and de-provisioned when no longer needed.
Every model deployed in production at ASI follows a defined lifecycle: inception, development, validation, deployment, monitoring, and — when necessary — retirement. No model bypasses any stage of this lifecycle. Our methodology team owns the model governance process end to end.
Every production model has a model card that documents: the model's intended purpose and use cases, the training data sources and preprocessing steps, known limitations and failure modes, performance benchmarks on held-out evaluation sets, fairness evaluation results, and the human oversight mechanisms that apply to its outputs. Model cards are updated with each version release and reviewed during our governance audit cycles.
Where models are composed into larger systems — such as our multi-stage incident classification pipeline — we maintain a system card that documents end-to-end system behavior, the interaction between model components, the points where human oversight intervenes, and the aggregate performance characteristics of the system as a whole. System cards complement model cards and are required for any AI system that produces outputs used in customer-facing assessments.
Our operations team monitors production models for performance drift on an ongoing basis. Statistical process control methods track output distributions against established baselines. When drift exceeds defined thresholds, models are flagged for analyst review and, if necessary, revalidation or retraining. Degraded models are not left in production — they are either remediated or retired.
Our ai risk management practice is structured around the four functions of the nist ai rmf: Govern, Map, Measure, and Manage. This is a continuous practice, not a point-in-time assessment.
We identify AI-related risks across four categories: performance risks (model accuracy, robustness, and reliability), fairness risks (differential outcomes across organizational types or geographies), security risks (adversarial manipulation of model inputs or outputs), and operational risks (system failures, data quality degradation, or human override failures). Each risk category has defined monitoring indicators and escalation thresholds.
Identified risks are logged in our risk register with assigned owners, mitigation plans, and review dates. High-severity risks — particularly those that could affect the accuracy of scores used in underwriting contexts — are escalated to our strategic governance layer for immediate review. Our risk management process feeds directly into our model governance and methodology improvement cycles.
AI accountability at ASI means that for every risk identified and every mitigation applied, there is a named individual responsible for the outcome. We do not distribute accountability to the point of diffusion. Our governance documentation names the team and role accountable for each AI system, each data pipeline, and each model in production.
Our Control Effectiveness Scoring (CES) engine is the most consequential AI system we operate. Changes to scoring weights, signal collection criteria, or factor definitions follow a formal governance process before taking effect in production.
Any proposed change to the CES methodology is documented as a methodology revision proposal. The proposal must specify the nature of the change, the evidence supporting it, and the expected impact on score distributions. Before approval, proposed changes are backtested against our historical assessment dataset to measure their effect on existing scores. Changes that produce large distributional shifts without supporting evidence are rejected.
Every version of our scoring methodology is version-controlled and archived. Our analysts can reproduce any historical assessment using the methodology version that was active at the time it was conducted. This auditability is essential for our credibility with insurance and enterprise clients who rely on score consistency over time.
New signal categories are subject to the same governance process as methodology changes. Before a new signal type is incorporated into production scoring, our team evaluates its reliability, its potential for bias, and its coverage across the organizations in our database. Signals with low coverage, high noise, or potential for discriminatory proxy effects are not admitted to production without additional review.
ASI maintains active ai compliance monitoring across the regulatory jurisdictions relevant to our operations and our clients. Our regulatory alignment is not a one-time mapping exercise — it is an ongoing practice managed by our methodology and governance team.
The nist ai rmf is our primary governance reference for US operations. Our Govern, Map, Measure, and Manage functions are designed to align with NIST's framework structure. We treat the NIST AI RMF not merely as a reference but as the backbone of our ai risk management practice, updating our internal controls as NIST releases supplementary guidance and profiles.
iso 42001 provides our management system structure for AI governance internationally. Its requirements for documented AI policy, organizational roles and responsibilities, risk assessment processes, and continuous improvement align with our existing governance controls. We use iso 42001 as our reference for validating that our governance documentation is complete and internally consistent.
The eu ai act introduces transparency and human oversight requirements for AI systems that may affect individuals or organizations in the European Union. Our assessment of AI systems used by EU-based entities is conducted with attention to the EU AI Act's risk classification categories. Our internal AI systems that produce outputs potentially relevant to EU entities are governed with transparency and explainability requirements consistent with the Act's high-risk system provisions.
Our team monitors regulatory developments in the United States, European Union, United Kingdom, and other key jurisdictions on an ongoing basis. When new ai compliance requirements emerge — whether through legislation, regulatory guidance, or court decisions — we assess their applicability to our systems and update our governance controls accordingly. We do not wait for enforcement to drive compliance.
Our internal audit cadence covers model performance, data governance controls, human oversight protocols, and regulatory alignment on a defined review cycle. Audit findings are documented, assigned to owners, and tracked to resolution. We do not consider an audit cycle complete until all findings are remediated or formally accepted as tolerable risks with compensating controls.
We are committed to third-party review of our governance framework as our organization matures. Our public reporting commitments include maintaining this governance documentation as a living resource, updating it when material changes occur to our systems or practices, and publishing a summary of our governance audit outcomes annually.
Questions about our ai governance practices? Contact our team at trust@aisecurityintelligence.com. For our foundational principles, see our Responsible AI Principles.
This framework is reviewed and updated on a defined annual cycle, or whenever material changes occur to our AI systems, methodologies, or applicable regulatory requirements. Last reviewed: March 2026.