Integrated AI Governance Process Framework

Peter Haenni

2 min read
Integrated AI Governance Process Framework
SIPOC process map auto generated by the ProcessHorizon web app

This process map provides an operational AI governance process framework that integrates key international AI governance standards:

  • ISO/IEC 42001 AI Management System (AIMS)
  • ISO/IEC 42005 AI System Impact Assessment (AIIA)
  • ISO/IEC 23894 AI Risk Management
  • ISO/IEC 38507 AI Governance Guidance for Boards
  • NIST AI RMF Risk Management Framework (U.S. focused but globally influential)
  • OECD AI Principles Ethical and policy foundation
  • EU AI Act Regulatory benchmark for risk-tiered compliance

1. Strategic Alignment and Oversight

ISO/IEC 38507, OECD, ISO/IEC 42001

  • Establish AI governance roles and policies aligned with organizational strategy
  • Ensure board-level oversight of AI via ISO/IEC 38507
  • Embed ethical principles and stakeholder expectations into the organization’s AI policy
  • Identify regulatory obligations (e.g. EU AI Act classifications)

2. AI Risk & Impact Scoping

ISO/IEC 23894, ISO/IEC 42005, NIST AI RMF, EU AI Act

  • Conduct contextual analysis: purpose, domain, affected stakeholders
  • Perform AI system impact assessment (ISO/IEC 42005) — covering:
    • Human rights
    • Socioeconomic impacts
    • Environmental concerns
    • Disproportionate effects on vulnerable groups
  • Classify system according to EU AI Act risk tiers (unacceptable, high, limited, minimal)

3. Governance-by-Design (Design Phase Integration)

ISO/IEC 42001, ISO/IEC 23894, OECD Principles

  • Integrate AI ethics, safety & robustness requirements in design specs.
  • Use the AIMS (ISO/IEC 42001) to embed controls like:
    • Bias detection
    • Explainability
    • Data quality assurance
  • Create mechanisms for stakeholder feedback loops and participatory design

4. Development and Validation

NIST AI RMF, ISO/IEC 42001, ISO/IEC 42005

  • Apply assurance methods: validation, verification, testing, and stress scenarios
  • Conduct risk treatment (ISO/IEC 23894): avoid, mitigate, transfer, accept
  • Re-assess stakeholder impact if design evolves significantly

5. Deployment and Monitoring

ISO/IEC 42001, ISO/IEC 42005, NIST AI RMF

  • Deploy AI systems with real-time monitoring and fallback controls.
  • Continuously track:
    • Model drift and performance
    • Unintended impacts
    • Stakeholder complaints or harms
  • Periodically re-run impact assessments and adapt controls

6. Incident Response and Continuous Improvement

ISO/IEC 42001, NIST AI RMF

  • Define a protocol for:
    • Incident detection and classification
    • Stakeholder communication
    • Legal and regulatory reporting
  • Feed lessons learned into:
    • Risk treatment strategies
    • Policy updates
    • Training

7. Documentation and Audit Readiness

ISO/IEC 42001, ISO/IEC 23894, EU AI Act

  • Maintain traceable documentation across the AI lifecycle.
  • Ensure auditability of:
    • Design decisions
    • Risk and impact assessments
    • Stakeholder engagement efforts

Using the following link you can access this sandbox SIPOC model in the ProcessHorizon web app and adapt it to your needs (easy customizing) and export or print the automagically created visual AllinOne SIPOC map as a PDF document or share it with your peers: https://app.processhorizon.com/enterprises/5v4tzWKDYcjH1FAAVUc2zGid/frontend