A1/ Founder's guide

AI governance frameworks, for founders who need to ship.

AI ethics and governance has moved from a board-deck slide to a procurement blocker. Enterprise buyers, regulators, and insurers now ask the same question in different words: which AI governance framework do you operate under, and can you prove it? This guide is how we think about answering that — shaped by the operators we back and the regulatory surface they ship into.

The frameworks that matter in 2026

Four reference points cover the working surface for most AI-native companies. Pick one as the spine, layer the others as they become relevant — don't try to comply with all of them in parallel.

01

NIST AI Risk Management Framework (AI RMF 1.0)

Voluntary, function-based (Govern, Map, Measure, Manage). The most operator-friendly starting point: it doesn't prescribe controls, it forces you to map AI risks to your actual product surface and business context. Pair with the Generative AI Profile for LLM-specific risks.

02

ISO/IEC 42001:2023 — AI Management Systems

Certifiable management-system standard, modeled on ISO 27001. Useful once you're selling into regulated buyers or larger enterprises — auditors recognize it, and it forces continuous improvement instead of one-off policy work.

03

EU AI Act

Risk-tiered regulation (prohibited, high-risk, limited, minimal) with extraterritorial reach. High-risk obligations start applying through 2026–2027. If your product touches employment, credit, education, biometrics, or critical infrastructure, treat this as table stakes — not a future problem.

04

Sectoral overlays

SOC 2, HIPAA, PCI-DSS, DORA, MAS FEAT, and emerging model-specific guidance (FINRA, FDA, MHRA) sit on top of horizontal frameworks. Customers in regulated verticals will ask about these directly; the AI framework only complements them.

Implementing without slowing the company down

The companies that scale governance well treat it as part of the engineering org, not a parallel compliance function. Five moves separate programs that survive an audit from programs that survive a customer incident.

01

Inventory what is actually "AI" in your stack

Build a single source of truth for every model, prompt, dataset, and third-party AI vendor. Tag by purpose, data sensitivity, decision impact, and EU AI Act risk tier. Most governance failures are inventory failures.

02

Pick one horizontal framework as the spine

Default to NIST AI RMF early; layer ISO/IEC 42001 once enterprise procurement starts asking. Don't run both as parallel programs — map one to the other and maintain a single control set.

03

Tie controls to the SDLC, not a policy PDF

Model evaluation gates, red-team checklists, dataset lineage, prompt-injection tests, and human-in-the-loop thresholds belong in CI and ticketing — not a Confluence page nobody opens. Governance you can't enforce in code isn't governance.

04

Instrument for evidence from day one

Log model version, input class, output, reviewer, and override on every consequential decision. Auditors, customers, and post-incident reviews all need the same trail; building it later costs an order of magnitude more.

05

Govern third-party models like vendors

Foundation-model providers are sub-processors. Track model versions, deprecation schedules, data-use terms, and region of inference. A silent model swap from your provider is a governance event.
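As an added illustration (not code from this page or from the firm), the evidence trail from step 04 as a hash-chained decision log, with the inventory from step 01 used to flag the silent model swap named in step 05. The model id, version strings and field values are constructed placeholders.

```python
import hashlib
import json

# Constructed inventory (step 01): model id -> approved version and EU AI Act risk tier.
# All names and values here are illustrative placeholders, not real systems.
INVENTORY = {"credit-scorer": {"approved_version": "2026.03.1", "risk_tier": "high"}}
GENESIS = "0" * 64  # prev_hash of the first entry

def _digest(record):
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class DecisionLog:
    """Append-only, hash-chained trail of consequential decisions (step 04)."""

    def __init__(self):
        self.entries = []

    def record(self, model_id, model_version, input_class, output, reviewer, override=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "model_id": model_id,
            "model_version": model_version,
            "input_class": input_class,
            "output": output,
            "reviewer": reviewer,
            "override": override,
            "prev_hash": prev,
        }
        entry["hash"] = _digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain. Editing, reordering or removing an interior entry breaks
        it; truncating the tail does not, so anchor the latest hash outside the writer's reach."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def unapproved_model_events(log):
    """Step 05: seq numbers of decisions made by a version other than the inventoried one."""
    return [e["seq"] for e in log.entries
            if e["model_version"] != INVENTORY.get(e["model_id"], {}).get("approved_version")]
```

Running `unapproved_model_events` on each batch of entries turns a provider-side version change into a visible governance event rather than a surprise in a post-incident review.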

Where we invest behind this

AI-native governance is one of the three themes we underwrite with conviction. As AI moves into decision-making systems, governance, auditability, and trust become the differentiating layer — and the operators who treat regulation as moat compound faster than the ones who treat it as overhead.

If you're building in this space, we'd like to hear from you.