
AI Governance Frameworks : NIST AI RMF - ISO 42001 - EU AI ACT - OECD AI PRINCIPLES

Implement the Four AI Governance Frameworks That Regulators, Clients, and Boards Expect

Four AI governance frameworks. One practical guide. Get compliance-ready before regulators, clients, and boards demand it.

About the Book

AI governance has moved from a conference talking point to a board-level obligation — and the practitioners responsible for delivering on it are often working with incomplete, contradictory, or over-simplified information.

This guide cuts through the noise. It gives risk managers, compliance officers, AI leads, consultants, and executive learners a clear, honest account of the four frameworks they are most likely to encounter in practice: the NIST AI Risk Management Framework, ISO/IEC 42001:2023, the EU AI Act, and the OECD AI Principles.

Each framework is covered in depth — what it is, what it actually requires, how organisations are using it, and where practitioners most commonly go wrong. Every chapter closes with a quick-start checklist you can act on immediately.

Running throughout the book is a fictional but realistic case study: NovaCred, a Singapore-headquartered FinTech whose credit scoring engine, CreditIQ, lands squarely in the EU AI Act's high-risk category — mid-integration with a German bank client, and with no conformity assessment in place. You'll follow NovaCred from compliance gap to certification-ready, and see exactly which steps apply to your own organisation's situation.

A dedicated chapter tackles the question practitioners almost always ask but rarely find answered: how do these four frameworks relate to each other, and in what order should you implement them? The book closes with a concrete 90-day action plan so you can move from understanding to action.

The appendices include ready-to-use templates: an AI System Inventory Register, NIST AI RMF Risk Register, ISO 42001 Gap Analysis Scorecard, EU AI Act Compliance Gap Tracker, OECD Policy Mapping worksheets, a 14-dimension Framework Comparison Master Table, and a glossary of 35 key terms.

Who this book is for: Risk managers and compliance officers being asked to assess AI governance maturity for the first time. AI leads and technical architects who need to understand governance obligations without weeks inside standards documents. Consultants building AI governance practices. MBA students and executive learners developing strategic fluency in this space.

No machine learning background required — but a willingness to engage with specifics is.


About the Author

Srinivas Bommena

Srinivas is a Generative AI Practitioner and Educator specializing in the architectural design and rigorous evaluation of LLM-powered applications. With deep experience in developing multi-agent frameworks and hybrid RAG architectures, he focuses on bridging the gap between experimental AI and production-ready systems.

He is the creator of popular technical practice tests on Udemy, including the AWS Certified GenAI Developer - Professional series, and has developed comprehensive frameworks for AI project estimation and compliance. His work frequently involves industry-leading evaluation tools such as RAGAS, Giskard, and Guardrails.ai.

Driven by the mission to help IT professionals navigate the "mindset shift" required for the AI era, Srinivas provides systematic, data-driven methodologies for building AI that is not only innovative but reliable and compliant with emerging standards like the EU AI Act.

Table of Contents

Preface 1

1. Why AI Governance Now 4

1.1   The regulatory moment 4

1.2   The three governance failure modes 6

1.3   A map of the four frameworks 7

1.4   How the frameworks relate to each other 9

1.5   How to read this guide 9

2. NIST AI Risk Management Framework 10

2.1   What the NIST AI RMF is — and what it is not 10

2.2   The four functions 11

2.3   The playbook — making the framework actionable 13

2.4   Common implementation mistakes 14

2.5   NovaCred in action: NIST AI RMF applied to CreditIQ 15

2.6   Quick-start checklist 17

3. ISO/IEC 42001:2023 18

3.1   The management system model — why it is different 18

3.2   The ten clauses — what auditors actually look for 19

3.3   The certification journey 21

3.4   Certificate theatre vs. genuine governance 22

3.5   NovaCred in action: ISO 42001 gap analysis to certification 23

3.6   Quick-start checklist 25

4. EU AI Act 26

4.1   The fundamental shift — law, not guidance 27

4.2   The four risk tiers 28

4.3   Classifying your AI systems — the Annex III analysis 29

4.4   High-risk AI obligations — the twelve requirements 30

4.5   What almost certainly qualifies as high-risk AI 32

4.6   The August 2026 deadline — what 'wait and see' actually costs 33

4.7   NovaCred in action: CreditIQ classification and compliance gap 33

4.8   Quick-start checklist 35

5. OECD AI Principles 36

5.1   What the OECD AI Principles are 37

5.2   The five principles — explained for practitioners 37

5.3   Three levels of adoption 38

5.4   How the OECD Principles underpin every other framework 39

5.5   The 2024 update — what changed and why it matters 40

5.6   NovaCred in action: policy mapping exercise 41

5.7   Quick-start checklist 43

6. Using All Four Frameworks Together 44

6.1   The layered architecture 45

6.2   The duplication traps — and how to avoid them 46

6.3   Framework selection — where to start 47

6.4   The integration points — where frameworks share the most ground 48

6.5   NovaCred: the 12-month integrated roadmap 49

6.6   The framework selection decision tree 51

7. Your 90-Day Action Plan 52

7.1   The 90-day plan 53

7.2   Beyond day 90 — the ongoing governance cycle 55

7.3   Certifications worth pursuing in 2026 56

7.4   Building the leadership argument 57

Appendices

App. A   AI System Inventory Register 61

App. B   NIST AI RMF Risk Register 64

App. C   ISO 42001 Gap Analysis Scorecard 67

App. D   AI System Impact Assessment (ASIA) 70

App. E   EU AI Act Classification & Compliance Gap Tracker 74

App. F   OECD AI Principles Policy Mapping 76

App. G   Framework Comparison Master Table 78

App. H   Glossary of Key Terms 80

