NIST AI RMF — GOVERN 1.6
Maintain an inventory of AI systems
List every AI/automated tool, what it does, what data it ingests, who it affects, who owns it, and its risk tier, and keep the list current as tools are added or retired. This inventory is the spine of every other obligation: each item below is decided per system from what the inventory records.
NIST AI RMF — GOVERN 1.1
Adopt a written AI-use policy
Publish an internal policy: approved tools, prohibited uses, human-review rules, and who owns AI risk. Use the policy-template generator to start.
EU AI Act — High-risk Art. 9 / NIST MEASURE
Run a high-risk impact assessment
Document foreseeable harms, bias testing, and mitigations before the system makes consequential decisions. High-risk uses carry the heaviest obligations.
EU AI Act — Art. 14 (Human oversight)
Guarantee meaningful human oversight
Ensure a person can review, override, and be accountable for consequential AI outputs. Never let the model be the final word on someone's rights.
NIST AI RMF — MAP 2.3
Data governance for training/input data
Know the provenance, quality, and lawful basis for data going into the system. Personal data triggers privacy-law obligations too — cross-check Privacy Readiness.
EU AI Act — Art. 50 (Transparency)
Disclose AI to affected people
Tell people when they're interacting with AI or seeing AI-generated content. Label chatbots and synthetic media.
NIST AI RMF — GOVERN 6.1
Vendor due diligence
Get the vendor's model documentation, data-handling terms, and incident process in writing. You stay accountable for tools you buy.
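As an added example that is not part of this checklist: one way to make the inventory actually drive the other items is a record per system whose risk tier, data and vendor fields decide which evidence artifacts must exist, with a check that lists what is still missing. The field names, tier labels and artifact names below are assumptions chosen to mirror the items above; adapt them to your own inventory schema.

```python
"""Minimal AI-system inventory with a readiness check.

Added example, not part of the original checklist. The field names,
risk-tier labels and artifact names are assumptions chosen to mirror
the checklist items; adapt them to your own inventory schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Risk tiers used here mirror the EU AI Act tiers named on the page
# for orientation only; they are not a legal classification.
RISK_TIERS = ("minimal", "limited", "high", "prohibited")


@dataclass
class AISystem:
    name: str
    purpose: str                   # what it does
    data_inputs: list[str]         # what data it ingests
    affected_parties: list[str]    # who it affects
    owner: str                     # who owns the AI risk for this tool
    risk_tier: str                 # one of RISK_TIERS
    vendor: str | None = None      # None means built in-house
    personal_data: bool = False    # ingests personal data
    user_facing: bool = False      # people interact with it or see its output
    # Evidence artifacts collected so far (assumed names, see module docstring)
    artifacts: set[str] = field(default_factory=set)


def readiness_gaps(system: AISystem) -> list[str]:
    """Return the checklist obligations that lack evidence for one system.

    The inventory record drives every other check: the tier, data and
    vendor fields decide which artifacts must exist.
    """
    gaps: list[str] = []
    if system.risk_tier not in RISK_TIERS:
        gaps.append(f"unknown risk tier {system.risk_tier!r}")
    if not system.owner:
        gaps.append("no named owner (AI-use policy)")
    if "use_policy_reviewed" not in system.artifacts:
        gaps.append("not reviewed against the written AI-use policy")
    if system.risk_tier == "prohibited":
        gaps.append("prohibited use: decommission, no mitigation applies")
    if system.risk_tier == "high":
        for art, label in (
            ("impact_assessment", "high-risk impact assessment (Art. 9 / MEASURE)"),
            ("human_oversight_procedure", "human oversight procedure (Art. 14)"),
        ):
            if art not in system.artifacts:
                gaps.append(f"missing {label}")
    if "data_provenance_record" not in system.artifacts:
        gaps.append("missing data provenance record (MAP 2.3)")
    if system.personal_data and "privacy_review" not in system.artifacts:
        gaps.append("personal data without privacy review (cross-check Privacy Readiness)")
    if system.user_facing and "ai_disclosure" not in system.artifacts:
        gaps.append("no AI disclosure to affected people (Art. 50)")
    if system.vendor and "vendor_terms" not in system.artifacts:
        gaps.append(f"no written vendor documentation from {system.vendor} (GOVERN 6.1)")
    return gaps


def readiness_report(inventory: list[AISystem]) -> dict[str, list[str]]:
    """Map each inventoried system to its open gaps (empty list means ready)."""
    return {s.name: readiness_gaps(s) for s in inventory}


# Constructed sample inventory for illustration; names and vendor are made up.
SAMPLE_INVENTORY = [
    AISystem(
        name="support-chatbot",
        purpose="answers customer questions",
        data_inputs=["chat transcripts"],
        affected_parties=["customers"],
        owner="Head of Support",
        risk_tier="limited",
        vendor="ExampleVendor",
        personal_data=True,
        user_facing=True,
        artifacts={"use_policy_reviewed", "data_provenance_record",
                   "privacy_review", "ai_disclosure", "vendor_terms"},
    ),
    AISystem(
        name="resume-screener",
        purpose="ranks job applicants",
        data_inputs=["CVs", "application forms"],
        affected_parties=["job applicants"],
        owner="",
        risk_tier="high",
        personal_data=True,
        artifacts={"use_policy_reviewed", "data_provenance_record"},
    ),
]

if __name__ == "__main__":
    for name, gaps in readiness_report(SAMPLE_INVENTORY).items():
        print(name, "ready" if not gaps else "")
        for g in gaps:
            print("  -", g)
```

The artifact names are deliberately coarse: the point is that a missing owner, a high risk tier, a personal-data flag or a vendor field each pulls in a different item from the checklist, so the inventory, not a separate spreadsheet, is what tells you which obligations are still open.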
This is a readiness & documentation workflow, not legal advice. Risk tiers mirror the EU AI Act for orientation. Consult counsel for binding compliance in your jurisdiction.