Designing an AI Governance Program: A Control-Based Model for Risk and Compliance
Abstract
As organizations increasingly rely on artificial intelligence (AI) for decision-making, cybersecurity, and compliance, the limits of principle-based AI governance have become clear. Frameworks such as the NIST AI Risk Management Framework provide broad, high-level guidance, but many organizations still lack practical, auditable mechanisms for operationalizing AI governance within their enterprise governance, risk, and compliance (GRC) programs. This research introduces a control-based AI governance model that embeds AI oversight into existing internal controls and risk management structures. The model organizes governance through administrative, technical, and operational controls, and integrates AI risk assessment, compliance mapping, and continuous monitoring across the AI lifecycle. Governance controls are mapped to the NIST AI Risk Management Framework and NIST Special Publication 800-53 to demonstrate compatibility and traceability; the mapping is technology-neutral, does not mandate specific tools, and does not require a demonstration of operational compatibility. The study thus presents a practical, vendor-agnostic approach that advances the operationalization of AI governance and its integration with enterprise GRC practices.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Authors who publish with this journal agree to the following terms: the author grants RAIS Journal of Social Sciences the right of first publication, with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with acknowledgment of its authorship and initial publication in this journal. Authors retain copyright. Authors who cite their own article published in RAIS Journal of Social Sciences are encouraged to cite the journal name, volume, and page. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as this can lead to productive exchanges as well as earlier and greater citation of published work (see The Effect of Open Access). This journal provides immediate open access to its content, making research freely available to the public and supporting a greater global exchange of knowledge.