Why another AI governance framework?

The AI governance framework landscape is crowded. NIST AI RMF, ISO 42001, the EU AI Act's requirements, OECD principles, industry-specific guidance from financial regulators — each framework provides valuable guidance, and each covers different ground. The problem for enterprise AI governance practitioners is integration: how do you build a governance program that satisfies multiple frameworks simultaneously, operates as a coherent whole rather than a collection of parallel compliance exercises, and adapts as the regulatory landscape changes?

AIRA (AI Integrated Risk Architecture) was developed to answer this question. It is not a replacement for the existing frameworks — it is a methodology for integrating them. An organisation that implements AI governance through AIRA produces artefacts and controls that simultaneously satisfy ISO 31000 risk management requirements, align with the NIST AI RMF core functions, and meet the EU AI Act deployer obligations. The integration is deliberate: each AIRA deliverable maps explicitly to the requirements of each framework it satisfies.

Phase 1: Assess

The Assess phase has a single non-negotiable output: a complete, current, and accurate AI system inventory. This is the foundation on which all subsequent governance is built, and it is where most enterprise AI governance programs fail. Organisations begin implementing governance controls — policies, vendor questionnaires, training programs — before they understand what they are governing. The result is governance that addresses the AI systems management knows about, not the AI systems the organisation actually uses.

A complete inventory requires active discovery, not passive collection. Business units have procured AI tools through software purchasing processes that bypass central technology review. Data science teams have built and deployed models that are not registered anywhere. Third-party systems include AI components that were not disclosed at procurement. The Assess phase uses a structured discovery methodology — combining technology scanning, business unit interviews, vendor contract review, and financial system analysis — to surface the full AI footprint before governance is designed.

Phase 2: Implement

The Implement phase builds governance controls proportionate to the risk profile identified in the Assess phase. AIRA's risk-proportionality principle is its most important differentiator from compliance-led approaches. Not every AI system requires the same governance controls — a generative AI tool used for internal document drafting requires different governance from a credit scoring model used in loan approvals. The Implement phase designs controls at the right level of rigour for each system's actual risk, rather than applying maximum governance to everything (which creates an unsustainable compliance burden) or minimum governance to everything (which creates unacceptable risk).

Phase 3: Review

The Review phase introduces the independence requirement that distinguishes AIRA from self-certification governance models. Governance controls must be reviewed by parties who did not design them — whether internal audit, risk management functions, or external advisors — against defined effectiveness criteria. The criteria are specific: a control is effective if it is operating as designed, producing the intended risk reduction, and being applied consistently to the AI systems it was designed to govern. A policy that exists but is not being applied is not an effective control — and the Review phase is specifically designed to identify this gap.