Questions about AI governance, answered.

AI governance is the framework of policies, processes, controls, and accountability structures that an organization puts in place to ensure its AI systems are deployed responsibly, comply with applicable regulations, and operate within defined risk tolerances. It covers the full AI lifecycle: from model selection and vendor due diligence, to monitoring in production, incident response, and ongoing audit documentation.

Effective AI governance is not a one-time policy document — it's an operational discipline that bridges legal, technical, and business functions. Organizations that treat governance as a compliance checkbox typically end up with what practitioners call "governance theater": policies that exist on paper but don't affect how AI decisions are actually made.

Regulated industries — healthcare, financial services, and defense — face compounding risk from AI deployment. Existing regulations like HIPAA, SR 11-7, and CMMC 2.0 were not written for large language models or autonomous AI systems. This creates a governance gap: the AI is live, but the controls, documentation, and accountability structures don't exist yet.

Regulators are actively filling that gap with enforcement guidance. Organizations without a defensible AI governance program face audit findings, contract eligibility issues, and reputational liability when AI systems produce adverse outcomes. The 62% of AI governance programs that are ineffective are taking on significant unquantified risk.

These three disciplines are related but distinct. AI governance is the overarching structure — the policies, accountability, and decision-making processes for AI. AI risk management is the operational practice of identifying, assessing, and mitigating risks from specific AI systems (bias, security vulnerabilities, model drift, third-party vendor exposure). AI compliance is the narrower obligation to satisfy specific regulatory or contractual requirements — HIPAA, CMMC, SOC 2, ISO 42001, NIST AI RMF.

A mature AI GRC program (Governance, Risk, and Compliance) integrates all three. Altiri's Strategic AI Alignment Framework is designed to operationalize all three disciplines simultaneously rather than treating them as separate workstreams.

The Strategic AI Alignment Framework is Altiri's proprietary methodology for operationalizing AI governance in regulated enterprises. It maps to NIST AI RMF functions (Govern, Map, Measure, Manage) and adds implementation layers specific to healthcare, financial services, and defense.

The framework covers: AI inventory and classification, risk scoring and tiering, policy architecture, vendor due diligence protocols, board reporting templates, and audit readiness documentation. It is the delivery vehicle for all Altiri engagements. Learn more about the framework →

A virtual Chief AI Officer (vCAIO) is a fractional executive who provides dedicated AI governance leadership to an organization without the cost or commitment of a full-time hire. A vCAIO owns your AI strategy, governance program, and compliance posture — attending leadership meetings, advising the board, building frameworks, managing vendor risk, and ensuring regulatory alignment.

Altiri's vCAIO model runs $3,000–$10,000/month depending on engagement scope, compared to a full-time CAIO at $300,000–$400,000+ annually in salary and equity. The fractional model is especially effective for mid-market regulated organizations that need C-suite-level AI expertise but don't yet have the volume to justify a full-time hire. See the full business case for fractional AI leadership →

Altiri operates on a fractional retainer model with three tiers. Foundation ($3,000/month) provides 5 hours/week — ideal for organizations starting their governance program. Operational ($6,000/month) provides 10 hours/week and includes full GRC program build-out. Enterprise ($10,000/month) provides 15 hours/week with C-suite integration and board reporting.

All tiers include access to the Strategic AI Alignment Framework, policy templates, and Altiri's AltiriOS platform for ongoing governance management. See full pricing and tier details →

No. Altiri operates on month-to-month retainer agreements with a 30-day notice period. There are no multi-year lock-ins or termination fees.

The Foundation tier is designed as a starting point — many clients scale to Operational or Enterprise as their governance program matures. Altiri also offers a standalone AI Readiness Assessment as a one-time engagement for organizations that want to understand their current posture before committing to ongoing services.

Altiri focuses on three regulated verticals:

Healthcare — HIPAA AI governance, clinical AI oversight, health system and digital health company compliance. Includes PHI risk assessment for AI tools and clinical decision support oversight.

Financial Services — SR 11-7 model risk management, SEC/FINRA AI governance, hedge fund and wealth management AI risk. Includes model validation frameworks for LLMs.

Defense — CMMC + AI layering, DoD contractor AI governance, CUI protection in AI systems. Includes AI-specific controls mapped to CMMC Level 2 and Level 3.

HIPAA applies to AI systems that touch Protected Health Information (PHI) — including AI tools used for clinical decision support, patient communication, coding automation, and prior authorization. Standard HIPAA BAA requirements apply when PHI is processed by an AI vendor.

However, HIPAA was not designed for AI-specific risks: model bias, training data lineage, hallucination in clinical contexts, and autonomous decision-making without human review. Healthcare organizations using AI need governance controls that go beyond HIPAA's minimum requirements, including AI-specific risk assessments, vendor AI use agreements that address model training data practices, and clinical oversight policies for AI-generated recommendations.

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework requiring defense contractors to demonstrate cybersecurity controls protecting Controlled Unclassified Information (CUI). CMMC focuses on cybersecurity practices, not AI governance — but AI systems used by defense contractors introduce new attack surfaces and data handling risks that existing CMMC controls do not address.

Defense contractors deploying AI need to layer AI governance controls on top of their CMMC program: AI system classification that identifies CUI exposure, policies governing the use of CUI in AI training data, model access controls and audit trails, and incident response procedures for AI system failures involving sensitive data. Altiri's Defense AI Governance service addresses this layering specifically.

SOC 2 audits assess controls over security, availability, processing integrity, confidentiality, and privacy. AI systems — particularly vendor-supplied AI tools — introduce risks across all five trust service criteria. Auditors increasingly expect organizations to have documented AI governance controls: vendor AI due diligence, data processing agreements, model monitoring, and incident response for AI failures.

Altiri aligns AI governance documentation to SOC 2 control language so that AI governance evidence is audit-ready and maps directly into your existing SOC 2 program. This prevents the common scenario where an organization builds a governance program that doesn't produce the artifacts auditors actually need.

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework published by the National Institute of Standards and Technology that provides organizations with a structured approach to managing risks from AI systems. It defines four core functions:

Govern — establish organizational policies, accountability, and culture around AI risk. Map — identify AI systems and their risk context, stakeholders, and potential impacts. Measure — assess and analyze identified risks using quantitative and qualitative approaches. Manage — prioritize, respond to, and communicate about risks.

The NIST AI RMF is increasingly referenced in regulatory guidance and procurement requirements across healthcare, financial services, and federal contracting. Read Altiri's NIST AI RMF implementation guide for regulated industries →

NIST AI RMF is a risk management framework — it helps you identify, assess, and manage AI risks. It's voluntary, US-centric, and doesn't result in a certification. ISO 42001 is a management system standard — it defines requirements for an AI Management System (AIMS) that can be formally certified by an accredited external auditor.

NIST AI RMF is widely used by federal contractors and US-regulated industries. ISO 42001 is internationally certifiable and increasingly required in European and global procurement contexts. Most regulated enterprises in the US start with NIST AI RMF as their operational foundation and pursue ISO 42001 certification as a market differentiation signal when competing globally or bidding on international contracts.

ISO/IEC 42001:2023 is the first internationally recognized management system standard specifically designed for AI. It defines requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). Unlike NIST AI RMF — a voluntary risk management guide — ISO 42001 is certifiable: organizations can engage an accredited third-party auditor to verify conformance and receive a formal certificate recognized globally.

Certification involves a gap assessment, AIMS implementation (policies, risk processes, objectives, monitoring), an internal audit, and Stage 1/Stage 2 audits by an accredited certification body. ISO 42001 is increasingly referenced in European procurement requirements and global enterprise contracts as evidence of AI governance maturity. US organizations competing for international contracts or working with EU-based partners should consider ISO 42001 as a strategic differentiator.

AI TRiSM (AI Trust, Risk, and Security Management) is a framework coined by Gartner to describe the discipline of managing trustworthiness, explainability, fairness, reliability, security, and privacy of AI models across their lifecycle. It emerged from recognition that traditional enterprise risk frameworks don't adequately address the unique failure modes of AI: model drift, adversarial attacks, training data poisoning, hallucination, and opaque decision-making.

AI TRiSM operationalizes governance at the model level — not just the policy level. For regulated enterprises, this translates into specific controls: model cards documenting capabilities and limitations, bias assessments for high-stakes decision AI, explainability documentation for clinical or credit decisions, red-teaming for adversarial robustness, and continuous model performance monitoring. Altiri incorporates AI TRiSM principles into the operational layer of all governance programs.

SR 11-7 (Supervisory Guidance on Model Risk Management) was issued by the Federal Reserve and OCC in 2011 to govern how financial institutions identify, validate, and manage model risk. Large language models clearly qualify as models under its broad definition. Applying SR 11-7 to LLMs requires:

Model inventory and risk tiering — classifying each LLM by its use case and potential impact on financial outcomes. Independent model validation — conceptual soundness assessment, ongoing output monitoring, and outcomes analysis. Governance documentation — development documentation, validation reports, use case approval, and defined limitations. The challenge is that traditional SR 11-7 validation was designed for parametric statistical models, not probabilistic transformer-based architectures. Financial services firms need adapted validation frameworks for LLMs — a core component of Altiri's financial services practice.

The EU AI Act is a comprehensive regulation enacted by the European Union in 2024 that categorizes AI systems by risk level — unacceptable, high, limited, and minimal — and imposes corresponding requirements. High-risk AI systems (clinical decision support, credit scoring, hiring, critical infrastructure) face mandatory conformity assessments, technical documentation, human oversight requirements, and post-market monitoring.

The Act has extraterritorial reach: it applies to AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the developer or deployer is based. US organizations in healthcare, financial services, or defense that sell to, operate in, or partner with EU entities may be directly subject to EU AI Act requirements. Altiri tracks EU AI Act compliance obligations for US clients with international exposure and incorporates Act requirements into governance programs when relevant.

AI governance ROI appears in three categories:

Risk reduction: Documented governance programs reduce the likelihood of regulatory findings, which cost $50,000–$5M+ in healthcare and financial services. A single HIPAA enforcement action for a data breach involving PHI processed by an ungoverned AI tool can exceed the entire cost of a multi-year governance program.

Deal enablement: Enterprise prospects and government contracts increasingly require demonstrated AI governance posture as a procurement condition. Organizations that can produce governance documentation close regulated-sector deals faster and eliminate a common late-stage deal objection.

Operational efficiency: Structured AI oversight reduces the cost of ad hoc risk reviews and enables faster, more confident AI adoption decisions. Organizations with governance programs approve new AI tools in days, not months.

A mature AI governance program reduces enterprise AI risk through four mechanisms:

1. Inventory and classification — you can't govern what you don't know exists. A complete AI system registry covering all deployed tools, models, and vendor AI integrations is the mandatory foundation. Most organizations discover 40–60% more AI exposure during the inventory phase than they expected.

2. Risk tiering — not all AI is equal. High-stakes clinical, credit, or targeting AI requires stronger controls, human oversight requirements, and monitoring cadence than internal productivity tools. Risk tiering ensures controls are proportionate.

3. Vendor due diligence — third-party AI vendors represent your largest uncontrolled risk surface. Most enterprise AI risk doesn't come from models your team built — it comes from SaaS tools using AI in ways that aren't disclosed. Documented diligence processes contain that exposure.

4. Monitoring and incident response — AI systems drift and fail in production. Governance programs define what failure looks like, who is accountable for detecting it, and what the response protocol is before an adverse event occurs.

The visible costs of an AI governance failure — regulatory fines, breach notifications, litigation — are often dwarfed by hidden costs that accumulate before any incident occurs. These include:

Shadow AI proliferation — employees adopt unsanctioned AI tools that process regulated data outside any compliance review. Typically discovered only during audits, at significant remediation cost. Vendor model training exposure — SaaS AI tools train on your data by default unless explicitly opted out in the contract. Most organizations haven't reviewed their AI vendor agreements. Compounding technical debt — AI systems deployed without documented risk assessments become audit liabilities as regulatory scrutiny increases. Deal friction — lack of governance documentation delays or kills enterprise and government contracts that require AI risk attestations.

Altiri's inventory-first approach typically surfaces 40–60% more AI exposure than clients initially report.

The board case for AI governance rests on three pillars:

Regulatory liability quantification: Work with legal to model the financial exposure from a single enforcement action involving AI-processed regulated data. In healthcare, a HIPAA enforcement action involving PHI can range from $100K to $1.9M per violation category — compare that number to an annual governance program cost.

Deal value protection: Identify pipeline deals or contract renewals where AI governance attestation is a stated procurement requirement. Quantify what a single lost deal costs against the governance program investment. Enterprise and government buyers increasingly require this documentation.

Operational risk reduction: AI tools already deployed without governance create ongoing exposure — the longer governance is deferred, the larger the remediation cost when it becomes required. Altiri provides board presentation templates as part of all Operational and Enterprise engagements.

AI governance theater describes organizations that have policies, committees, and documentation on paper but have not operationalized governance into actual AI decision-making. A common pattern: publish an AI Ethics Policy, create a quarterly governance committee, check the box — while AI tools are still adopted without review, vendor contracts have no AI-specific data use provisions, and the governance committee has no enforcement authority.

Avoiding governance theater requires three things: (1) An AI system inventory that is actively maintained — not a one-time exercise, but a living registry updated when AI systems are added, changed, or removed. (2) Governance processes embedded in procurement — vendor AI review must happen before contracts are signed, not after. (3) Named accountability — specific individuals responsible for AI risk outcomes, not a committee with diffuse ownership. Altiri's engagements are designed to build operational governance programs, not policy libraries.

Cyber insurance carriers are increasingly scrutinizing AI use in underwriting. Organizations deploying AI in clinical, financial, or decision-making contexts face higher premiums, narrower coverage, or exclusions if they cannot demonstrate AI governance controls. Carriers want to see AI system inventories, vendor due diligence documentation, incident response procedures for AI failures, and evidence of ongoing model monitoring.

Beyond insurance, AI governance documentation is becoming relevant to D&O liability: directors who approved AI deployment programs without adequate governance oversight face increasing personal liability exposure as AI-related regulatory enforcement escalates. A formal AI governance program with documented board engagement creates a record of reasonable care that is materially relevant in litigation or regulatory defense — both for the organization and its leadership.

Defense contractors need to address two distinct AI governance obligations. First, AI governance layered onto CMMC: any AI system that could access, process, or transmit CUI requires specific controls — an AI system inventory that flags CUI exposure, policies prohibiting CUI from AI training data without explicit authorization, access controls for AI systems handling sensitive defense information, and audit trails for AI-assisted decisions involving controlled data.

Second, AI governance for contract compliance: DoD increasingly embeds AI governance requirements into prime contracts and subcontracts, including requirements to demonstrate AI bias testing, explainability for AI-assisted decisions, and human oversight for autonomous systems. Defense contractors bidding on AI-adjacent contracts without documented AI governance face disqualification or additional compliance scrutiny. Altiri's Defense AI Governance service specifically maps AI governance controls to CMMC Level 2 and Level 3 requirements.

The Sarbanes-Oxley Act requires public companies to maintain adequate internal controls over financial reporting (ICFR) and certify their effectiveness. AI systems involved in financial reporting — forecasting models, automated journal entries, revenue recognition tools, expense classification, or audit support — fall squarely within SOX's scope.

SOX auditors are increasingly asking companies to document AI controls as part of their ICFR assessment. This includes: model change management procedures (what triggers revalidation when an AI model is updated), evidence of output validation (human review processes before AI-generated figures enter reported financials), access controls to AI systems that influence reported data, and documentation of what the AI does and doesn't do in the reporting process. Altiri maps AI governance documentation to SOX control frameworks so governance evidence satisfies both regulatory and external audit requirements. Learn more about our financial services practice →

Digital health companies face a more complex regulatory environment than traditional healthcare organizations. FDA SaMD rules apply when AI is used in clinical decision support that qualifies as a Software as a Medical Device — potentially requiring change management controls, pre-submission meetings, and 510(k) clearance or PMA approval depending on the risk level of the clinical recommendation.

HIPAA applies to any AI processing PHI, including remote patient monitoring, wellness, population health, and revenue cycle tools. State privacy laws (California CMIA, New York health data protections) add additional consent and use requirements that vary by jurisdiction. FTC Act Section 5 has been applied to health data companies making deceptive AI or data use claims. For digital health companies seeking enterprise health system contracts or population health partnerships, demonstrating AI governance is increasingly a contract condition. Altiri works specifically with digital health companies to navigate this multi-regulator environment. See our healthcare governance practice →

Enterprise and government procurement teams increasingly include AI governance questions in vendor due diligence. Common questions include:

• Does your AI use our data to train its models? Under what conditions?
• What data residency and isolation controls exist for our data in your AI system?
• Has your AI been tested for bias in decisions affecting our user population?
• What is your process for notifying customers of AI model changes?
• Do you have an AI ethics or responsible AI policy, and what evidence of implementation exists?
• Is there a human review process for high-stakes AI outputs?
• What incident response procedures exist for AI failures or adverse outputs?

Organizations on the receiving end of these questions need AI governance documentation that answers them proactively. Organizations asking these questions need a vendor AI due diligence framework. Both are components of Altiri's engagement model — we build governance programs that satisfy both sides of the procurement relationship.

A foundational AI governance program — policy architecture, AI inventory, risk register, and initial audit documentation — typically takes 60–90 days to stand up. A full operational program with board reporting, vendor due diligence integration, and ongoing compliance monitoring takes 90–180 days.

Timeline depends on the size of the AI portfolio, existing compliance infrastructure, and organizational complexity. Altiri's onboarding begins with a 30-day discovery sprint that produces a current-state assessment and prioritized roadmap — so you know exactly where you stand before the program build-out begins.

Onboarding follows a four-phase process:

Phase 1 (Days 1–14) — Discovery: Stakeholder interviews, AI system inventory, existing policy review, and regulatory gap analysis. We map every AI system in use and identify the applicable regulatory obligations.

Phase 2 (Days 15–30) — Assessment: Risk scoring of identified AI systems, current-state maturity rating against the Strategic AI Alignment Framework, and a prioritized remediation roadmap.

Phase 3 (Days 31–60) — Build-out: Policy drafting, control implementation, vendor due diligence templates, and AltiriOS platform configuration for ongoing governance management.

Phase 4 (Day 61+) — Ongoing: Monthly governance reviews, quarterly board reporting, continuous compliance monitoring, and incident support.

Your organization needs AI governance now if any of the following are true:

• You are using AI tools that touch regulated data (PHI, PII, CUI, financial data)
• You have enterprise customers or government contracts that require compliance attestations
• Your AI vendors process your data for model training (check your SaaS agreements)
• You are planning AI deployments in the next 12 months
• Your board or auditors have asked about AI risk
• You are in a regulated industry and don't have a documented AI policy

If any of those apply, the question isn't whether you need a governance program — it's how fast you can stand one up. Altiri offers a free AI Readiness Assessment that produces a maturity score and gap analysis in under 10 minutes. It's the fastest way to understand where you actually stand.