Our Methodology

The Altiri AI GRC Framework —
From Assessment to Operationalized Governance

A structured methodology for organizations navigating AI adoption in regulated industries. Four phases, five maturity levels, and alignment to every framework regulators actually care about — including NIST CSF 2.0, which bridges cybersecurity controls with GRC program requirements.

Start Free AI Readiness Assessment Talk to a vCAIO →
87%
of organizations claim AI governance — only 25% have operationalized it
more likely to face regulatory action without a documented AI risk program
62%
of enterprise AI projects stall at governance — before they reach production
Why We Built This

The gap is methodology,
not intent

Most organizations want to govern AI responsibly. They adopt NIST AI RMF. They train on ISO 42001. They download Gartner reports. Then nothing changes.

"The organizations that succeed don't have better frameworks — they have a structured process for operationalizing them. That's the gap we solve."
— Altiri Framework Methodology v2.1
📋
For CISOs & Risk Officers
A defensible, auditable AI risk program aligned to the frameworks regulators and auditors already recognize — without rebuilding your GRC infrastructure from scratch.
🎯
For CDOs & AI Leaders
Governance that accelerates AI deployment rather than blocking it. A structured program that earns organizational trust — and keeps projects moving through approval faster.
⚖️
For Compliance Officers
Regulatory evidence that maps directly to your audit requirements — HIPAA, FINRA, CMMC, and state AI laws — without custom documentation for every framework.
Framework Overview

Four phases. One coherent program.

Most organizations treat AI governance as a compliance checkbox. Altiri's framework is designed to operationalize governance — embedding risk controls and oversight into how AI actually gets built and deployed.

01
Phase 1
AI Readiness Assessment
  • Current-state analysis across six governance domains
  • AI maturity scoring with domain-level radar chart
  • Complete AI system inventory and classification
  • Risk exposure mapping by system criticality
02
Phase 2
GRC Gap Analysis
  • Governance gaps mapped against NIST AI RMF & ISO 42001
  • Regulatory exposure assessment by jurisdiction
  • Compliance blind spots — HIPAA, CMMC, SOX, state AI laws
  • Prioritized remediation roadmap with ownership
03
Phase 3
Strategic AI Alignment
  • Custom 90-day governance roadmap
  • Framework selection and mapping (NIST / ISO / Gartner)
  • Policy infrastructure build — acceptable use, incident response
  • Board & executive alignment on AI risk posture
04
Phase 4
Operationalized Governance
  • Embedded vCAIO leadership & program ownership
  • Continuous monitoring & automated compliance checks
  • Quarterly governance reviews & control testing
  • Regulatory change management & board reporting cadence
Three Service Pillars

Where framework phases
become delivered services

Our four-phase methodology is executed through three practice areas. Each pillar has defined activities, deliverables, and regulatory framework references — so you know exactly what you're buying and what evidence it produces.

Pillar 01
🛡️
AI Governance & Risk Management
Build the governance infrastructure that regulators expect to see — policies, controls, risk registers, and oversight structures grounded in recognized standards.
Key Activities & Deliverables
  • AI system inventory and risk classification
  • AI acceptable use policy + incident response playbooks
  • Board-level risk register with documented owners
  • Governance committee charter and operating model
  • Quarterly control testing and board reporting
NIST AI RMF ISO 42001 Gartner AI TRiSM
Pillar 02
⚖️
Compliance Framework Alignment
Map your AI program to the specific regulatory frameworks your auditors care about — producing evidence-ready documentation without redundant work across frameworks.
Key Activities & Deliverables
  • Multi-framework gap analysis with remediation roadmap
  • NIST AI RMF core function documentation
  • ISO 42001 AIMS readiness assessment
  • Sector-specific compliance crosswalk (HIPAA / FINRA / CMMC)
  • Audit-ready evidence package
NIST CSF 2.0 ISO 27001 HIPAA CMMC
Pillar 03
🧠
vCAIO Strategic Leadership
Embedded fractional AI governance leadership that owns the program — not a consultant who delivers a report and disappears. Ongoing accountability for keeping AI governance operational.
Key Activities & Deliverables
  • Ongoing AI governance program ownership
  • Regulatory change management & horizon scanning
  • Executive and board communication on AI risk
  • Vendor AI risk assessment and procurement guidance
  • Monthly governance reviews + incident support
NIST AI RMF EU AI Act State AI Laws
AI Governance Maturity Model

Where does your organization stand?

Altiri's five-level maturity model gives organizations a common language for AI governance progress — and a clear picture of what "good" looks like at each stage.

1
Ad Hoc
No Formal AI Governance
AI adoption is reactive and uncoordinated. No policies, no risk framework, no inventory of AI systems. Compliance exposure is high and growing with each new deployment.
Governance Maturity
2
Foundational
Basic Policies & Awareness Training
AI acceptable use policies exist on paper. Leadership has AI literacy training. Risk assessments are informal or project-specific. No centralized oversight or model registry.
Governance Maturity
3
Structured
Framework-Aligned, Risk Registers Established
Organization has adopted a recognized framework (NIST AI RMF or ISO 42001). AI risk register exists with documented owners. Governance committee established. Most organizations that engage Altiri start here.
Governance Maturity
4
Managed
Continuous Monitoring, Automated Compliance Checks
Governance is operational, not ceremonial. Continuous monitoring of AI systems, automated drift detection, regular control testing, and integration with the organization's broader GRC tooling.
Governance Maturity
5
Optimized
AI Governance as Competitive Advantage
Governance enables faster, more confident AI adoption — not a bottleneck. Proactive regulatory engagement, measurable risk reduction tied to business outcomes, and AI governance as a differentiator in enterprise sales and procurement.
Governance Maturity
Not sure where you land? The free AI Readiness Assessment scores you across six governance domains and gives you a maturity level — in under 15 minutes.
Find out where you stand →
Assessment Integration

The free assessment is your
framework entry point

The AI Readiness Self-Assessment isn't just a score — it's your diagnostic tool for locating your organization on the maturity model and routing you to the right framework phase. Take it first, engage later with a clear roadmap.

Free AI Readiness Assessment
10 Questions. Six Governance Domains.
The assessment covers every dimension regulators examine — scoring your current state and identifying the highest-priority gaps before you spend a dollar on consulting.
AI Strategy & Leadership Accountability
Risk Management & Oversight Structures
Data Governance & Privacy Controls
Compliance Readiness & Regulatory Mapping
AI Security & Technical Controls
Transparency & Explainability Standards
Take the Free Assessment →
Your Score → Your Starting Point
Maturity Level Routes Framework Entry
Your score maps directly to a maturity level and a recommended framework entry phase — so you know exactly where to start and what to prioritize.
Level 1
Ad Hoc
Full assessment → emergency policy infrastructure + AI system inventory
Phase 1–2
Level 2
Foundational
Gap analysis against NIST AI RMF → structured governance roadmap
Phase 2–3
Level 3
Structured
Most Altiri clients start here → operationalize existing framework adoption
Phase 3–4
Level 4
Managed
vCAIO leadership → continuous improvement + board program optimization
Phase 4
Level 5
Optimized
Advisory only → competitive differentiation + regulatory engagement
Advisory
Framework Alignment

Built on the standards
regulators recognize

Altiri's methodology maps directly to the frameworks governing AI in regulated industries. Each phase of our engagement addresses specific requirements — so there's no translation work when you face an auditor.

NIST AI RMF
AI Risk Management Framework
The foundational U.S. standard for voluntary AI risk management. Our methodology maps directly to all four core functions — ensuring every governance deliverable has a clear NIST AI RMF home.
How our phases map
Govern
Phase 1–4: Governance structures, accountability, risk culture, and board-level oversight established across the engagement lifecycle
Map
Phase 1–2: AI system inventory, context documentation, risk categorization, and stakeholder impact mapping
Measure
Phase 2–3: Quantified risk analysis, bias evaluation, explainability gap assessment, and performance metrics
Manage
Phase 3–4: Control implementation, monitoring cadence, incident response integration, and continuous improvement
ISO 42001
AI Management System Standard
The first international standard for AI management systems. Designed for organizations that want certification-ready governance — or need to demonstrate AI management rigor to enterprise customers.
How our phases map
Context
Phase 1: Organizational context analysis, interested parties, AI system scope definition, and AI policy intent
Planning
Phase 2–3: Risk and opportunity assessment, AI objectives, operational planning, and control selection
Support
Phase 3: Competence frameworks, awareness programs, communication plans, and documentation controls
Improvement
Phase 4: Nonconformity management, corrective action, and management review for continuous improvement
Gartner AI TRiSM
AI Trust, Risk & Security Management
Gartner's AI TRiSM framework addresses the operational trust and security dimensions of deployed AI — particularly relevant for organizations with production AI systems facing adversarial or reliability risks.
How our phases map
Explainability
Phase 2: Model documentation, explainability requirements by risk tier, and stakeholder communication standards
ModelOps
Phase 3–4: Model lifecycle governance, performance monitoring, drift detection, and retraining controls
Data Anomaly
Phase 2: Data lineage documentation, training data governance, and anomaly detection requirements
Adversarial
Phase 3–4: Adversarial risk controls, prompt injection policies, and model security assessment procedures
NIST CSF 2.0
Cybersecurity Framework 2.0
NIST CSF 2.0 added Govern as a new core function — acknowledging that AI systems require the same organizational accountability as cybersecurity programs. Our methodology provides the crosswalk between CSF and AI-specific controls. GRC is the management layer that makes cybersecurity investments defensible. Read: GRC & Cybersecurity — NIST CSF for Regulated Industries →
How our phases map
Govern
Phase 1–4: AI governance policy, roles, risk management strategy, and supply chain risk management for AI
Identify
Phase 1: AI asset management, business environment analysis, and risk assessment for AI-enabled systems
Protect / Detect
Phase 3–4: AI access controls, anomaly detection, continuous monitoring, and security event identification
Respond / Recover
Phase 3–4: AI incident response playbooks, communications, and recovery planning for AI system failures
Regulatory Alignment Matrix

Framework component → regulation mapping

Every deliverable in our engagement traces to specific requirements across multiple regulatory frameworks. No orphaned artifacts. No re-documentation for auditors.

Framework Component NIST AI RMF ISO 42001 Healthcare Financial Defense
AI System Inventory
Phase 1 deliverable
 MAP 1.1MAP 1.5 Clause 4.3Clause 8.4 HIPAA §164.308 SR 11-7 §3.1 CMMC L2 CM.L2
AI Risk Register
Phase 1–2 deliverable
 GOVERN 1.2MAP 2.2 Clause 6.1Annex A.6.1 FDA SaMD Risk FINRA 17a-4 DoD RAI §4.2
AI Governance Policy
Phase 2–3 deliverable
 GOVERN 1.1GOVERN 2.2 Clause 5.2Clause 7.5 HIPAA §164.316 SOX §302/906 CMMC L2 PL.L2
Bias & Fairness Assessment
Phase 2 deliverable
 MEASURE 2.5MEASURE 2.6 Annex A.6.2Annex A.10.3 OCR AI Guidance ECOA Fairness DoD RAI §3.c
Model Documentation
Phase 2–3 deliverable
 MAP 5.1MEASURE 1.1 Clause 7.5Annex A.8.4 FDA 21 CFR §820 SR 11-7 §4 FedRAMP SSP
Continuous Monitoring Program
Phase 4 deliverable
 MANAGE 4.1MANAGE 4.2 Clause 9.1Clause 10.2 HIPAA §164.308(a)(8) SR 11-7 Ongoing FedRAMP ConMon
Incident Response Plan
Phase 3 deliverable
 MANAGE 3.2MANAGE 4.3 Annex A.9.5 HIPAA Breach 45 CFR §164.400 FINRA Rule 4370 CMMC IR.L2-3.6
Defense & DoD Contractor Compliance
NIST 800-171 · CMMC Level 2

14 control families. One
AI-augmented maturity model.

NIST SP 800-171 protects CUI in non-federal systems. CMMC Level 2 requires documented evidence of implementation. Altiri layers an AI governance overlay on top of the 14 families — adding LLM security, prompt injection controls, and AI supply chain accountability to every requirement your auditor expects to see.

CMMC Maturity Levels
NI — Not Implemented
PI — Partially Implemented
I — Implemented
O — Optimized
Click a family to set maturity
AC
Access Control
Control account access to AI systems, model endpoints, and training data repositories. Document privileged access for LLM-based tools and AI development environments.
AI: LLM endpoints, model APIs CSF: PR.AC NIST AI: GOVERN 3.1
AU
Audit & Accountability
Log AI system access, model inference events, and training pipeline changes. Correlate AI audit logs with security events — especially for models processing CUI.
AI: inference logging, training audit CSF: DE.AE NIST AI: MEASURE 1.3
CM
Configuration Management
Document AI model configurations, baseline models, approved model versions, and ML infrastructure settings. Track model drift thresholds and approved training datasets.
AI: model versioning, drift config CSF: PR.IP NIST AI: MAP 5.1
IA
Identification & Authentication
Authenticate AI service accounts, API keys for model endpoints, and human-in-the-loop approval workflows. Enforce MFA for access to AI model configuration interfaces.
AI: API auth, human-in-loop CSF: PR.AC SOC 2: CC6.1
IR
Incident Response
AI-specific incident response playbooks for model compromise, prompt injection attacks, training data breaches, and AI output failures affecting CUI processing.
AI: prompt injection, model compromise CSF: RS.RP NIST AI: MANAGE 3.2
MA
Maintenance
Control maintenance of AI infrastructure, ML model retraining environments, and AI development workstations. Verify integrity of patched or updated models before deployment.
CSF: PR.MA NIST AI: MAP 5.2
MP
Media Protection
Protect CUI in AI training datasets, model weights, fine-tuning data, and inference inputs/outputs. Classify AI training data as CUI where it originates from controlled environments.
AI: training data, model weights CSF: PR.DS EU AI: Annex I §1
PS
Personnel Security
Screen personnel with access to AI systems, model training environments, and CUI in AI contexts. Include AI-specific risk awareness in personnel security briefings for ML engineers and AI operators.
AI: ML engineer vetting CSF: PR.PS
PE
Physical Protection
Protect AI compute infrastructure, training data storage, and model endpoint hardware. Physical access controls for GPU clusters and AI development environments that process CUI.
CSF: PR.PE
RA
Risk Assessment
Assess AI system risk including model bias, output reliability, adversarial susceptibility, and CUI exposure through AI outputs. Include AI in your organizational risk assessment at the system level.
AI: bias, adversarial, CUI leakage CSF: ID.RA NIST AI: MAP 2.1
CA
Security Assessment
Assess AI control effectiveness, conduct AI-specific control testing, and document AI governance maturity. Include AI security controls in your CMMC assessment evidence package.
AI: control testing, AI evidence CSF: GV.OV NIST AI: GOVERN 5.1
SA
Situational Awareness
Monitor AI system threat landscape — including adversarial prompts, model extraction attempts, and emerging AI-specific vulnerabilities in your deployed models and ML infrastructure.
AI: threat monitoring, AI CVE CSF: DE.CM DoD RAI §5.1
SC
System & Communications Protection
Secure AI API boundaries, encrypt AI model inputs/outputs in transit, isolate AI processing environments, and enforce network segmentation for AI systems that handle CUI.
AI: API security, model endpoint TLS CSF: PR.DS NIST AI: PROTECT 2.1
SI
System & Information Integrity
Detect model drift, prompt injection attempts, and malicious AI inputs. Maintain AI system integrity through continuous monitoring, input validation, and model output anomaly detection.
AI: drift detection, injection defense CSF: DE.CM NIST AI: MEASURE 3.1
AI-Governance Overlay Altiri Extension
NIST 800-171 was written before generative AI. Every family that impacts AI has an overlay requirement — the AI-specific controls a C3PAO assessor will probe when evaluating your CMMC Level 2 submission in an AI context.
Model Inventory & CUI Scope
Document every AI system that processes, generates, or stores CUI. Include model purpose, data flows, and downstream consumers of AI outputs containing CUI.
Prompt Injection Controls
Input validation, output filtering, and adversarial prompt testing for LLM-based systems. Document your defense posture for indirect injection via third-party data.
AI Supply Chain Accountability
Vendor AI documentation — model cards, provenance, training data origin, and third-party model usage. DoD RAI §4 requirements for AI subcomponents in CUI systems.
LLM Access Logging
Audit trail for all LLM interactions including prompt inputs, retrieved context, and generated outputs — especially for systems processing CUI or providing decision-support.
Model Change Management
Formal change control for model updates, fine-tuning, and configuration changes. Document approval workflow for model version promotion to production CUI contexts.
AI Incident Response Playbook
Documented response procedures for AI-specific incidents: model hallucination causing CUI disclosure, adversarial manipulation, or training data breach. Include containment and forensics steps.
Multi-Framework Crosswalk
NIST 800-171 Family CMMC L2 Req. NIST AI RMF ISO 42001 SOC 2 EU AI Act
AC — Access Control
14 controls
 L2-Required GOVERN 3.1PROTECT 2.1 A.8.3 CC6.1CC6.6 Art. 11
AU — Audit & Accountability
14 controls
 L2-Required MEASURE 1.3GOVERN 4.1 A.9.4 CC7.2 Art. 12
CM — Configuration Mgmt
11 controls
 L2-Required MAP 5.1MANAGE 2.1 A.8.1 CC8.1 Art. 9
IA — Identification & Auth
6 controls
 L2-Required PROTECT 1.1 A.8.2 CC6.1 Art. 11
IR — Incident Response
9 controls
 L2-Required MANAGE 3.2 A.9.5 CC7.3 Art. 14
MP — Media Protection
9 controls
 L2-Required PROTECT 3.1MAP 3.1 A.7.2 CC6.7 Art. 9
RA — Risk Assessment
5 controls
 L2-Required MAP 2.1MAP 2.3 A.6.1 CC9.1 Art. 9
SC — Sys & Comm Protection
16 controls
 L2-Required PROTECT 2.1PROTECT 2.2 A.8.4 CC6.2CC6.6 Art. 11
SI — Sys & Info Integrity
8 controls
 L2-Required MEASURE 3.1MANAGE 1.2 A.9.2 CC7.1 Art. 10

Defense contractors submitting for CMMC Level 2 certification in 2026+ must demonstrate AI-specific control implementation. Altiri provides the evidence package, control documentation, and C3PAO-ready artifacts.

Defense Contractor AI → Take Readiness Assessment
Industry-Specific Considerations

Sector requirements don't fit
generic frameworks

Regulated industries carry AI compliance obligations that go beyond horizontal frameworks. Our methodology incorporates sector-specific requirements from day one.

🏥
Healthcare
HIPAA · Clinical AI · FDA SaMD · PHI Pipelines
HIPAA AI
PHI exposure in LLM-based clinical tools — BAA requirements, data minimization, and de-identification controls for AI training pipelines
Clinical AI
Diagnostic and treatment recommendation model validation — FDA Software as a Medical Device alignment and clinical performance monitoring
Patient Safety
Bias auditing for clinical decision support, population health algorithms, and AI-assisted triage — with documented safety thresholds
🏦
Financial Services
SR 11-7 · FINRA · SOX · Algorithmic Fairness
SR 11-7
Extending Model Risk Management to generative AI and LLM-based applications — validation standards, model inventories, and ongoing performance tracking
FINRA
Algorithmic trading governance, explainability requirements, and AI supervision obligations under current and emerging FINRA guidance
SOX / AI
AI controls for financial reporting automation — audit trail requirements, change management documentation, and compensating controls for AI-assisted decisions
🛡️
Defense & Government
CMMC · FedRAMP · DoD AI Ethics · RAI
CMMC
CMMC Level 2/3 AI controls for defense contractors — CUI protection in AI systems, access controls, and configuration management for ML infrastructure
FedRAMP+AI
AI-enabled cloud service authorization — continuous monitoring controls, AI component security documentation, and FedRAMP boundary definition for ML systems
DoD RAI
DoD Responsible AI principles and AI Ethics Framework implementation — traceability, reliability, governability, and bias controls for government contractor AI
Get Started

Start with a free
AI Readiness Assessment

Understand your current governance maturity, identify your highest-risk gaps, and get a prioritized action plan — no sales call required.

Take the Free Assessment → Talk to a vCAIO about your gaps