Govern
NIST AI RMF 1.0 · GOVERN function
Establish AI governance structure: policies, roles, accountability.
What this function means
GOVERN is the foundational function — it defines who is accountable, what policies bind AI development and deployment, how risk tolerance is expressed, and how legal/regulatory obligations flow through the organisation.
How TrustAtlas dimensions support it
Regulatory compliance and jurisdiction are the direct measures of legal/regulatory governance posture; transparency covers public disclosure of governance practices; business stability captures whether the vendor has the organisational continuity to honour governance commitments.
See methodology for how each dimension is scored across the catalog.
Example NIST categories under Govern
- GOVERN 1: Policies, procedures, and practices in place
- GOVERN 2: Accountability structure with senior leadership
- GOVERN 6: Diverse perspectives integrated into AI risk decisions
Drawn from NIST AI RMF 1.0; the catalog evidence below maps onto these categories at the vendor-evaluation layer.
Questions to ask vendors
Use as part of your procurement diligence or as a structured profile-review aid alongside the vendor's TrustAtlas page.
- Who owns AI risk at your company (CISO, Chief AI Officer, General Counsel)? Provide a current accountability mapping.
- Do you have a published AI policy or acceptable-use document, and how often is it reviewed and reapproved?
- Which AI-specific regulations do you currently track and align to (EU AI Act, NYC Local Law 144, Colorado AI Act, US Executive Order on AI, etc.)?
- Will you sign DPAs and AI-specific contractual addenda that legally bind you to your stated governance practices?
Related
- Back to the full NIST AI RMF cross-walk
- OWASP LLM Top 10 cross-walk — the application-security companion framework
- Vendors that claim NIST AI RMF alignment
- TrustAtlas methodology — how the 8 risk dimensions are scored