AI Governance

What is an AI Governance Framework?

An AI governance framework is a structured set of principles, policies, and controls that an organisation uses to manage the development, deployment, and operation of AI systems responsibly. It defines who is accountable, what standards apply, how risks are assessed, and how compliance is evidenced.

Why organisations need a governance framework

Every organisation using AI, whether it builds models or consumes AI features embedded in software, faces a common problem: it cannot evidence how that AI is governed. Investors ask about it during due diligence. Enterprise clients require it in procurement questionnaires. Regulators are beginning to mandate it. Without a framework, governance is ad hoc, inconsistent, and invisible.

A governance framework provides the structure that turns good intentions into demonstrable practice. It ensures that AI risk is assessed before deployment rather than discovered after failure. It creates clear accountability so that when something goes wrong, the organisation knows who is responsible and what process to follow. It produces documentation that satisfies the auditor, the board, the client, and the regulator.

Organisations that move early gain a practical advantage. They close investment rounds faster because governance is already evidenced. They win enterprise contracts because they can answer the AI governance questionnaire on day one. They face regulatory enforcement from a position of preparedness rather than remediation.

The Veridio AI Governance Framework (VAGF)

The Veridio AI Governance Framework organises AI governance into nine domains, each covering a distinct area of governance practice. Within those nine domains sit 58 principles, each representing a specific governance capability an organisation should be able to evidence.

The nine domains cover the full lifecycle: from knowing what AI systems exist (System Visibility and Classification), through establishing accountability structures (Governance and Accountability), assessing risk (Risk and Impact Assessment), ensuring transparency (Transparency and Explainability), governing models (Model Governance and Operational Controls), managing data (Data Governance and Management), maintaining human oversight (Human Oversight and Ethical Safeguards), monitoring operations (Monitoring, Incident and Lifecycle Management), and demonstrating assurance (Assurance, Audit and Validation).

Each principle is scored on a five-point maturity scale. The framework does not simply ask whether a control exists; it assesses how mature, embedded, and evidenced that control is. This produces a granular picture that distinguishes between an organisation that has written a policy and one that has implemented, tested, and continuously improved the practice that policy describes.

Three assessment tiers

The VAGF supports three tiers of assessment, each designed for a different stage of governance maturity. The Foundational tier covers 23 principles across all nine domains, providing the baseline governance posture every organisation needs. The Growth tier expands to 50 principles, adding depth in areas such as model validation, data lineage, and incident management. The Enterprise tier covers all 58 principles, including advanced controls for fairness assessment, continuous monitoring, and audit readiness.

This tiered approach means organisations can start with a manageable scope and expand as their governance matures. A seed-stage company deploying a single AI feature needs different governance depth from a regulated financial services firm operating dozens of AI models. The framework accommodates both without compromising rigour at either end.

Regulatory alignment

Every VAGF principle is mapped against the regulatory instruments that organisations most commonly need to comply with. These include the EU AI Act, ISO/IEC 42001, the NIST AI Risk Management Framework, the UK GDPR, and sector-specific requirements for financial services, healthcare, and public sector organisations.

This mapping means that when an organisation scores a principle, it simultaneously understands its compliance position against multiple regulatory frameworks. A single assessment produces alignment evidence across the EU AI Act risk management requirements (Article 9), the transparency obligations (Article 13), the human oversight requirements (Article 14), and the quality management system expectations (Article 17), alongside the ISO/IEC 42001 management system clauses and the UK GDPR data protection requirements.

For UK organisations, this regulatory mapping is particularly important. The EU AI Act applies extraterritorially: it covers providers placing AI systems on the EU market, and providers or deployers established outside the EU whose AI system's output is used within the EU, regardless of where the organisation is headquartered. Many UK companies discover that their AI governance obligations extend beyond UK domestic requirements.

Find out where you stand

Take the free quick check

Ten questions. Five minutes. An instant snapshot of your AI governance maturity, scored against the VAGF.