Chapter 1 — AI Risk Governance and Framework Integration
Overview
An essential part of managing artificial intelligence (AI) risk is understanding how the use of AI can be integrated into an enterprise’s existing governance and risk management program. Although AI solutions offer innovative technological advancements and can be disruptive, they should follow existing governance programs where possible. Enterprises may find it necessary to develop new policies and procedures, or augment existing ones, for AI, such as acceptable use policies, risk frameworks, and standard operating procedures. Effective AI risk governance aligns innovation with business objectives and organizational mission, ensuring that advances in technology support sustainable outcomes. AI also presents new areas of consideration, such as ethical and societal impacts and AI trustworthiness, that should be integrated into enterprise risk management and governance. This domain represents 37% (approximately 33 questions) of the exam.
Domain 1: Exam Content Outline
A: AI Models, Frameworks, Strategies, and Use Cases
B: AI Organizational Processes and Alignment
C: AI Ownership, Oversight, and Accountability
D: AI Policies, Procedures, and Organizational Training
E: AI Regulatory Compliance and Legal Considerations
F: AI Trustworthiness, Ethical, and Societal Implications
Learning Objectives/Task Statements
Evaluate risk related to AI models/solutions including design, suitability, algorithms, training, drift, and AI life cycle.
Facilitate the integration of AI risk management into an enterprise risk management framework and risk programs.
Develop and implement an AI risk management framework, including roles and accountability, AI risk policies and procedures, and acceptable risk tolerance levels.
Conduct risk assessments to identify and classify risks associated with AI.
Develop and recommend risk treatment strategies for identified AI risks.
Assess compliance with applicable AI-related regulations, laws, frameworks, standards, and guidelines.
Integrate AI risk considerations into existing governance programs.
Integrate AI risk considerations into existing risk register and control taxonomies.
Evaluate AI use cases based on the organization’s risk appetite.
Monitor and test organizational processes to identify AI risks.
Collaborate with stakeholders to develop and integrate AI risk concepts into enterprise-wide awareness training.
Capture AI risk considerations in enterprise risk metrics and reporting (e.g., board, management, operations).
Conduct and/or evaluate threat and vulnerability assessments on AI projects/programs.
Collaborate with stakeholders to integrate AI risk scenarios into the enterprise incident management program.
Continuously assess and monitor the risk landscape for emerging AI risk.
Evaluate controls to manage AI-related risk within the organization’s risk tolerance.
Advise on AI-related risk within contracts and service agreements, including data usage and intellectual property.
Evaluate AI risk as part of supply chain risk management.
Collaborate with stakeholders to address AI trustworthiness and impacts including ethics, bias, privacy, safety, and environmental, social, and governance (ESG) implications.
Leverage AI to support the risk management program (e.g., risk profile, reporting, evaluation, risk models, and analysis).
Incorporate AI-related risk considerations into incident response, BIAs, the BCP, and DRP.
Assess human oversight controls at critical decision points for risk and AI impact.
Suggested Resources for Further Study
Alvero, K.M.; Kouzehkanani, R.; "The Power of Accountability in AI Governance," ISACA Journal, vol. 3, 2025
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Applying the COSO Framework and Principles to Help Implement and Scale Artificial Intelligence, USA, 2021
Institute of Electrical and Electronics Engineers (IEEE), 7000-2021: IEEE Standard Model Process for Addressing Ethical Concerns during System Design, USA, 2021
ISACA, Artificial Intelligence: A Primer on Machine Learning, Deep Learning, and Neural Networks, USA, 2024
ISACA, Leveraging COBIT for Effective AI System Governance, 31 January 2025
ISACA, The Promise and Peril of the AI Revolution: Managing Risk, USA, 2023
International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 23894:2023 Information technology – Artificial intelligence – Guidance on risk management, Edition 1, 2023
ISO/IEC, ISO/IEC 23053 Framework for Artificial Intelligence Systems Using Machine Learning, Edition 1, 2022
ISO/IEC, ISO/IEC 42001 Information technology – Artificial intelligence – Management system, Edition 1, 2023