Threatstealth

AI Governance & AI Security Frameworks Reference

Reference of 30 AI governance, ethics and security frameworks — NIST AI RMF, EU AI Act, ISO 42001, MITRE ATLAS, OWASP LLM Top 10, and more.

Reference of 30 AI governance, ethics, and security frameworks — covering regulatory requirements like the EU AI Act, technical standards like NIST AI RMF and ISO 42001, and adversarial threat frameworks like MITRE ATLAS and OWASP LLM Top 10.

EU AI Act: Risk-Based AI Regulation and Compliance Requirements

The EU Artificial Intelligence Act, in force since August 2024 with obligations phased in through 2027, is the world's first comprehensive AI regulation — applying a risk-based classification system in which the compliance obligations for each AI system depend on its intended use and its potential for harm. Prohibited AI practices (unacceptable risk) have been banned since February 2025, including social scoring, real-time biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), and manipulation of vulnerable groups. High-risk AI systems (employment decisions, credit scoring, biometric verification, critical infrastructure management) require conformity assessments, human oversight, accuracy documentation, and registration in an EU database before they can be placed on the market.

NIST AI RMF 1.0: The Voluntary US AI Risk Management Standard

The NIST AI Risk Management Framework version 1.0, published in January 2023, provides a voluntary, flexible framework for managing AI risks — structured around four core functions: Govern, Map, Measure, and Manage. The Govern function establishes organisational policies, culture, and accountability for AI risk. Map identifies the context, risks, and potential impacts of specific AI systems. Measure quantifies AI risks through metrics, testing, and evaluation. Manage implements controls, monitors performance, and responds to AI-related incidents. The framework is designed to complement rather than replace existing AI regulations and is being widely adopted by US federal agencies and private sector organisations as a baseline for responsible AI deployment.

MITRE ATLAS: Adversarial Threat Landscape for AI Systems

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the AI-focused analogue of MITRE ATT&CK — a curated knowledge base of real-world adversarial attacks against machine learning systems. ATLAS documents attack techniques observed in actual AI system compromises, including reconnaissance techniques for model discovery, evasion attacks (adversarial examples that fool models), poisoning attacks (corrupting training data to manipulate model behaviour), extraction attacks (stealing model weights or functionality), and functional attacks (manipulating model outputs to achieve attacker goals). Security teams use ATLAS to evaluate their AI systems' resilience against these techniques and to design detection rules for AI-specific attack patterns.

ISO 42001 and Organisational AI Management Systems

ISO/IEC 42001:2023, published in December 2023, is the first international standard specifying requirements for an Artificial Intelligence Management System (AIMS) — providing organisations with a framework for responsible AI development and deployment analogous to what ISO 27001 provides for information security. ISO 42001 covers AI policy, risk assessment specific to AI systems, impact assessment, operational controls for AI development pipelines, and performance evaluation. Organisations seeking to demonstrate third-party-verified AI governance can pursue ISO 42001 certification — and several EU AI Act high-risk compliance pathways are expected to reference ISO 42001 as a harmonised standard. Certification is available through accredited certification bodies.