Modular AI governance with three certifiable / regulatory shapes shipped: ISO/IEC 42001:2023 (full Annex A), EU AI Act (Reg. 2024/1689 Articles 5–56), NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE). Stack them. Pick what your buyers ask for. Bring your own AI key. EU-resident hosting.
No promises — verified live in production. Same depth as the ISO 27001 brick: 5-level maturity rubrics, evidence templates, gap detection, coaching tips. Pick the brick(s) your buyer or regulator asks for.
The certifiable AI Management System standard. Full Annex A coverage across nine themes (A.2–A.10) consolidated into 4 milestones: Foundations & Governance (9), Impact Assessment (4), AI System Lifecycle (14), Stakeholders/Use/Suppliers (10). Auditor-ready evidence templates per control.
The operator-obligation surface for providers and deployers. Articles 5–7 (prohibited practices + high-risk classification), 8–15 (high-risk requirements: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy/robustness/cybersecurity), 16–22 (provider obligations + QMS), 26/27/49/50/51–56 (deployer obligations, FRIA, EU database registration, transparency for chatbots/deepfakes, GPAI obligations).
The voluntary risk-management framework. 33 high-leverage subcategories across the four functions GOVERN (10) / MAP (8) / MEASURE (7) / MANAGE (8). Process-oriented rather than control-oriented — pairs with ISO 42001 and the EU AI Act for organisations that need to track multiple AI governance shapes simultaneously.
The AI system inventory is the entry point for every brick — ISO 42001 A.4.2, EU AI Act Article 8 compliance matrix, NIST AI RMF GV-1.6. Register once with data, tooling, compute, human resources; reuse for every framework you adopt.
The same Bring-Your-Own-Key model the rest of BrickGRC uses applies to AI governance work. Impact-assessment narratives, control maturity scoring, and gap detection run on OpenAI, Anthropic, Azure OpenAI, or your own local model — your provider, your billing, your audit trail.
Already running ISO 27001? SOC 2? GDPR? Evidence collected for those bricks counts toward overlapping AI governance controls automatically (security, supplier governance, incident management, training, data governance). The platform reuses what you've already done — no duplicate work across frameworks.
ISO/IEC 42001:2023 is the international standard for AI Management Systems (AIMS) — published December 2023. It's the first certifiable management-system standard specifically for organizations that develop, provide, or use AI. It follows the same Annex SL structure as ISO 27001 — main clauses 4 through 10 plus Annex A controls — which means if you have an ISMS already, the AIMS is a familiar shape, not a parallel universe.
The standard's relevance is sharpening fast for three reasons.
BrickGRC was built modularly precisely so frameworks can stack. There are now three AI governance bricks shipped — pick whichever your buyer or regulator needs, or stack them. The ISO 42001 brick is the certifiable management-system standard; the EU AI Act brick is the regulatory operator-obligation walk-through; the NIST AI RMF brick is the voluntary process-oriented framework. Many organisations need at least two: ISO 42001 for the certificate, EU AI Act for the regulator. Many add NIST AI RMF as the day-to-day process layer.
Across the three bricks, BrickGRC tracks 94 controls / subcategories / Articles with audit-ready evidence templates, 5-level maturity rubrics, coaching tips, and gap detection. The AI system inventory is shared — register once, reference from every brick. Evidence collected for ISO 27001 / SOC 2 / GDPR bricks rolls into AI governance automatically where the controls overlap (security, supplier governance, incident management, data governance).
Yes. The ISO 42001 brick covers all 37 Annex A controls across the nine themes (A.2–A.10). Each control has guided implementation tasks, evidence templates, 5-level maturity scoring, coaching tips, and gap detection — same depth as the ISO 27001 brick.
Yes, in two ways. First, EU AI Act high-risk obligations map closely onto ISO 42001 Annex A — risk management (A.5), data governance (A.7), technical documentation (A.6.2.7), record-keeping (A.6.2.8), human oversight (A.6.1.3), and post-market monitoring (A.6.2.6). Second, a dedicated EU AI Act brick is now shipped — covering Articles 5–7 (prohibited practices, classification), 8–15 (high-risk requirements), 16–22 (provider obligations + QMS), and 26/27/49/50/51–56 (deployer obligations, FRIA, EU database, transparency, GPAI). 24 controls total. Use it standalone or alongside ISO 42001 — most organisations stack both.
Yes — the AI system inventory is Annex A.4.2 of the ISO 42001 brick. Each AI system is registered with its data resources (A.4.3), tooling (A.4.4), compute (A.4.5), and human resources (A.4.6). The inventory is structured, queryable, and the entry point for impact assessments and supplier governance.
Yes. On Professional and Enterprise plans, BYO LLM keys are supported for OpenAI, Anthropic, Azure OpenAI, and local models. AI processing on your evidence runs against the keys you provide — your provider relationship, your billing, your audit trail. Per-tenant isolation by default; EU-resident hosting (Frankfurt).
Not strictly. ISO 42001 is its own management-system standard. But many controls overlap (information security, supplier governance, incident management, training), and most teams find pursuing both in parallel — or extending an existing ISMS — efficient. BrickGRC lets you stack the bricks; the platform tracks shared evidence so you don't duplicate work. See our ISO 27001 page for the companion brick.
No. The brick is a community-created framework inspired by ISO/IEC 42001:2023 to drive your implementation work. Formal certification readiness still requires a certified ISO 42001 Lead Auditor. The brick gets you to the audit conversation faster and with better evidence; the auditor takes you the rest of the way.
Pick the ISO 42001 brick, register your AI systems, run the first impact assessment, and let the AI Coach handle the evidence wrangling. AIMS-ready in weeks, not months.