AI Governance & Risk
Accountable AI programmes built on NIST AI RMF, ISO 42001, and EU AI Act requirements.
What You Gain
- A complete AI use case inventory with risk classifications under NIST AI RMF and EU AI Act tiers.
- A gap assessment report mapping your current state to NIST AI RMF functions, with a prioritised remediation roadmap.
- Documented responsible-AI audit findings covering bias, explainability, and drift for assessed models.
- A governance policy suite your team can operate with existing staff — no dedicated AI ethics team required.
- A defensible evidence pack for responding to enterprise due diligence questionnaires, insurance underwriting reviews, and regulatory inquiries.
What We Deliver
- AI Use Case Registry (template + populated for your environment)
- NIST AI RMF Gap Assessment Report
- EU AI Act Applicability and Obligations Memo
- Responsible AI Audit Report (bias, explainability, drift — per system assessed)
- AI Governance Policy Suite (acceptable use, oversight, incident response, model lifecycle)
- ISO 42001 Readiness Scorecard (if in scope)
- Staff training deck for AI oversight roles
This Service Is Right for You If…
Frequently Asked Questions
What is NIST AI RMF and do we actually need to follow it?
The NIST AI Risk Management Framework is voluntary US federal guidance, but it has become the dominant governance reference for enterprise AI in North America. Canadian banks, insurers, and large enterprise buyers are incorporating AI RMF alignment into supplier questionnaires. You do not need to certify against it, but demonstrating alignment is a practical procurement requirement for mid-market and enterprise sales.
Does the EU AI Act apply to Canadian businesses?
It can. If your AI system produces outputs used in the EU — by customers, partners, or your own EU-based employees — you may be classified as a provider or deployer under the Act's extraterritorial provisions. High-risk use cases (recruitment AI, credit scoring, biometric identification) face the strictest obligations.
What is the difference between AI governance and AI security?
AI security focuses on adversarial threats from external actors. AI governance focuses on systemic risk — ensuring your AI systems behave as intended, treat people fairly, and can be explained and audited. Both are necessary. A system can be secure against external attacks and still produce discriminatory outputs or make decisions no one can explain.
How long does it take to build an AI governance programme from scratch?
For a company with five to fifteen AI use cases and an existing ISO 27001 or SOC 2 programme, a foundational governance programme takes six to ten weeks to design and document. Implementation takes a further two to four months. Mitiksha delivers the design and documentation; your team owns ongoing operation with our support.
Our AI systems are all from major vendors (Microsoft, Salesforce, SAP). Do we still need governance?
Yes. Vendor AI tools still require you to assess risk classification, document oversight controls, and take responsibility for decisions made using their outputs. The EU AI Act explicitly creates obligations for deployers of third-party AI systems. Governance of vendor AI is often simpler than governing custom-built models, but it is not optional.
What is model drift and why does it matter?
Model drift occurs when a model's performance degrades because the real-world data it encounters no longer matches its training data. For a credit scoring model, drift might mean approvals that looked safe in 2023 are now systematically wrong. Drift goes undetected without monitoring. Mitiksha assesses whether production models have drift detection controls and establishes triggers for re-evaluation.
Last reviewed April 2026
Ready to Get Started?
Let's discuss how AI Governance & Risk can help your business.