NIVAI-AGF

Governs where AI-processed data resides and which jurisdictions it crosses. Ensures data sovereignty obligations are met before AI tools are authorised for use. Covers data residency, cross-border transfer controls, vendor data sovereignty, and continuous monitoring.

Detects and prevents sensitive organisational data from being submitted to AI tools without authorisation. Covers shadow AI detection, prompt content standards, and per-department AI governance for engineering, finance, HR, legal, and sales teams.

Ensures personal and sensitive data processed by AI tools meets privacy obligations under GDPR, POPIA, and equivalent frameworks. Covers data minimisation, consent chains, ungoverned AI privacy risk, and AI provider privacy assessment.

Governs who in the organisation can access which AI tools and under what conditions. Covers SSO enforcement, role-based access, MFA requirements, access review cycles, and AI tool deprovisioning.

Addresses security controls specific to AI tool usage: prompt injection risks, model poisoning vectors, API key management, and AI session security. Complements existing information security controls.

Ensures AI tools and services used in operations meet reliability and availability standards. Covers SLA documentation, failover mechanisms, fallback procedures, and business continuity for AI-dependent processes.

Governs the selection, deployment, monitoring, and retirement of AI models used in the organisation. Covers model risk assessment, performance monitoring, bias evaluation, and version control.

Ensures data in transit to and from AI providers is encrypted to required standards. Covers TLS enforcement, API communication security, prompt and output data protection, and encryption key management for AI-processed data.

Governs the human dimension of AI governance: employee training, acceptable use acknowledgement, background screening for AI-elevated roles, ethics policy, and concern reporting mechanisms.

Ensures AI tool expenditure is governed, approved, and tracked. Covers procurement controls, contract review, financial data controls for AI-processed financial data, and audit trails for financial AI use.

Governs the use of AI tools in software development workflows. Covers AI code review requirements, CI/CD gate controls, development data governance, model testing, and dependency management.

Addresses operational governance of AI tool usage: monitoring, change control, capacity management, operational runbooks, and audit logging for AI-dependent workflows.

The foundation domain. Covers board-level AI oversight, governance policy, accountability structures, ethics framework, regulatory compliance, AIMS context and scope documentation, decision oversight, and AI transparency disclosure.

Governs the identification, assessment, treatment, and monitoring of AI-specific risks. Covers a comprehensive risk management framework including the live risk register, risk tolerance statement, third-party concentration risk, and treatment plans.

Ensures AI governance is subject to regular internal and external audit. Covers audit programme design, evidence collection requirements, findings management, continuous compliance monitoring, and auditor spot-check capability.

Governs the use of AI tools in customer-facing sales and marketing activities. Covers AI disclosure obligations, CRM data governance in AI tools, proposal accuracy review, and AI sales analytics governance.

Governs the organisation's response to AI-related incidents. Covers the incident response plan for AI sovereignty and leakage events, incident documentation and root cause analysis, and periodic control testing including red team exercises.

Governs AI systems that act on behalf of users via delegated credentials or autonomous execution. Covers cross-session credential isolation, autonomous action authorisation, AI agent credential purge on offboarding, cross-user context isolation, AI action attribution, and shared orchestrator credential architecture.