A 30-Day Plan for First-Time AI Governance Leads
You've just inherited the AI risk portfolio and don't know where to start.
Your CISO walked into your office last Tuesday, dropped a vague mandate about "owning AI risk," and left before you could ask what that means. You now have a title that didn't exist six months ago, a portfolio of systems you didn't build, and a regulatory timeline that doesn't care how new you are to the role.
The EU AI Act's high-risk obligations enforce in August 2026. NIST AI RMF is showing up in federal procurement language. ISO 42001 certification is on your board's radar. You have 30 days to go from "what do we even have?" to "here's the operating model."
Here's the week-by-week plan. Opinionated, practical, calibrated against the three frameworks you'll actually face.
Week 1: Discovery (Days 1-7)
One objective: know what exists. Not what should exist. What actually exists today in production.
Build the AI system inventory
This is the single most important deliverable of your first 30 days. You can't classify risk on systems you haven't inventoried. Ask every engineering lead, product owner, and data science manager three questions:
- What AI/ML models are deployed in production today?
- What third-party AI services do you consume (OpenAI, Azure AI, vendor-embedded)?
- What AI projects will reach production in the next 6 months?
Most organizations discover 2-4x more AI systems than leadership believes exist. Marketing uses an AI content tool nobody approved. Customer support deployed a chatbot through a vendor. The data team has models running on cron jobs that predate your tenure.
Also assess what governance artifacts already exist: AI acceptable use policy (usually yes, usually insufficient), AI systems in the risk register (usually no), legal review of AI vendor data processing terms (sometimes).
Week 1 output
A spreadsheet with: System Name, Owner, Deployment Status, Data Types Processed, User-Facing (Y/N), Decision Impact (Advisory/Deterministic), Third-Party (Y/N).
Meetings worth taking vs. skipping
| Take | Skip |
|---|---|
| CISO 1:1 (clarify scope, budget, authority) | Vendor demos (you don't know requirements yet) |
| ML platform owner (get the real inventory) | Committee formation (committees without data produce PDFs) |
| Privacy/Legal lead (understand existing data governance) | Board presentation prep (you have nothing to present with 5 days of context) |
| Procurement (find shadow AI in vendor contracts) | |
Week 2: Framework Selection (Days 8-14)
You have an inventory. Now decide which framework(s) govern your program.
The framework decision matrix
| Framework | Triggers | Structure | Control Count |
|---|---|---|---|
| EU AI Act | Sell into EU, process EU data, deploy AI accessible from EU | Risk-tier (Unacceptable/High/Limited/Minimal) | ~85 for high-risk |
| NIST AI RMF | Sell to US federal, reference NIST elsewhere | Four functions: Govern, Map, Measure, Manage | ~72 subcategories |
| ISO 42001 | Board wants certification, customers ask, already run ISO 27001 | Annex SL (Plan-Do-Check-Act) | ~38 clauses + annex |
Why you don't choose just one
These three frameworks overlap significantly. SCF maps 114 AAT (AI & Autonomous Technologies) controls that span all three. A control like "AI system risk classification methodology" satisfies EU AI Act Article 6, NIST AI RMF MAP-1.1, and ISO 42001 Clause 6.1.2 simultaneously.
You build one control set calibrated against the SCF AAT domain and track which requirements each control satisfies. When the EU AI Act auditor arrives, show the EU view. When the ISO assessor comes, show the ISO view. Same controls, different projection. We covered this in AI Governance Beyond the Policy PDF.
Week 2 output
A one-page framework decision: which are mandatory (regulatory), which are voluntary (customer-driven), and a preliminary mapping of the 15-20 controls overlapping all three.
Week 3: Risk Classification (Days 15-21)
Inventory plus framework. Now classify risk.
Risk tiering methodology
| Tier | EU AI Act Equivalent | Definition | Governance Intensity |
|---|---|---|---|
| Tier 1: Prohibited | Unacceptable | Manipulates, exploits vulnerabilities, mass surveillance | Full stop. Legal review. |
| Tier 2: High-Risk | High Risk (Art. 6 / Annex III) | Makes or influences decisions about people | Full controls. Continuous monitoring. Human oversight. |
| Tier 3: Limited | Limited Risk | Interacts with people, no high-stakes decisions | Transparency controls. Periodic review. |
| Tier 4: Minimal | Minimal Risk | Non-personal data, no direct human impact | Inventory only. Annual review. |
For each system in your inventory, ask four questions; the highest-severity answer sets the tier:
- Does it process personal data? (Minimum Tier 3.)
- Does it make or influence decisions about individuals? (Tier 2.)
- Could a wrong output cause financial, legal, or physical harm? (Tier 2.)
- Does it fall into an Annex III category? (Tier 2.)
Most organizations discover 2-5 Tier 2 systems they weren't tracking: the hiring screening tool, the credit scoring model, the insurance risk calculator embedded in a vendor platform.
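The tiering questions above, run over the Week 1 inventory schema, as an added example that is not code from this post or from Kyudo. The spreadsheet columns are the Week 1 ones; the boolean answers to the four Week 3 questions and the Tier 1 flag from the table are assumed extra columns the governance lead fills in per system, and the inventory rows are constructed.

```python
"""Week 3 risk tiering over the Week 1 inventory (added example, not Kyudo code)."""
from dataclasses import dataclass

PERSONAL_DATA = {"pii", "hr", "financial", "health"}  # constructed data-type vocabulary

GOVERNANCE = {  # "Governance Intensity" column of the tiering table
    1: "Full stop. Legal review.",
    2: "Full controls. Continuous monitoring. Human oversight.",
    3: "Transparency controls. Periodic review.",
    4: "Inventory only. Annual review.",
}


@dataclass
class AISystem:
    name: str
    owner: str
    data_types: frozenset         # Week 1 "Data Types Processed"
    user_facing: bool             # Week 1 "User-Facing (Y/N)"
    third_party: bool             # Week 1 "Third-Party (Y/N)"
    decides_about_people: bool = False  # assumed column: makes/influences decisions about individuals
    harm_if_wrong: bool = False         # assumed column: financial, legal or physical harm
    annex_iii: bool = False             # assumed column: falls in an Annex III category
    prohibited_practice: bool = False   # assumed column: manipulation, exploitation, mass surveillance


def classify(s: AISystem) -> int:
    """Apply the Week 3 questions, most severe tier first."""
    if s.prohibited_practice:
        return 1
    if s.decides_about_people or s.harm_if_wrong or s.annex_iii:
        return 2
    if s.user_facing or (s.data_types & PERSONAL_DATA):
        return 3  # minimum tier once personal data or people are involved
    return 4


def tier2_memo(inventory: list) -> list:
    """Week 3 output: each Tier 2 system, its owner, and the intensity it now requires."""
    return [(s.name, s.owner, GOVERNANCE[2]) for s in inventory if classify(s) == 2]


# Constructed inventory mirroring the post's "Tier 2 surprises".
INVENTORY = [
    AISystem("resume-screener", "HR", frozenset({"hr", "pii"}), False, True,
             decides_about_people=True, annex_iii=True),
    AISystem("support-chatbot", "Support", frozenset({"pii"}), True, True),
    AISystem("log-anomaly-model", "SecOps", frozenset({"telemetry"}), False, False),
    AISystem("vendor-risk-calculator", "Insurance", frozenset({"financial"}), False, True,
             harm_if_wrong=True),
]
```

Calling `tier2_memo(INVENTORY)` yields the backlog rows for the two Tier 2 systems; the chatbot lands in Tier 3 and the telemetry-only model in Tier 4.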
Week 3 output
Inventory with risk tiers assigned. A memo identifying all Tier 2 systems and their current control gaps. This memo is your work backlog for the next 60 days.
Week 4: Operating Model (Days 22-30)
You know what you have, what governs it, and which systems are high-risk. Build the model that sustains governance beyond month one.
Assign control owners per Tier 2 system
Five roles per system: Risk assessment owner (product/system owner), Technical controls owner (engineering lead), Data governance owner (privacy/data team), Human oversight owner (business process owner), Evidence owner (your team).
Establish evidence cadence
| Evidence Type | Cadence | Source |
|---|---|---|
| Model performance metrics (accuracy, drift) | Weekly automated | ML platform monitoring |
| Access control verification | Monthly automated | Entra ID |
| Bias/fairness assessments | Quarterly manual | Data science team |
| Risk assessment updates | Quarterly or on change | Product owner |
| Human oversight effectiveness | Semi-annual | Business process owner |
| Full AI system audit | Annual | Internal/external audit |
Set up monitoring before reporting
Common mistake: building a dashboard before data flows into it. Get one Tier 2 system producing automated evidence (model metrics via API, access logs via Entra, deployment records via CI/CD) before you build the governance dashboard.
Week 4 output
Operating model document: control ownership matrix, evidence cadence table, escalation paths, and a 90-day roadmap for expanding from one Tier 2 system to all Tier 2 systems.
How Kyudo supports this timeline
You can execute this plan with spreadsheets. The friction comes in Week 4 when you need the operating model to operate.
Kyudo's Risk Registry provides the structured home for your AI inventory and risk classifications. Each system links to its tier, assigned controls, and evidence pipeline. New systems inherit the control template for their tier.
The Controls Hub stores AI governance controls with pre-built mappings to EU AI Act articles, NIST AI RMF subcategories, and ISO 42001 clauses via the STRM Engine's SCF AAT domain. One control set, mapped across all three.
For evidence collection, integrations pull automated signals from ML platform monitoring, Entra ID, and Azure deployment pipelines. Manual evidence (quarterly bias assessments, risk updates) follows structured workflows with freshness scoring. Stale evidence ages out automatically.
The AI governance solution provides framework-specific views without requiring framework-specific control libraries.
The counter-argument: "30 days is too fast"
Traditional AI governance programs take 6-12 months. But "stood up" in those timelines usually means a policy document, a committee charter, and a framework selection. The actual inventory often isn't complete until month 4.
This plan produces inventory (Week 1), framework decision (Week 2), risk classification (Week 3), and operating model (Week 4). It's faster because it skips the deliberation phase. You don't need consensus on framework selection before inventorying systems. You don't need committee approval before classifying risk. The inventory and classification inform deliberation rather than waiting for it.
The risk of going slower: the EU AI Act enforcement date doesn't move. Every month in deliberation is a month not implementing controls on Tier 2 systems.
Your 30-day checklist
- Week 1: Complete AI system inventory. Every production system, every third-party service, every in-development model. Verify with engineering, not just project lists.
- Week 2: Select and map frameworks. EU AI Act, NIST AI RMF, ISO 42001, or a combination. Document the 15-20 overlapping controls.
- Week 3: Classify risk. Assign tiers. Identify Tier 2. Document control gaps.
- Week 4: Assign owners, set cadence. Five control owners per Tier 2 system. Every evidence type has a frequency. One system producing automated evidence before month-end.
- Day 31+: Expand. Scale to all Tier 2 systems over 60 days. Add Tier 3 in quarter two.
The role is new. The problem isn't. AI governance is risk governance applied to a specific technology category. The playbook is the same. The pace is different.
Kyudo maps 114 AI governance controls across EU AI Act, NIST AI RMF, and ISO 42001 in a single control registry. One inventory. One classification. Every framework.
Download the framework map to see how SCF AAT controls span all three AI governance frameworks.
