Kyūdō
AI Governance
EU AI Act · ISO 42001 · NIST AI RMF — operational

Govern the AI you deploy. With the platform that runs inside your tenant.

Kyūdō unifies EU AI Act, ISO 42001, and NIST AI RMF into a single Compliance Graph — 156 AI governance controls, governed by the same system that governs the rest of your stack. Inside your Azure tenant. With no second AI vendor to audit.

○ 156 AI controls · 3 frameworks · 1 graph
○ Runs inside your Azure tenant
○ Article 99 deadline: 2 Aug 2026
AI Inventory · live · in-tenant · discovered by KG · 6 systems

System | Platform | Risk tier | Posture
Microsoft 365 Copilot | M365 · tenant-wide | LIMITED | 96%
Azure OpenAI · CustomerSvc | Azure · prod-eastus | HIGH-RISK | 88%
GitHub Copilot Enterprise | GitHub · org | LIMITED | 94%
Internal classifier · Claims | Self-hosted · in-tenant | HIGH-RISK | 72%
Vendor LLM · LegalDraft | Vendor · API | HIGH-RISK | 64%
Embeddings · Search | Azure · multi-region | MINIMAL | 99%

Annex III · Article 6 · ISO 42001 §6.1.4 · posture: 86% · trending ↑
The architecture problem

The AI you're governing runs in your tenant. The AI governance platform should too.

Microsoft 365 Copilot runs inside your tenant. Azure OpenAI runs inside your tenant. Your custom models run inside your tenant. The regulatory perimeter being audited under EU AI Act, ISO 42001, and NIST AI RMF is the perimeter Microsoft already secures for you.

Then most AI governance platforms ask you to send the evidence — prompts, outputs, model cards, risk assessments, incident logs — out of that perimeter to a multi-tenant SaaS. The artifact intended to prove sovereignty becomes the thing that breaks it.

Kyūdō runs the AI governance system inside the same Azure tenant as the AI it governs. Same identity plane. Same data residency. Same auditable boundary. No second vendor in the chain of custody.

Architecture · before vs. with Kyūdō

Most AI governance platforms:
Customer Azure tenant → AI systems (M365 Copilot · Azure OpenAI · GitHub Copilot · custom models)
Governance · vendor cloud → evidence ✕ · prompts ✕ · model cards leave tenant
Chain of custody breaks at the tenant boundary.

Kyūdō:
Customer Azure tenant → AI systems (M365 Copilot · Azure OpenAI · GitHub Copilot · custom models)
Kyūdō · in-tenant → evidence ✓ · prompts ✓ · model cards stay in tenant
Chain of custody preserved end to end.
Why Kyūdō for AI governance

AI governance is a system property. Not a binder, not a workflow, not a chatbot.

For organizations whose AI use is in scope of EU AI Act, ISO 42001, or NIST AI RMF, four properties have to be true at the architecture layer. Without all four, AI governance becomes another binder for the auditor to disprove.

Architecture properties · all four required
I. Inside-tenant · Azure native
II. Frameworks unified · 3 → 156
III. Compliance Graph · typed + cited
IV. Operational · continuous

I. Inside-tenant deployment

Kyūdō runs inside your Azure tenant. The data plane, the AI that reasons over your governance, and the audit trail share the same identity, residency, and policy boundary as the AI you are governing.

II. Three frameworks, one control set

EU AI Act, ISO 42001, and NIST AI RMF mapped to a single set of 156 AI governance controls. Coverage is computed, not narrated. Map once, prove three times.

III. Compliance Graph reasoning

AI systems, models, datasets, prompts, outputs, risk assessments, controls, and evidence are typed entities in one graph. AI-readiness questions resolve to graph queries — every answer cited, every output traceable.

IV. Operational, not advisory

Kyūdō does not produce a one-time AI governance binder. Controls run continuously against live tenant signals; evidence updates as your AI portfolio changes; framework coverage is current to the day, not the audit.

Three frameworks. One capability.

EU AI Act, ISO 42001, NIST AI RMF — mapped, deduplicated, and operationalized in one control set.

Most organizations approach the three as three programs — three risk registers, three sets of evidence, three sets of binders. Kyūdō collapses them into one Compliance Graph mapping: 156 AI governance controls, expressed against the same evidence, with per-framework views generated on demand.

Framework: EU AI Act
Scope: Reg. (EU) 2024/1689 · Annex III · Articles 6, 9, 10, 11, 13, 14, 15 · 47 controls
What Kyūdō covers: Risk classification, AI system inventory, data governance, technical documentation, transparency, human oversight, accuracy, robustness, cybersecurity, post-market monitoring, incident reporting, conformity assessment.
What Kyūdō produces: AI inventory · Annex IV tech file · Conformity declaration · Incident log

Framework: ISO 42001:2023
Scope: AI management system · Clauses 4–10 · Annex A controls A.2–A.10 · 38 controls
What Kyūdō covers: AI management system scope, AI policy, risk and impact assessment, lifecycle controls (data, model, system, deployment), supplier and third-party AI risk, performance evaluation, internal audit, management review, continual improvement.
What Kyūdō produces: Certification-supporting documentation · AIMS scope · AI policy · Lifecycle records · Audit evidence

Framework: NIST AI RMF 1.0
Scope: Govern · Map · Measure · Manage · GenAI Profile (NIST AI 600-1) · 29 controls
What Kyūdō covers: Governance structures and accountability, AI system context mapping, risk and impact measurement, risk management actions, generative-AI specific risks (CBRN information, confabulation, dangerous content, IP, privacy, value chain).
What Kyūdō produces: RMF profile · GenAI risk register · Measurement records · Mgmt actions

Total · unified mapping: 156 AI governance controls · 3 frameworks reconciled · 1 evidence base
The AI governance system

Six capabilities. One Compliance Graph. Inside your tenant.

AI governance is not a checklist — it is a system of record. Six capabilities, sharing one typed graph, producing the evidence your regulators, customers, and board will accept.

AI Governance Compliance Graph · in-tenant · typed · cited
Inventory · Risk · Controls · Evidence · Vendor AI · Trust

01 / Inventory · Shipped

AI Inventory

Auto-discover every AI system in your tenant — Microsoft Copilot family, Azure OpenAI deployments, GitHub Copilot, embeddings, vendor APIs, and self-hosted models. Classified by EU AI Act risk tier on ingestion.

Annex III · Article 6 · ISO 42001 §6.1.4
02 / Risk · Shipped

Risk & Impact

Per-system risk and impact assessments wired to the ISO 42001 lifecycle and NIST AI RMF Map–Measure–Manage phases. Reassessment triggers on model, data, or scope change — not on calendar.

ISO 42001 §6.1 · NIST AI RMF Map/Measure
03 / Controls · Shipped

AI Controls

156 AI governance controls. One control set, every framework. Coverage is computed from the Compliance Graph — change the framework view, the same controls produce a different attestation.

EU AI Act Art. 9–15 · ISO 42001 Annex A · RMF Govern
04 / Evidence · Shipped

AI Evidence

Model cards, data sheets, training documentation, prompt and output logs, evaluation runs, and incident records — collected from tenant signals, typed in the graph, and cited on every output.

Annex IV technical file · ISO 42001 Cl. 7.5
05 / Vendor AI · Shipped

Vendor AI Risk

Third-party AI as a first-class entity: SaaS-embedded models, foundation-model vendors, dataset providers. Carries its own evaluation, contractual obligations, and incident channel into your risk register.

ISO 42001 §6.1.5 · EU AI Act Title III Ch. 4
06 / Trust · Shipped

AI Trust Center

Counterparty-facing surface for your AI portfolio. Selective disclosure of model cards, evaluation summaries, conformity declarations, and incident posture — with NDA gating and watermarked exports.

Conformity declarations · transparency obligations
Auditor-grade by architecture

The AI governance platform that meets the standard it imposes.

If we are going to govern your AI, our platform should pass the same audit. Five mechanisms make Kyūdō's outputs defensible — not because we promise they are, but because the architecture forces them to be.

01 · Citations on every output

Every artifact Kyūdō produces — gap analysis, control narrative, conformity declaration, risk register entry — links back to the typed graph nodes that produced it. No claim without citation.

Generated
EU AI Act Art. 9 §4 — 3 controls, 8 evidence items, 2 model cards cited
02 · Graph-backed reasoning

AI inference happens against a typed Compliance Graph of your environment, not against unstructured documents. Same query, same graph, same answer — every time, for every auditor.

Property
deterministic reads · provenance preserved · diffable across time
03 · In-tenant data plane

Prompts, outputs, and the AI that reasons over them never leave your Azure tenant. Microsoft Purview labels and Defender boundaries continue to apply because the workload stays on your side of the line.

Boundary
Customer Azure tenant · Entra identity · Purview labels honored
04 · Versioned framework mappings

Framework controls, mappings, and interpretations are versioned the way code is. When the EU AI Act guidance updates or ISO 42001 issues an addendum, you see the diff and can replay prior assessments against either version.

Auditable
EU AI Act mapping v2024.06 → v2025.02 · 14 controls revised, 3 added
05 · Operational, not point-in-time

Controls run continuously against tenant signals; evidence updates as configurations change; coverage percentages are current to the day, not the audit.

Update cadence
evidence ⟳ continuous · controls ⟳ on-signal · views ⟳ on-request
Where you are right now

Three frameworks. Three entry points. One platform that handles all of them.

Pick the regulatory beat you are answering to today. Kyūdō meets you there — and the work you do for one framework is already work toward the others, because the underlying control set is shared.

EU AI Act · in scope
operator or provider

Operationalize EU AI Act before August 2026.

You are placing on the market or putting into service AI systems that fall under Annex III, or you are a deployer of high-risk AI. Article 99 turnover penalties become enforceable on 2 August 2026.

Annex III · Article 6 · Art. 9 risk mgmt · Art. 10 data · Art. 11 docs · Art. 14 oversight · Art. 99
ISO 42001 · path to cert
AIMS implementation

Stand up an AI management system without a binder factory.

You are building an AIMS for ISO 42001 certification — first-time or roll-forward from ISO 27001. You need lifecycle records, supplier AI controls, and certification-supporting documentation generated from live evidence.

Cl. 4–10 · Annex A.2–A.10 · AIMS scope · AI policy · Internal audit · Mgmt review
NIST AI RMF · adopters
Govern · Map · Measure · Manage

Run NIST AI RMF as an operating loop, not an artifact.

You are adopting the NIST AI RMF — including the Generative AI Profile (NIST AI 600-1) — as the spine of your AI program. You want measurement records and management actions that hold up to board, customer, and federal scrutiny.

Govern · Map · Measure · Manage · GenAI Profile · AI 600-1
2 Aug 2026 · 74 days remaining

EU AI Act enforcement is dated. Your AI governance should be operational before it is.

The Article 99 penalty regime — administered by national market surveillance authorities — takes effect on 2 August 2026. After that date, providers and deployers of high-risk AI systems are answerable not for intent but for operational evidence: AI inventory, technical documentation, conformity declarations, and incident logs that exist on day one of an investigation.

If your AI governance program is not operational by then, what you hand the auditor is intent. Kyūdō hands them the system.

Reg. (EU) 2024/1689 · Article 99
Most serious violations
up to 35M EUR
or 7% of global annual turnover, whichever is higher
Other obligations
up to 15M EUR
or 3% of global annual turnover, whichever is higher
Misleading information
up to 7.5M EUR
or 1% of global annual turnover, whichever is higher
Administered by national market surveillance authorities. Penalties are per violation, not per organization.
Start where you are

Operationalize AI governance where the AI already runs.

A 60-minute deployment workshop with a Kyūdō architect: scope your AI portfolio, map it to EU AI Act, ISO 42001, and NIST AI RMF in your tenant, and leave with a deployment plan and reference architecture for your environment.

○ Inside your Azure tenant
○ Microsoft Purview · Defender · Entra honored
○ No second AI vendor in the chain of custody