GOVERN-1 Govern 1: Legal and Regulatory Compliance

27 requirements in the Govern 1: Legal and Regulatory Compliance function

GOVERN 1.1 Legal and regulatory requirements involving AI are understood, managed, and documented
GV-1.1-001 Align GAI development and use with applicable laws and regulations, including those related to
GOVERN 1.2 The characteristics of trustworthy AI are integrated into organizational policies, processes
GV-1.2-001 Establish transparency policies and processes for documenting the origin and history of training
GV-1.2-002 Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety
GOVERN 1.3 Processes, procedures, and practices are in place to determine the needed level of risk management
GV-1.3-001 Consider the following factors when updating or defining risk tiers for GAI: Abuses and impacts to
GV-1.3-002 Establish minimum thresholds for performance or assurance criteria and review as part of
GV-1.3-003 Establish a test plan and response policy, before developing highly capable models, to
GV-1.3-004 Obtain input from stakeholder communities to identify unacceptable use, in accordance with
GV-1.3-005 Maintain an updated hierarchy of identified and expected GAI risks connected to contexts of GAI
GV-1.3-006 Reevaluate organizational risk tolerances to account for unacceptable negative risk (such as where
GV-1.3-007 Devise a plan to halt development or deployment of a GAI system that poses unacceptable negative
GOVERN 1.4 The risk management process and its outcomes are established through transparent policies
GV-1.4-001 Establish policies and mechanisms to prevent GAI systems from generating CSAM, NCII or content
GV-1.4-002 Establish transparent acceptable use policies for GAI that address illegal use or applications of
GOVERN 1.5 Ongoing monitoring and periodic review of the risk management process and its outcomes are
GV-1.5-001 Define organizational responsibilities for periodic review of content provenance and incident
GV-1.5-002 Establish organizational policies and procedures for after action reviews of GAI system incident
GV-1.5-003 Maintain a document retention policy to keep history for test, evaluation, validation, and
GOVERN 1.6 Mechanisms are in place to inventory AI systems and are resourced according to organizational risk
GV-1.6-001 Enumerate organizational GAI systems for incorporation into AI system inventory and adjust AI
GV-1.6-002 Define any inventory exemptions in organizational policies for GAI systems embedded into
GV-1.6-003 In addition to general model, governance, and risk information, consider the following items in
GOVERN 1.7 Processes and procedures are in place for decommissioning and phasing out AI systems safely and in
GV-1.7-001 Protocols are put in place to ensure GAI systems are able to be deactivated when necessary
GV-1.7-002 Consider the following factors when decommissioning GAI systems: Data retention requirements; Data