Duration 2 days – 14 hrs
Overview
This standard training equips leaders, product/tech teams, risk/compliance, and internal audit with a practical governance playbook for managing AI initiatives end-to-end—covering risk appetite, accountability, lifecycle controls, third-party/vendor risk, monitoring, and assurance.
The course is anchored on widely used governance/risk references such as:
- NIST AI Risk Management Framework (AI RMF 1.0) with its GOVERN–MAP–MEASURE–MANAGE functions.
- ISO/IEC 42001:2023 (AI management system) for establishing an AI governance management system.
- ISO/IEC 23894:2023 (AI risk management guidance).
- Regulatory awareness elements, including EU AI Act risk-based obligations (for organizations with EU exposure) and Philippines NPC Advisory No. 2024-04 for AI systems processing personal data (privacy governance).
Objectives
- Define an AI governance operating model (decision rights, committees, roles, and accountability).
- Build an AI use-case intake and approval process with risk-based gating (what needs EDD/impact assessment vs fast-track).
- Apply practical AI risk concepts: bias/fairness, transparency, privacy/security, robustness, model drift, third-party risk, and incident response.
- Use recognized frameworks (NIST AI RMF / ISO 42001 / ISO 23894) to design controls across the AI lifecycle.
- Establish monitoring, KPIs/KRIs, documentation, audit trails, and reporting dashboards for management and board oversight.
- Incorporate privacy and regulatory guardrails for AI handling personal data (PH NPC Advisory + Data Privacy Act; plus global awareness).
Target Audience
- Executives / business owners sponsoring AI initiatives
- Product owners, project/program managers, innovation leads
- Data/AI/ML teams, architecture, cybersecurity
- Risk management, compliance, legal, privacy/DPO office
- Procurement/vendor management
- Internal audit / assurance teams
Prerequisites
- No AI technical background required
- Helpful: familiarity with your org’s risk management process, SDLC/change management, and vendor onboarding
Course Outline
Day 1 — Governance foundations and frameworks
Module 1: AI initiative risks and why governance fails
- Typical AI failures: unmanaged use cases, “shadow AI,” weak accountability, poor data practices
- What “good” oversight looks like (3 lines of defense + product ownership)
Module 2: AI governance operating model
- Board/Exec oversight, AI Steering Committee, model owners, validators, risk/compliance, audit
- RACI and decision rights (approve, monitor, stop, escalate)
Module 3: Frameworks you can map to your org
- NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE)
- ISO/IEC 42001 (AI management system approach)
- ISO/IEC 23894 (AI risk management guidance)
Workshop A: AI use-case intake + classification
- Teams classify 3 sample AI initiatives (customer-facing, internal, decisioning) and define required governance gates
Module 4: Policies and minimum control standards
- Policy set: acceptable use, data governance, human oversight, documentation, vendor controls, incident reporting
- Required artifacts: model cards, data sheets, risk assessments, change logs
Day 2 — Controls across the lifecycle + monitoring + assurance
Module 5: Lifecycle controls (build–buy–use)
- Intake → design → build/configure → test/validate → deploy → monitor → retire
- Change management and “re-approval” triggers (data shift, model updates, new decision impact)
Module 6: Risk assessment & impact assessment
- Risk taxonomy: privacy, bias, explainability, security, resilience, safety, legal/regulatory
- Practical scoring (likelihood/impact), compensating controls, residual risk sign-off
- Privacy expectations for AI processing personal data (PH NPC Advisory + DPA principles)
Module 7: Third-party/vendor and GenAI governance
- Vendor due diligence checklist: data handling, model IP, security, logging, SLAs, audit rights
- Prompt/data leakage risks; approval rules for external GenAI tools
Module 8: Monitoring, metrics, and incident management
- KRIs/KPIs: drift, error rates, fairness metrics, privacy incidents, security events
- Incident response and governance escalation routes
Module 9: Assurance and audit readiness
- Evidence packs and audit trails; testing cadence; independent validation
- Regulatory awareness (EU AI Act high-risk concept + obligations if relevant to your footprint)
Workshop B: Build your “AI Governance Starter Pack”
- Draft: (1) AI Use-case Intake Form, (2) AI Risk Assessment template, (3) RACI + committee structure, (4) minimum documentation checklist



