AI Risk Governance & Responsible AI Management: Frameworks, Controls, and Oversight for AI Initiatives  


Duration 2 days – 14 hrs

 

Overview

 

This standard training equips leaders, product/tech teams, risk/compliance, and internal audit with a practical governance playbook for managing AI initiatives end-to-end—covering risk appetite, accountability, lifecycle controls, third-party/vendor risk, monitoring, and assurance.

 

The course is anchored on widely used governance/risk references such as:

 

  • NIST AI Risk Management Framework (AI RMF 1.0) with its GOVERN–MAP–MEASURE–MANAGE functions. 
  • ISO/IEC 42001:2023 (AI management system) for establishing an AI governance management system. 
  • ISO/IEC 23894:2023 (AI risk management guidance). 
  • Regulatory awareness elements, including EU AI Act risk-based obligations (for organizations with EU exposure) and Philippines NPC Advisory No. 2024-04 for AI systems processing personal data (privacy governance).

 

Objectives

 

  • Define an AI governance operating model (decision rights, committees, roles, and accountability).
  • Build an AI use-case intake and approval process with risk-based gating (what needs EDD/impact assessment vs fast-track).
  • Apply practical AI risk concepts: bias/fairness, transparency, privacy/security, robustness, model drift, third-party risk, and incident response.
  • Use recognized frameworks (NIST AI RMF / ISO 42001 / ISO 23894) to design controls across the AI lifecycle.
  • Establish monitoring, KPIs/KRIs, documentation, audit trails, and reporting dashboards for management and board oversight.
  • Incorporate privacy and regulatory guardrails for AI handling personal data (PH NPC Advisory + Data Privacy Act; plus global awareness).

 

Target Audience 

 

  • Executives / business owners sponsoring AI initiatives
  • Product owners, project/program managers, innovation leads
  • Data/AI/ML teams, architecture, cybersecurity
  • Risk management, compliance, legal, privacy/DPO office
  • Procurement/vendor management
  • Internal audit / assurance teams

 

Prerequisites 

  • No AI technical background required
  • Helpful: familiarity with your org’s risk management process, SDLC/Change management, and vendor onboarding

 

Course Outline 

 

Day 1 — Governance foundations and frameworks

 

Module 1: AI initiative risks and why governance fails 

  • Typical AI failures: unmanaged use cases, “shadow AI,” weak accountability, poor data practices
  • What “good” oversight looks like (3 lines of defense + product ownership)

 

Module 2: AI governance operating model

  • Board/Exec oversight, AI Steering Committee, model owners, validators, risk/compliance, audit
  • RACI and decision rights (approve, monitor, stop, escalate)

Module 3: Frameworks you can map to your org 

  • NIST AI RMF (GOVERN, MAP, MEASURE, MANAGE) 
  • ISO/IEC 42001 (AI management system approach) 
  • ISO/IEC 23894 (AI risk management guidance) 

 

Workshop A: AI use-case intake + classification

  • Teams classify 3 sample AI initiatives (customer-facing, internal, decisioning) and define required governance gates

 

Module 4: Policies and minimum control standards 

  • Policy set: acceptable use, data governance, human oversight, documentation, vendor controls, incident reporting
  • Required artifacts: model cards, data sheets, risk assessments, change logs

 

Day 2 — Controls across the lifecycle + monitoring + assurance

 

Module 5: Lifecycle controls (build–buy–use) 

  • Intake → design → build/configure → test/validate → deploy → monitor → retire
  • Change management and “re-approval” triggers (data shift, model updates, new decision impact)

 

Module 6: Risk assessment & impact assessment 

  • Risk taxonomy: privacy, bias, explainability, security, resilience, safety, legal/regulatory
  • Practical scoring (likelihood/impact), compensating controls, residual risk sign-off
  • Privacy expectations for AI processing personal data (PH NPC Advisory + DPA principles) 

 

Module 7: Third-party/vendor and GenAI governance 

  • Vendor due diligence checklist: data handling, model IP, security, logging, SLAs, audit rights
  • Prompt/data leakage risks; approval rules for external GenAI tools

 

Module 8: Monitoring, metrics, and incident management 

  • KRIs/KPIs: drift, error rates, fairness metrics, privacy incidents, security events
  • Incident response and governance escalation routes

 

Module 9: Assurance and audit readiness 

  • Evidence packs and audit trails; testing cadence; independent validation
  • Regulatory awareness (EU AI Act high-risk concept + obligations if relevant to your footprint) 

 

Workshop B: Build your “AI Governance Starter Pack”

  • Draft: (1) AI Use-case Intake Form, (2) AI Risk Assessment template, (3) RACI + committee structure, (4) minimum documentation checklist

 
