GovCompass · Responsible AI

The GovCompass-7 control framework — the seven elements every AI governance programme must control, and the controls that hold each one in place.

The GovCompass-7 organises responsible AI into seven elements that every AI governance programme must control: fairness, safety and reliability, privacy, security and robustness, transparency and explainability, accountability, and human oversight. Each element is governed through a layered set of preventive, detective, and corrective controls, mapped to the EU AI Act, the NIST AI RMF, and ISO/IEC 42001.

The seven elements

Responsible AI has a marketing problem. It usually appears as an aspiration rather than a specification, and an AI Officer cannot implement an aspiration. They can implement a control, test whether it works, and produce the evidence that it worked when a supervisory authority asks.

The GovCompass-7 reframes responsible AI as a control problem. It names seven elements that together define what it means for an AI system to be responsibly governed, and for each one it specifies the controls that hold it in place. The seven elements are not arbitrary: they are the points where the EU AI Act, the NIST AI Risk Management Framework, and ISO/IEC 42001 converge, expressed in language an operational governance function can act on.

Three layers of control

Each element is governed through three control layers that any auditor will recognise:

  • Preventive controls stop a failure from occurring.
  • Detective controls surface a failure once it has occurred.
  • Corrective controls contain and remediate it, and feed the lesson back into prevention.

No single layer is sufficient. Preventive controls reduce the probability of harm but never eliminate it. Detective controls catch what prevention misses, but only matter if something acts on the signal. Corrective controls close the loop. An element governed only by preventive controls looks compliant on paper and fails silently in production. A responsible AI programme is one that can demonstrate, with evidence, that all three layers operate for each element across its AI inventory.

Read it as a system

The elements are distinct but not independent. Security and robustness underpins the others, because a model that can be manipulated cannot be relied upon to be fair, safe, or transparent. Explainability enables oversight, because an overseer cannot review what they cannot understand. Accountability binds everything, because every control needs an owner. In a working programme the seven share one infrastructure: one AI inventory, one risk register, one incident process, one set of oversight logs.

Governance maturity

A useful way to read your own programme is to ask, for each element, which control layers actually operate. That is a more honest picture than a binary compliant-or-not judgement:

  1. Preventive only. A policy, a pre-deployment assessment, a sign-off, and nothing after. The most common state, and the one that looks compliant in a procurement review and fails silently in production.
  2. Preventive and detective. The element is monitored, drift is surfaced, complaints are routed. You now know when something has gone wrong, but knowing is not the same as acting.
  3. All three layers, connected. Prevention reduces the failure rate, detection surfaces what remains, and correction contains each failure and feeds the lesson back into prevention. The loop closes. This is what the Art. 9 risk-management requirement actually demands.
  4. A cross-element view. You can see the maturity of all seven elements at once, allocate attention to the weakest, and run the GovCompass-7 as a living management system rather than a compliance artefact. This is the state ISO/IEC 42001 is built to support.

Using the framework

Take the AI inventory and, for each high-risk system, assess each element against the three layers: is the control designed, implemented, and evidenced? The gaps in that grid are the governance backlog, prioritised by the risk of the system and the severity of the missing control. Mapped one way, the grid is a responsible AI framework. Mapped another, it is an EU AI Act conformity file, a NIST AI RMF profile, and the core of an ISO/IEC 42001 management system.
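As an added illustration (not GovCompass code), the element-by-layer grid and the maturity ladder above can be scored mechanically; the grid shape, the rule that a layer counts as operating only once it is evidenced, and the severity weighting used for the backlog are assumptions.

```python
# The seven GovCompass-7 elements and the three control layers named on the page.
ELEMENTS = ("fairness", "safety and reliability", "privacy", "security and robustness",
            "transparency and explainability", "accountability", "human oversight")
LAYERS = ("preventive", "detective", "corrective")
# Assessment states in the order the page asks about them: designed, implemented, evidenced.
STATUS_RANK = {"missing": 0, "designed": 1, "implemented": 2, "evidenced": 3}
OPERATING = STATUS_RANK["evidenced"]  # assumption: a layer operates only once it is evidenced


def maturity_level(layer_status: dict) -> int:
    """Stages 1-3 of the maturity ladder; 0 (assumed) when not even prevention operates."""
    level = 0
    for layer in LAYERS:  # stages stack in order: preventive, then detective, then corrective
        if STATUS_RANK.get(layer_status.get(layer, "missing"), 0) < OPERATING:
            break
        level += 1
    return level


def cross_element_view(grid: dict) -> dict:
    """Stage 4: maturity of all seven elements at once, scored as the weakest system per element.
    grid = {system: {"risk": 1..4, "controls": {element: {layer: status}}}} (assumed shape)."""
    view = {}
    for element in ELEMENTS:
        levels = [maturity_level(s["controls"].get(element, {})) for s in grid.values()]
        view[element] = min(levels, default=0)
    return view


def governance_backlog(grid: dict) -> list:
    """Every gap in the grid, highest priority first. Priority = system risk x severity,
    where severity (assumed) is how many states the control is short of evidenced."""
    backlog = []
    for name, system in grid.items():
        for element in ELEMENTS:
            for layer in LAYERS:
                status = system["controls"].get(element, {}).get(layer, "missing")
                severity = OPERATING - STATUS_RANK[status]
                if severity > 0:
                    backlog.append((system["risk"] * severity, name, element, layer, status))
    return sorted(backlog, key=lambda g: (-g[0], g[1], ELEMENTS.index(g[2]), LAYERS.index(g[3])))


# Constructed sample grid (not from the page): two systems, only some elements assessed yet.
SAMPLE_GRID = {
    "cv-screening": {"risk": 4, "controls": {
        "fairness": {"preventive": "evidenced", "detective": "implemented", "corrective": "missing"},
        "human oversight": {"preventive": "evidenced", "detective": "evidenced", "corrective": "evidenced"}}},
    "chatbot": {"risk": 2, "controls": {
        "fairness": {"preventive": "evidenced", "detective": "evidenced", "corrective": "evidenced"}}},
}
```

Elements never assessed for a system score as missing, so an incomplete grid shows up as maturity 0 and as backlog entries rather than disappearing from view.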
