
GOVERN Function

The GOVERN function is the foundation of the NIST AI RMF. It establishes the organisational context within which AI risk management activities occur: the policies, roles, processes, and culture that make the other three functions effective.

GOVERN is the function where your organisation decides how it will manage AI risk and who is responsible for what. It runs in parallel with — and provides direction to — MAP, MEASURE, and MANAGE.


Relevant GOVERN Categories

GOVERN 1 — Policies, Processes, Procedures, and Practices

GOVERN 1.1 Policies and procedures for addressing AI risk are in place.

VeriProof provides the compliance evidence infrastructure for AI risk policies:

  • Governance scoring configurations serve as the operational expression of risk policy thresholds — they make policy statements measurable
  • Alert rules link policy thresholds to operational procedures (notification, escalation, corrective action)
  • Evidence package exports demonstrate that policies were operationalised and monitored throughout the reporting period

Document your governance scoring configuration in your AI risk policy as the specific monitoring mechanism for each risk threshold you’ve identified.


GOVERN 1.7 AI risks are communicated to relevant stakeholders.

Configure VeriProof alert rules to notify stakeholders appropriate to each risk severity. Open Monitoring in the Customer Portal and click + New Rule. For critical events that require immediate escalation (for example, governance score dropping below your critical threshold), set severity to Critical and assign the risk committee channel. For medium-severity events, set severity to Medium and assign the AI team lead. Use separate rules for each severity tier so notifications reach the right people without alert fatigue.

The alert delivery log — included in evidence packages — demonstrates that risk communication procedures were followed in practice.


GOVERN 2 — Accountability and Responsibility

GOVERN 2.2 Risk tolerance statements exist for AI.

Risk tolerance is operationalised in VeriProof through governance scoring thresholds. Your risk tolerance statement should specify, for each identified risk dimension:

  • The acceptable threshold (expressed as a governance score minimum)
  • The measurement window (rolling 24-hour average, per-session, etc.)
  • The response required when tolerance is exceeded

Document these thresholds in your risk tolerance statement and reference the VeriProof scoring configuration that implements them.


GOVERN 2.4 Organisational teams understand their responsibilities.

Role-based access in the Customer Portal enforces separation of duties. Define roles that match your organisational accountability structure:

Role            Access                                       Typical owner
Viewer          Read sessions and reports                    Compliance analyst
Analyst         Read + export evidence, acknowledge alerts   AI risk owner
Admin           Full configuration access                    AI governance lead
Account Owner   Billing + user management                    IT/legal ops

GOVERN 4 — Risk Culture

GOVERN 4.1 Organisational teams are informed about their roles.

Publish your VeriProof governance scoring configuration internally, alongside the risk analysis that produced the threshold values. This makes the connection between organisational risk policy and operational monitoring explicit and auditable.


GOVERN 6 — Policies and Procedures for Third-Party Risks

GOVERN 6.2 Policies for third-party data governance exist.

If your AI pipelines process personal data, VeriProof’s data subject management and GDPR cryptographic erasure satisfy several GOVERN 6.2 requirements for data governance policies applied to AI-processed personal data. See GDPR Cryptographic Erasure for the technical implementation.


GOVERN Evidence in Packages

The GOVERN section of a VeriProof AI RMF evidence package includes:

  • Governance scoring configuration snapshot (defines operationalised risk thresholds)
  • Alert rule inventory (defines the escalation procedures)
  • Alert acknowledgement log (shows the organisational response to risk events)
  • User role summary (demonstrates accountability structure)
