AIRiskAware Proprietary Framework

AI Integrated Risk Architecture.

A four-phase methodology for building, governing, and sustaining enterprise AI risk programs. Developed by AI risk governance specialists and aligned with the world's leading AI and risk management standards.

Compatible with ISO 42001, ISO 31000, the NIST AI RMF, and the EU AI Act.

What is AIRA?

AIRA, AI Integrated Risk Architecture, is a structured, repeatable methodology developed through enterprise AI risk advisory practice. It provides organisations with a clear path from AI risk awareness to operational governance, ensuring AI systems are assessed, controlled, monitored, and continually improved in a way that satisfies board, regulatory, and investor expectations.

The framework is practical by design. Each phase maps to tangible outputs: governance documents, risk registers, board reports, control registers, and monitoring frameworks. AIRA is designed to be compatible with ISO/IEC 42001:2023 (the world's first certifiable AI management system standard), ISO 31000, the NIST AI RMF, and the EU AI Act, allowing organisations to demonstrate alignment with multiple frameworks through a single implementation.


The four phases

A complete lifecycle for AI risk governance

Phase 1: Assess

Understand your AI risk landscape

Map every AI system across the organisation. Classify each by risk level (High, Elevated, or Standard) based on use case, data sensitivity, decision impact, and regulatory exposure. Identify which regulatory frameworks apply. Establish a current-state governance maturity baseline.

Outputs

  • AI System Inventory
  • Risk Classification Matrix
  • Regulatory Obligation Map
  • Governance Maturity Baseline
Phase 2: Implement

Build governance that holds under scrutiny

Establish a formal AI Governance Board with defined accountability across leadership, legal, technical, and domain functions. Deploy model risk controls. Define a risk appetite for AI systems. Build the documentation infrastructure (policies, standards, and audit trails) that satisfies regulators and institutional investors.

Outputs

  • AI Governance Charter
  • Model Risk Control Register
  • Risk Appetite Statement (AI)
  • Policy and Standards Documentation
Phase 3: Review

Monitor, report, and assure

Stand up continuous model performance monitoring against defined thresholds and Key Risk Indicators. Establish escalation protocols and board-level AI risk reporting cadences. Conduct periodic independent governance maturity assessments to identify gaps before regulators or investors do.

Outputs

  • KRI Dashboard and Monitoring Framework
  • Board and Executive Reporting Templates
  • Escalation and Incident Protocols
  • Periodic Maturity Assessment Reports
Phase 4: Adapt

Stay ahead of regulatory and model change

AI regulation evolves rapidly across jurisdictions. AI models drift over time. AIRA's Adapt phase builds the organisational capability to respond proactively, updating frameworks as models and rules change, scanning regulatory horizons, and embedding post-incident learning.

Outputs

  • Regulatory Horizon Scanning Process
  • Framework Review and Update Cadence
  • Post-Incident Learning Protocol
  • Regulatory Engagement Strategy

The four evaluation dimensions

Within each AIRA phase, AI systems are evaluated against four dimensions that determine governance requirements and risk classification. These dimensions are what the AIRA name encapsulates.

A: Accountability

Is there a named person, not a team, accountable for this AI system's decisions, performance, and conduct? Accountability must be assigned before deployment, not scrambled for after an incident.

I: Impact

What is the maximum potential harm this AI system can cause, to individuals, the organisation, or third parties, across financial, legal, reputational, and safety dimensions?

R: Reversibility

Can the AI system's actions and decisions be corrected, appealed, or reversed? Is there a documented process for human override, and can affected parties seek redress?

A: Auditability

Can the AI system's decision-making be reconstructed and explained? Are there sufficient logs, documentation, and traceability for an independent reviewer to determine what happened and why?

How the dimensions relate to the phases: In the Assess phase, each AI system is evaluated against these four dimensions to determine its risk classification and required controls. The Implement, Review, and Adapt phases then build and maintain the governance structures that address each dimension.

Built on established standards

AIRA is designed to be compatible with the four frameworks that matter most for AI governance, enabling organisations to demonstrate alignment across all of them through a single implementation.

ISO/IEC 42001:2023: AI Management System Standard

The world's first international standard for AI management systems, published by ISO and IEC in December 2023. ISO/IEC 42001 specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) using the Plan-Do-Check-Act methodology. It is the only certifiable AI management system standard. AIRA is designed to be fully compatible with ISO/IEC 42001's requirements, providing organisations with the implementation layer that sits beneath the standard.

ISO/IEC 42001:2023 is a voluntary standard and is not currently legally mandated. Certification is increasingly sought by organisations that want competitive differentiation and a way to demonstrate governance maturity to investors and enterprise customers.

How AIRA aligns

  • PDCA-based AI governance lifecycle maps directly to AIRA's Assess-Implement-Review-Adapt phases
  • Risk assessment and treatment requirements aligned with AIRA's classification methodology
  • AI system documentation and record-keeping requirements addressed by AIRA's control register outputs
  • Leadership accountability and AI policy requirements reflected in AIRA's governance charter deliverables
  • Supports third-party certification by accredited bodies including BSI, DNV, SGS, and A-LIGN

ISO 31000:2018: Risk Management Guidelines

The international standard for enterprise risk management principles and guidelines. ISO 31000 provides a universal framework for identifying, assessing, and treating risk, adapted within AIRA specifically for AI system risk. The standard's principles of integration, structured approach, customisation, and continual improvement underpin AIRA's methodology.

ISO 31000 is a guidance standard, not certifiable. It is widely adopted across regulated industries and provides the enterprise risk management foundation on which AIRA's AI-specific methodology is built.

How AIRA aligns

  • Risk management principles applied to AI system identification and classification
  • Risk treatment hierarchy (avoid, reduce, share, accept) applied to AI risk appetite
  • Integration with organisational governance structures and reporting
  • Continual improvement cycle aligned with AIRA's Adapt phase

NIST AI Risk Management Framework (2023)

Published by the US National Institute of Standards and Technology in January 2023. The NIST AI RMF provides a structured approach to managing AI risk across four core functions: Govern, Map, Measure, and Manage. AIRA's four-phase methodology is designed to be compatible with the NIST AI RMF, enabling organisations to demonstrate alignment with both frameworks simultaneously.

The NIST AI RMF is a voluntary US framework widely adopted in financial services, healthcare, and government sectors. It does not carry legal force but is increasingly referenced in regulatory guidance and enterprise procurement requirements.

How AIRA aligns

  • GOVERN function: aligned with AIRA's accountability structures and governance charter
  • MAP function: aligned with AIRA's AI system inventory and risk classification
  • MEASURE function: aligned with AIRA's KRI monitoring and maturity assessment
  • MANAGE function: aligned with AIRA's control deployment and incident protocols

EU Artificial Intelligence Act: Regulation (EU) 2024/1689

The world's first comprehensive AI regulation, in force from 1 August 2024 with phased enforcement from 2025–2026. The EU AI Act establishes risk-based obligations for AI systems, from prohibited applications to high-risk system requirements including risk management systems, technical documentation, human oversight, transparency measures, and conformity assessments. AIRA is designed to enable compliance with high-risk AI system obligations.

The EU AI Act applies to organisations whose AI systems are used by EU residents, regardless of where the organisation is headquartered. Australian and UK organisations with EU market exposure may have direct obligations under the Act.

How AIRA aligns

  • Risk classification methodology aligns with EU AI Act Annex III high-risk categories
  • Technical documentation requirements addressed by AIRA control register and audit trail outputs
  • Human oversight and fundamental rights impact assessment processes embedded in AIRA's Implement phase
  • Ongoing monitoring requirements covered by AIRA's Review phase KRI framework
  • Maximum penalties: €35 million or 7% of global annual turnover for most serious violations

Who AIRA is designed for

Enterprise organisations deploying AI across operations, products, or internal decision-making processes

Investment firms conducting AI company due diligence or managing AI risk across a portfolio

Regulated industries navigating sector-specific AI compliance obligations in financial services, healthcare, energy, or critical infrastructure

AI-native companies building governance maturity for fundraising, enterprise sales, or regulatory approval

Implement AIRA in your organisation

AIRiskAware provides specialist advisory support for organisations implementing the AIRA framework, from initial assessment through to governance design, ISO 42001 alignment, and ongoing board-level assurance.