By Matthew Bertram · President of ModalPoint, CEO of EWR Digital · 2026
An AI governance framework is the set of policies, decision rights, technical controls, and audit artifacts that establishes accountability for how a company deploys, monitors, and retires its AI systems. For capital-intensive operators (oil and gas, manufacturing, utilities, chemicals, mining, infrastructure), the question is not whether to adopt one. The question is which framework, scoped to which AI uses, with which evidence, on which timeline. This guide answers all four for the 2026 regulatory environment.
Three jurisdictions moved on AI accountability in the last twelve months. State: Texas TRAIGA, effective January 1, 2026. Federal: NIST released a concept note for an AI RMF Critical Infrastructure Profile on April 7, 2026, with the Profile in active development across all 16 critical infrastructure sectors. International: the EU AI Act's high-risk obligations apply from August 2026, and the EU Product Liability Directive makes AI a strict-liability product from December 2026. The framework you choose now is the one your auditor, your insurer, your investors, and potentially your regulator will read in 2027.
Most published “AI governance framework” content is written by consulting firms and compliance vendors selling products. This guide is written from inside the operator side, by a member of the NIST AI Safety Institute Consortium (Cyber AI Profile and Zero Trust Communities of Interest), and it is opinionated about what actually works at scale in capital-intensive operations.
Strip away the consulting-deck language and an AI governance framework has six components:
If your current “AI governance framework” does not have all six, you do not have a framework. You have a policy.
Operator practice in 2026 converges on four anchor standards. They overlap. None is a complete substitute for another. Most working frameworks combine elements of all four:
NIST AI RMF. The U.S. federal default. Voluntary, but referenced in federal contracting language and increasingly in state legislation. Four functions: GOVERN, MAP, MEASURE, MANAGE. On April 7, 2026, NIST released a concept note for an AI RMF Critical Infrastructure Profile, in active development across all 16 critical infrastructure sectors, including energy, oil and gas, chemicals, water, and manufacturing. NIST has invited industry participation through a mailing list and Slack channel. Operators in any of those sectors should track the Profile work and engage early.
ISO/IEC 42001. Published December 2023, adopted globally through 2025 and 2026. Certifiable. The structure parallels ISO 27001 (information security) and ISO 9001 (quality), which most industrial operators already operate under, so the audit ecosystem is mature. Buyers and insurers in regulated industries are starting to require ISO 42001 certification for AI vendors in 2026 procurement cycles. If you sell into regulated supply chains, this is the certification that opens doors.
EU AI Act. Statute, not framework. Applies to any AI system placed on the EU market or used to affect EU persons, regardless of provider location. Annex III defines the high-risk categories, and the high-risk obligations apply from August 2026. The EU Product Liability Directive (to be transposed into member state law by December 2026) classifies AI as a product under strict liability with extra-territorial reach, which means a U.S. operator whose AI system causes harm to an EU customer can be sued in EU courts under EU strict-liability rules. Most operators are not scoped for this yet.
Texas TRAIGA. State statute (House Bill 149), signed June 22, 2025, effective January 1, 2026. The version that passed is significantly narrower than the original bill (HB 1709), which would have created a broad consequential-decision framework with mandatory impact assessments; most of the broad private-employer compliance regime was eliminated. The final law focuses on intent-based prohibitions: intentional incitement to self-harm or crime, child sexual abuse material and child-impersonation deepfakes, government social scoring, and (for private employers) using AI with the intent to unlawfully discriminate against a protected class. Penalties are tiered: $10,000 to $12,000 per curable violation, $80,000 to $200,000 per uncurable violation, and $2,000 to $40,000 per day for continuing violations, with a 60-day cure period from AG notice. Texas remains consequential in the broader picture because Colorado, California, and New York have similar (and in some cases broader) bills moving. Operators with multi-state exposure should track each statute separately.
For the practical TRAIGA breakdown for Texas businesses, see TRAIGA: What Texas Businesses Actually Have to Do. For the federal NIST AI RMF picture, see the NIST AI RMF implementation guide for boards and operators. For U.S. companies with EU exposure, see EU AI Act: What U.S. Businesses Actually Need to Know in 2026.
Operators who try to implement all four standards simultaneously fail. Operators who pick one and ignore the others get exposed when the others bind. The sequence below is the one I have seen produce real artifacts inside capital-intensive operators in 12 months.
Stand up the AI inventory. Use NIST AI RMF as the taxonomy. Cover all production AI systems, all pilot AI systems, and any vendor-provided AI features inside enterprise software (CRM, ERP, marketing automation, predictive maintenance, security tools). Assign a risk tier to each. The inventory is the foundation; every later artifact cites it.
Document the decision-rights chain for every high-risk and limited-risk system, then implement the technical control set required for each risk tier: drift monitoring, input validation, rollback procedures, and human-in-the-loop checkpoints. This is where most operators discover they have AI systems running with no rollback path, which becomes its own remediation project.
Build the artifact-generation pipeline. Each AI system produces a standard set of audit artifacts on a defined cadence: pre-deployment validation reports, runtime monitoring summaries, incident reports, and review minutes. Each artifact must be timestamped, signed, and retained so that it cannot be silently altered after the fact. This is the evidentiary foundation that survives a regulatory inquiry or a breach-of-contract claim.
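As an added illustration of what "timestamped, signed, and retained" means in practice (this is example code written for this guide, not a pipeline from any operator, vendor, or standard): each artifact cites its inventory entry, carries a UTC timestamp, is hashed, is chained to the previous artifact so deletions and reorderings show up, and is signed. The inventory entry, the signing key, and the artifact contents are constructed sample data, and HMAC-SHA256 stands in for what a production pipeline would do with a KMS- or HSM-held asymmetric key and a write-once retention store.

```python
"""Signed, timestamped, hash-chained audit artifacts that cite an AI inventory entry.

Added example for this guide; not code from the original article. Assumptions:
a symmetric HMAC key held by the governance function (production: KMS/HSM-backed
asymmetric key), an in-memory list standing in for a WORM store, and the sample
inventory and artifact bodies below, which are constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample inventory entry: the record every artifact must cite.
INVENTORY = {
    "ai-0042": {"name": "pump-failure-predictor", "owner": "reliability-eng",
                "risk_tier": "high", "vendor": "internal"},
}

SIGNING_KEY = b"governance-demo-key-replace-with-kms"  # assumption: demo key only
GENESIS = "0" * 64  # prev_hash of the first artifact in a chain


def canonical(obj) -> bytes:
    """Deterministic JSON so the hash and signature cover exactly what is stored."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_artifact(log, system_id, kind, body, when=None):
    """Append one artifact: timestamped, chained to the previous record, hashed, signed."""
    if system_id not in INVENTORY:
        raise KeyError(f"{system_id} is not in the AI inventory; register it first")
    record = {
        "system_id": system_id,
        "risk_tier": INVENTORY[system_id]["risk_tier"],
        "kind": kind,  # validation_report | monitoring_summary | incident | review_minutes
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "body": body,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    record["sig"] = hmac.new(SIGNING_KEY, record["hash"].encode(), "sha256").hexdigest()
    log.append(record)
    return record


def verify_log(log):
    """Recompute every hash, chain link and signature.

    Returns (True, None) if the log is intact, else (False, index of first bad record).
    """
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev_hash:
            return False, i  # a record was removed, reordered or inserted
        unsigned = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if hashlib.sha256(canonical(unsigned)).hexdigest() != rec["hash"]:
            return False, i  # content edited after signing
        expected = hmac.new(SIGNING_KEY, rec["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, i  # hash recomputed by someone without the key
        prev_hash = rec["hash"]
    return True, None


def demo():
    """Build a two-artifact chain, then show that a quiet edit is detected."""
    log = []
    make_artifact(log, "ai-0042", "validation_report",
                  {"auc": 0.91, "approved_by": "reliability-eng lead"})
    make_artifact(log, "ai-0042", "monitoring_summary",
                  {"drift_psi": 0.03, "rollbacks": 0})
    ok_before, _ = verify_log(log)
    log[0]["body"]["auc"] = 0.97  # after-the-fact "improvement" of the validation result
    ok_after, first_bad = verify_log(log)
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, False, 0)
```

The three checks in `verify_log` map to the three ways an artifact trail gets challenged: a missing or reordered record breaks the chain link, an edited body breaks the content hash, and a forged hash breaks the signature. An artifact that fails any check is not evidence, which is the whole point of generating them on a cadence rather than reconstructing them when an inquiry arrives.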
Map your framework to NIST AI RMF (always), ISO 42001 (if certification is in scope), EU AI Act Annex III (if EU-relevant), and any state laws (TRAIGA for Texas operators). Decide whether to pursue ISO 42001 certification in year two. Most operators discover that the certification cost and timeline are meaningfully smaller than the litigation exposure of being uncertified, but the answer is operator-specific.
Most governance frameworks treat external AI mentions as a marketing problem. For capital-intensive operators, that frame is wrong.
When a generative engine produces a wrong summary of your company (capabilities, certifications, leadership, safety history), that summary becomes evidence. It can be cited in a regulatory inquiry. It can be screenshot into an investor diligence file. It can be quoted in an M&A negotiation. The summary is wrong, but it is on the public record, and you do not control its distribution.
This is the governance dimension of AI visibility that most consultants miss. Generative engine optimization is upstream of the audit-artifact problem. If your governance framework does not include monitoring how AI engines describe your company, you are leaving an accountability surface unmanaged.
For the long-form treatment of this, see AI Governance vs AI Visibility: A Two-Layer Control System.
Boards have three duties under emerging AI governance regimes: oversight (was a framework adopted), assurance (is it actually being followed), and disclosure (does our public reporting reflect the framework’s state). Most boards in 2026 have addressed oversight via a single agenda item (“we adopted an AI policy”), have done nothing on assurance, and have not even begun disclosure.
Under the federal civil rights statutes that already apply to AI today (Title VII, ECOA, FHA), liability can attach under a disparate-impact theory regardless of intent. The board cannot use "we delegated this to the CEO" as a defense if the framework was not actually being followed. Board-level documentation of assurance reviews, with named directors, dates, and discussion topics, is the difference between a defensible posture and an indefensible one.
For board chairs and audit committee chairs structuring this work, see the boardroom briefing on getting this right.
Most operators face more AI governance exposure from vendor systems than from internally built systems. The CRM has AI scoring. The ERP has anomaly detection. The cybersecurity stack has multiple ML layers. Marketing automation, predictive maintenance, video surveillance, supply chain risk, fraud detection. Every one of these is an AI system you did not build but are accountable for.
Vendor AI questionnaires, paired with an AI Bill of Materials (AI BOM) listing the models, training-data sources, and third-party components inside the product, are the operator-side artifacts for managing this. Require them at procurement, refresh them annually, and version-control them so you can show what the vendor attested to at the time of purchase. ISO 42001 certification on the vendor side is the most reliable single signal of vendor governance maturity in 2026, but it is not yet universal.
Operators starting from zero in mid-2026 should not try to do everything. The first 90 days are inventory and classification. Just that. Without a complete inventory, every other governance step is operating on incomplete information. The inventory is also the artifact you most likely will need to produce first under any regulatory inquiry, so building it well in a non-stressed environment is high-leverage.
The second 90 days are decision rights and technical controls for high-risk systems only. Do not try to control everything. Control what would harm the company, its customers, or its workforce if it fails. The other systems can be managed under a lower-tier control set in year two.
The second half of the year is artifact generation and standards alignment. By month 12, you should have a defensible framework, a complete inventory, a rolling audit artifact pipeline, and a clear path to ISO 42001 certification in year two if certification is the right choice for your business.
This guide outlines a workable framework. The implementation is operator-specific. Matt Bertram works with boards, executive teams, and operations leadership at capital-intensive companies on the inventory, risk classification, and audit artifact phases of AI governance framework rollout. He speaks publicly on this topic at boards, energy industry events, and CMO convenings.
Matt is a member of the NIST AI Safety Institute Consortium (Cyber AI Profile and Zero Trust Communities of Interest), a Goldman Sachs 10,000 Small Businesses graduate (Houston Cohort, April 2026), and the moderator of record on the Ericsson Enterprise Wireless AI panel at the Offshore Technology Conference 2026 (with co-panelists from Bechtel and Rockwell Automation).
For the runtime layer that ties these pillars together, the discipline of capturing the attestation at decision time so that traceability becomes evidence rather than guesswork, see the runtime Decision Integrity discipline that makes traceability defensible.