RiskWatch
Solution · ISO 42001 + NIST AI RMF + EU AI Act · Updated 2026-05-15

Govern every AI system before the regulator, the board, or the customer asks.

AI governance software that runs the AI inventory, risk classification, ISO 42001 plus NIST AI RMF plus EU AI Act controls, impact assessments, bias audits, model lineage, third-party AI risk, transparency, human oversight, and incident reporting from one tenant. The embedded top-10 ranking on this page compares the platforms a serious 2026 program shortlists.

  • AI inventory + risk classification across EU AI Act, ISO 42001, and NIST AI RMF
  • FRIA, DPIA, AIA, and Colorado AI Act impact assessments from one evidence set
  • Bias audits, model lineage, third-party AI risk, incident reporting in one tenant
  • Cross-mapped to ISO 27001, SOC 2, HIPAA, GDPR so existing evidence carries forward

Trusted by chief compliance officers, AI governance leads, chief data officers, and responsible AI leads at enterprises shipping AI into regulated decisions

Johnson & Johnson, Pfizer, TE Connectivity, Halex, NetAccess, Bose, Iberdrola USA, Puma North America
What it is

What is AI governance software?

AI governance software is the platform layer that records every AI system in an enterprise, classifies each one against ISO/IEC 42001:2023 + NIST AI RMF + the EU AI Act. RiskWatch runs the model inventory, risk tier classification, FRIA + DPIA + AIA impact assessments, bias audits, model lineage, third-party AI vendor risk, transparency and human-oversight tracking, and Article 73 incident reporting in one tenant. Cross-mapped to ISO 27001, SOC 2, HIPAA, and GDPR so existing evidence carries forward.

AI governance software market growth, 2025-2026, per Gartner AI TRiSM Hype Cycle and IDC Worldwide AI Software tracker
2 Aug 2026: EU AI Act high-risk obligations enforce (Articles 9-15, Article 27 FRIA, Annex IV technical documentation, EU database registration)
24% of enterprises have a complete AI inventory (2025 IBM Institute for Business Value survey); the load-bearing first step
Why AI governance is on the 2026 agenda

Six regulatory regimes, one program.

AI governance moved from voluntary corporate-responsibility statement to binding regulatory program in 18 months. The EU AI Act, ISO 42001, and NIST AI RMF set the floor. Colorado, NYC, and US executive policy set the US backstop. OECD and the Council of Europe set the international stewardship layer. One AI governance platform should answer to all six audiences.

EU AI Act

Regulation (EU) 2024/1689 enforces 2 Aug 2026

High-risk AI under Annex III becomes subject to the Articles 9-15 provider requirements and the Article 26 deployer duties on that date (Annex I high-risk systems follow in August 2027). Article 99 sets the maximum fine for prohibited-practice violations at €35M or 7% of worldwide annual turnover, whichever is higher.

ISO/IEC 42001

First certifiable AI management system

Published December 2023, ISO/IEC 42001 is the international AI management system standard with a Plan-Do-Check-Act lifecycle and 38 Annex A controls covering governance, data, transparency, human oversight, and lifecycle controls. Increasingly referenced in EU and federal procurement.

NIST AI RMF 1.0

GOVERN, MAP, MEASURE, MANAGE

NIST AI Risk Management Framework 1.0 (January 2023) plus the Generative AI Profile (NIST AI 600-1, July 2024) define the outcome-based control language US federal agencies and Fortune 500 enterprises run against. Voluntary, but the OMB federal AI memoranda point agencies at it and NIST publishes crosswalks from it to other standards, so it complements rather than replaces an existing NIST SP 800-53 control baseline.

US Executive Order

EO 14110 plus successor policy

Executive Order 14110 (October 2023) directed federal agencies to manage AI risk, and OMB Memorandum M-24-10 (March 2024) set binding minimum practices for federal AI. Both were rescinded in 2025 and replaced by Executive Order 14179 and OMB Memoranda M-25-21 and M-25-22, which, together with the July 2025 OSTP AI Action Plan, keep a federal AI risk-management cadence in place even as priorities shift.

State + sector laws

Colorado AI Act + NYC LL 144 + sector

Colorado AI Act (SB 24-205, effective 30 June 2026 after the 2025 special-session delay from February 2026) sets developer and deployer duties for high-risk AI used in consequential decisions. NYC Local Law 144 requires annual independent bias audits of automated employment decision tools. CFPB, DOJ, EEOC, and FTC enforce existing civil-rights and consumer-protection law against AI under their April 2023 joint statement.

OECD + Council of Europe

OECD AI Principles + AI Treaty

OECD AI Principles (updated May 2024) are the reference 47-country adherence baseline. The Council of Europe Framework Convention on AI (September 2024) is the first binding international AI treaty, open for signature and ratification through 2026.

Why AI governance programs stall

Four pains that show up before the first audit.

The frameworks are not the hard part. Inventory, scattered impact assessments, late bias signals, and ungoverned third-party AI are. RiskWatch fixes the four where they live, in the daily workflow.

Pain #1

Nobody can list every AI system in production.

Shadow AI sprawls fast. Marketing buys Jasper, engineering ships custom LLM features, HR uses a screening vendor, sales adopts Gong. A 2025 IBM survey found only 24% of organizations have a complete inventory of AI in use. Without a single AI inventory tagged by provider, deployer, intended use, and risk tier, governance is fiction. The AI Inventory module captures every model, vendor system, and shadow deployment.

Pain #2

Impact assessments live in scattered Word documents.

FRIA, DPIA, algorithmic impact assessment, ethical review board notes, model cards, system cards. Each governance regime demands a similar document; teams retype the same content five times and lose version control. The Impact Assessment Builder ships the ISO 42001 Clause 6.1.4 AI system impact assessment (Annex A A.5 controls), the EU AI Act Article 27 FRIA, the GDPR Article 35 DPIA, and the NIST AI RMF MAP outputs from one shared evidence set.

Pain #3

Bias and performance drift discovered after the incident.

Models degrade. Demographic shifts and new data sources cause bias to grow. Without continuous bias monitoring tied to the model registry, the first sign of a problem is a complaint, a journalist call, or a regulator notice. RiskWatch links bias and accuracy KPIs into the same residual-risk register the board reads, with threshold alerts before the incident becomes a headline.

Pain #4

Third-party AI is a black box you signed up to govern.

Most enterprise AI risk lives in vendors: foundation model providers, AI-enhanced SaaS, embedded copilots. Article 26 of the EU AI Act puts deployer duties on the buyer, Article 25 sets when a deployer inherits provider obligations along the value chain, and ISO 42001 Annex A A.10 demands supplier AI governance. Vendor AI questionnaires, model cards, and provider attestations need to live where procurement, legal, and the AI governance committee can actually read them.

Core capabilities

Twelve capabilities every serious AI governance program needs, in one tenant.

The inventory, the classification, the assessment workspace, the bias monitor, the lineage record, the incident workflow, the vendor questionnaire library, the transparency surface, the oversight tracker, the policy committee, the data governance ledger, and the board + regulator reporting, all reading from one source of truth.

AI inventory

Every model, every deployer, every intended use

Capture every AI system in production, training, vendor-supplied, or shadow. Tag provider, deployer, importer, intended purpose, training data sources, and risk tier. Auto-discovery via integrations plus vendor questionnaire workflow.

Risk classification

Tier each system against EU AI Act and ISO 42001

Walk Article 6, Annex I, and Annex III for EU classification. Run the ISO 42001 Clause 6.1.4 AI system impact assessment. Map to the NIST AI RMF risk profile. Reclassify on every material model change with a full audit trail.

Impact assessments

FRIA, DPIA, AIA, model card, system card

One impact assessment workspace generates the EU AI Act Article 27 FRIA, the GDPR Article 35 DPIA, the Colorado AI Act consequential-decision assessment, the Canadian AIA, and the ISO 42001 Clause 6.1.4 impact record (Annex A A.5) from a shared evidence set.

Bias + fairness audits

Demographic, intersectional, drift over time

Demographic parity, equal opportunity, predictive parity, calibration. Intersectional analysis across protected classes. Continuous drift detection so bias growth shows up in the residual-risk register before it shows up in the news.

Model lineage

From training data to deployment to retirement

Datasets used in training, validation, and test. Model versions, hyperparameters, evaluation runs, approval records, deployment environments, retirement dates. Linked to Article 12 logs and Article 10 data governance evidence.

Incident reporting

EU AI Act Article 73, NIST AI RMF MANAGE 4

Serious-incident reporting under EU AI Act Article 73: within 15 days of the provider becoming aware, within 2 days for a widespread infringement or an incident affecting critical infrastructure, within 10 days for a death. NIST AI RMF MANAGE 4 incident handling cadence. Member-state market surveillance authority notifications tracked. Tied to the RCA workflow.

Third-party AI risk

Foundation models, SaaS AI, embedded copilots

Vendor AI questionnaire library mapped to ISO 42001 Annex A 10, NIST AI RMF GOVERN 6, and EU AI Act Article 25. Provider attestations, model cards, system cards, AUP, training data disclosures, and indemnity terms in one vendor record.

Transparency + disclosure

End-user, regulator, board

Article 50 AI interaction labels for chatbots, synthetic media disclosure, deepfake watermarking workflow, ADM notices, and external transparency reports for ESG and stewardship investor disclosure.

Human oversight

Override, stop, interpretability, training

EU AI Act Article 14 oversight measures built in by the provider and operated by the deployer. ISO 42001 Annex A A.9 responsible use plus Clause 9.2 internal audit. Operator training records, override and stop control attestations, interpretability review for each high-risk system.

Policy + governance committee

Charter, RACI, meeting cadence, decisions

AI ethics committee charter, attendance, decisions log, escalation thresholds, approval gates by risk tier. ISO 42001 Clause 5 leadership plus Annex A A.2 AI policy and A.3 internal organization tie policy to evidence.

Data governance

Training, validation, testing, lawful basis

Article 10 data governance: quality, representativeness, completeness, bias examination, lawful basis under GDPR. Annex IV § 2(d) datasheet auto-built per training run. PII redaction and synthetic-data attestation tracked.

Board + regulator reporting

One source of truth, three audiences

Board-ready coverage dashboard, regulator-ready Annex IV plus FRIA plus conformity assessment file, investor-ready responsible AI report. Each rolls up from the same model inventory, risk tier, and impact assessment data.

Frameworks AI governance must align to

Six binding regimes, six voluntary regimes. One control set.

ISO/IEC 42001:2023 is the certifiable management system. NIST AI RMF 1.0 is the voluntary US outcome framework, with the Generative AI Profile (NIST AI 600-1) added in 2024. The EU AI Act is binding law. The OECD AI Principles (updated May 2024) are the 47-adherent international baseline. The Council of Europe Framework Convention on AI is the first binding international AI treaty. Add Singapore Model AI Governance, the UK pro-innovation framework, the Colorado AI Act, NYC Local Law 144, and Executive Order 14110 + OMB Memorandum M-24-10. RiskWatch ships a single control set crosswalked across the full list.

ISO/IEC 42001:2023 management system plus 38 Annex A controls, certifiable
NIST AI RMF 1.0 GOVERN + MAP + MEASURE + MANAGE plus the Generative AI Profile
EU AI Act Articles 5, 6, 9-15, 27, 50, 99 cross-walked to ISO 42001 Annex A
OECD AI Principles + Council of Europe AI Treaty + Singapore + UK + Canadian AIA
Colorado AI Act + NYC Local Law 144 + EEOC + CFPB + FTC + EO 14110 + OMB M-24-10
AI governance framework coverage
ISO 42001 (AI management system + Annex A controls): 96%
NIST AI RMF (GOVERN + MAP + MEASURE + MANAGE): 94%
NIST AI 600-1 (Generative AI profile, July 2024): 90%
EU AI Act (Arts 5, 6, 9-15, 27, 50, 99): 93%
OECD AI Principles (updated May 2024): 88%
CoE Framework Convention (September 2024): 84%
Singapore Model AI Governance Framework for Generative AI: 82%
UK pro-innovation framework (5 principles): 80%
Colorado AI Act (SB 24-205, consequential decisions): 85%
NYC Local Law 144 (AEDT bias audit): 87%
10 regimes + sector overlays → one control set, one tenant
Embedded ranking

Top 10 AI governance platforms in 2026

A ten-platform comparison drawn from each vendor's public product pages (audited 2026-05-15), G2 + Capterra review aggregation, Gartner AI TRiSM Hype Cycle commentary, and Forrester Responsible AI research. RiskWatch publishes this ranking and is ranked first; the methodology and the honest RiskWatch weaknesses appear on the card. The right buying decision usually starts with whether you need a horizontal GRC + framework hub (RiskWatch, OneTrust) or a pure-play model-ops platform (Credo AI, ModelOp, Holistic AI). Most serious 2026 programs end up running both.

Rank | Platform | Vendor · year | Best for | Pricing | Pricing transparency | G2
1 | RiskWatch | RiskWatch International · founded 1993 | CCO + Head of AI Governance running ISO 42001 + EU AI Act + NIST AI RMF in one tenant alongside ISO 27001, SOC 2, GDPR, and 40+ other frameworks. | Standard $99/month · Professional $36K/year · Enterprise quote | partial | 4.5/5 (60+ reviews)
2 | Credo AI | Credo AI · founded 2020 | Pure-play responsible AI governance for enterprises whose AI program is led by a dedicated Head of Responsible AI or Chief AI Ethics Officer. | Quote-only · triangulated $60K-$250K/year | opaque | 4.6/5 (30+ reviews)
3 | Holistic AI | Holistic AI · founded 2020 | Enterprises that need algorithmic auditing depth, particularly under NYC Local Law 144 AEDT bias audits and EU AI Act Article 27 FRIA workflows. | Quote-only · triangulated $50K-$200K/year | opaque | 4.5/5 (20+ reviews)
4 | IBM watsonx.governance | IBM · product launched 2023 | Global banks and insurers running US Federal Reserve SR 11-7 model risk management alongside AI governance, especially watsonx + OpenPages customers. | Quote-only · triangulated $200K-$1M+/year | opaque | 4.4/5 (40+ reviews)
5 | ModelOp | ModelOp · founded 2016 | Enterprises with mature MLOps that need model lifecycle and runtime governance with deep model registry and drift monitoring. | Quote-only · triangulated $100K-$400K/year | opaque | 4.5/5 (20+ reviews)
6 | OneTrust AI Governance | OneTrust · founded 2016 | Privacy-led enterprises extending their DPIA + ROPA program into AI impact assessments and EU AI Act compliance at scale. | Quote-only · triangulated $80K-$500K+/year (stacked SKU) | opaque | 4.4/5 (60+ reviews)
7 | ServiceNow AI Governance | ServiceNow · product launched 2023 | Enterprises already running ServiceNow IRM at scale who want AI governance in the same platform with the same admin team. | Per-employee quote · triangulated $150K-$1M+/year | opaque | 4.4/5 (20+ reviews)
8 | Fairly AI | Fairly AI · founded 2021 | Mid-market enterprises needing a responsible AI platform with framework crosswalk depth and fast time-to-value. | Quote-only · triangulated $30K-$120K/year | opaque | 4.5/5 (10+ reviews)
9 | Anecdotes AI Trust | Anecdotes · founded 2020 | Cloud-data-native enterprises that want AI governance to inherit signals from the same Hyperion engine that runs SOC 2 + ISO 27001 + GDPR. | Quote-only · triangulated $40K-$200K/year | opaque | 4.6/5 (20+ reviews)
10 | Trustible | Trustible · founded 2022 | EU + UK + US enterprises that need a focused EU AI Act + ISO 42001 platform with strong procurement and vendor AI assessment workflows. | Quote-only · triangulated $25K-$100K/year | opaque | 4.5/5 (10+ reviews)
1

RiskWatch

RiskWatch International · founded 1993
Standard $99/month · Professional $36K/year · Enterprise quote
partial pricing

Best for: CCO + Head of AI Governance running ISO 42001 + EU AI Act + NIST AI RMF in one tenant alongside ISO 27001, SOC 2, GDPR, and 40+ other frameworks.

Strengths
  • +Horizontal GRC + framework hub: ISO 42001, NIST AI RMF, EU AI Act, NIST 800-53, ISO 27001, SOC 2, HIPAA, GDPR, CMMC, PCI DSS in one tenant
  • +Cross-mapping engine that auto-detects shared controls (Article 9 ↔ ISO 42001 Cl 6 + 8 ↔ NIST AI RMF MAP + MEASURE)
  • +Standard tier published at $99/month plus Professional $36K/year, rare for the AI governance category
  • +33-year operating history with US federal customers, single-tenant deployment with customer-owned data residency
  • +Vendor AI questionnaire library mapped to ISO 42001 Annex A 10 and EU AI Act Article 25
Honest weaknesses
  • -Not a pure-play model-ops platform at Credo AI or ModelOp depth; runtime drift and bias monitoring rely on signals from the buyer's MLOps stack (MLflow, Weights & Biases, Arize, Fiddler)
  • -Smaller AI governance review volume on G2 than Credo AI or Holistic AI specifically, since the platform is sold as horizontal GRC first
  • -No native foundation-model evaluation harness (HELM, lm-evaluation-harness); evidence ingested via API or upload, not generated on platform
2

Credo AI

Credo AI · founded 2020
Quote-only · triangulated $60K-$250K/year
opaque pricing

Best for: Pure-play responsible AI governance for enterprises whose AI program is led by a dedicated Head of Responsible AI or Chief AI Ethics Officer.

Strengths
  • +Deepest pre-built EU AI Act, NYC LL 144, Colorado AI Act, and OECD content library among pure-play AI governance
  • +Credo AI Policy Center ships ready-mapped policies for ISO 42001 and NIST AI RMF
  • +Strong analyst recognition: named in Gartner AI TRiSM Hype Cycle and Forrester Responsible AI
  • +Use Case Registry plus Generative AI Policy Pack popular with foundation-model deployers
Honest weaknesses
  • -Opaque pricing scales fast at multi-LOB enterprises; triangulated entry sits north of $60K/year
  • -Narrower horizontal GRC coverage than RiskWatch or OneTrust; not the right pick when the same tenant needs SOC 2 plus ISO 27001 plus AI governance
  • -Smaller third-party review volume than RiskWatch or OneTrust due to category age
3

Holistic AI

Holistic AI · founded 2020
Quote-only · triangulated $50K-$200K/year
opaque pricing

Best for: Enterprises that need algorithmic auditing depth, particularly under NYC Local Law 144 AEDT bias audits and EU AI Act Article 27 FRIA workflows.

Strengths
  • +Deepest algorithmic auditing bench among pure-play AI governance, including a 100+ technical fairness metrics library
  • +NYC LL 144 AEDT bias audit specialist with public published audit reports
  • +Open-source Holistic AI library on GitHub is a credibility signal for engineering teams
  • +Strong UK + EU regulator engagement around the EU AI Act, OECD, and Council of Europe Treaty
Honest weaknesses
  • -Opaque pricing; mid-market deployers report quotes higher than peer pure-plays
  • -Audit-first positioning is less of a fit when buyer needs a horizontal GRC tenant
  • -Roadmap for generative AI runtime evaluation still maturing relative to Credo AI
4

IBM watsonx.governance

IBM · watsonx.governance launched 2023
Quote-only · triangulated $200K-$1M+/year
opaque pricing

Best for: Global banks and insurers running US Federal Reserve SR 11-7 model risk management alongside AI governance, especially watsonx + OpenPages customers.

Strengths
  • +Tightest integration with IBM OpenPages for SR 11-7 model risk management and operational risk
  • +Strong factsheet automation pulling lineage from watsonx.ai, SageMaker, and Azure ML
  • +FedRAMP authorized on AWS GovCloud as of April 2026, attractive to US federal buyers
  • +Wolters Kluwer regulatory-change feed integration adds horizon scanning
Honest weaknesses
  • -Enterprise-only pricing and 6-12 month implementation cycles; the wrong pick under 2,000 employees
  • -Strongest fit for IBM-stack customers; standalone deployments report higher SI dependency
  • -UI shows IBM enterprise heritage in places; trails newer pure-plays on first-run experience
5

ModelOp

ModelOp · founded 2016
Quote-only · triangulated $100K-$400K/year
opaque pricing

Best for: Enterprises with mature MLOps that need model lifecycle and runtime governance with deep model registry and drift monitoring.

Strengths
  • +Strongest model lifecycle, registry, and runtime monitoring depth among the category
  • +Pre-built integrations with SageMaker, Azure ML, Databricks, Vertex AI, and Snowflake Cortex
  • +Production model inventory automation pulls models from training platforms rather than relying on attestations
  • +Strong fit for banks running SR 11-7 alongside NIST AI RMF and ISO 42001
Honest weaknesses
  • -Less depth on EU AI Act Article 27 FRIA and NYC LL 144 audit content than Credo AI or Holistic AI
  • -MLOps-engineering buyer profile; less natural fit for a CCO-led AI governance committee
  • -Pricing opacity makes 3-year TCO modeling harder than ISO 42001 specialists
6

OneTrust AI Governance

OneTrust · founded 2016
Quote-only · triangulated $80K-$500K+/year (stacked SKU)
opaque pricing

Best for: Privacy-led enterprises extending their DPIA + ROPA program into AI impact assessments and EU AI Act compliance at scale.

Strengths
  • +Largest installed base of any vendor in this ranking, courtesy of OneTrust Privacy
  • +Tightest DPIA-to-AI-impact-assessment workflow on the market when GDPR is the program anchor
  • +Pre-built EU AI Act + ISO 42001 + NIST AI RMF content libraries kept current by OneTrust DataGuidance
  • +Vendor risk and third-party AI questionnaire workflow inherits from OneTrust TPRM at scale
Honest weaknesses
  • -Stacked-SKU pricing is the most-cited downside in third-party reviews; AI governance often layers on top of Privacy and TPRM SKUs
  • -2023-2024 layoff cycles and price restructuring left customer-success continuity uneven in public reviews
  • -Implementation services for the full stack run 6-12 months and SI dependency is high
7

ServiceNow AI Governance

ServiceNow · AI Governance launched 2023
Per-employee quote · triangulated $150K-$1M+/year
opaque pricing

Best for: Enterprises already running ServiceNow IRM at scale who want AI governance in the same platform with the same admin team.

Strengths
  • +Native fit with ServiceNow IRM, CMDB, and the Now Platform; one admin team runs the whole stack
  • +Now Assist for AI Governance extends generative AI workflows across the program
  • +Strong if the org is already paying per-employee for ServiceNow ITSM or IRM
  • +FedRAMP authorized at multiple levels with AI Governance inheriting that boundary
Honest weaknesses
  • -Per-employee licensing scales fast; the wrong pick when the buyer is not already on ServiceNow
  • -AI Governance content library is younger than Credo AI, Holistic AI, or OneTrust
  • -Pricing transparency is opaque relative to RiskWatch's published $99/month tier
8

Fairly AI

Fairly AI · founded 2021
Quote-only · triangulated $30K-$120K/year
opaque pricing

Best for: Mid-market enterprises needing a responsible AI platform with framework crosswalk depth and fast time-to-value.

Strengths
  • +Mid-market positioning with lower entry prices than Credo AI or Holistic AI
  • +ISO 42001 + NIST AI RMF + EU AI Act + OECD AI crosswalk pre-built
  • +Strong Canadian buyer presence under the Canadian AIA and Quebec Law 25
  • +Generative AI risk content updated through 2026
Honest weaknesses
  • -Smaller customer base and lower review volume than top-tier pure-plays
  • -Less depth on EU AI Act Annex IV technical file builder than RiskWatch or Credo AI
  • -Roadmap on continuous bias monitoring still maturing relative to Holistic AI
9

Anecdotes AI Trust

Anecdotes · founded 2020
Quote-only · triangulated $40K-$200K/year
opaque pricing

Best for: Cloud-data-native enterprises that want AI governance to inherit signals from the same Hyperion engine that runs SOC 2 + ISO 27001 + GDPR.

Strengths
  • +Cloud-data-native architecture pulls evidence from AWS, Azure, GCP, Snowflake, and Databricks
  • +Tight overlap with existing SOC 2 + ISO 27001 + GDPR programs already running on Anecdotes
  • +AI-generated control narratives across the framework set
  • +Tel Aviv plus Palo Alto engineering footprint and strong VC backing
Honest weaknesses
  • -AI governance module younger than the SOC 2 + ISO 27001 + GDPR foundation; pre-built ISO 42001 content lighter than RiskWatch or Credo AI
  • -Smaller third-party AI vendor questionnaire library than OneTrust
  • -Mid-market+ pricing; not the right pick for a 50-engineer startup
10

Trustible

Trustible · founded 2022
Quote-only · triangulated $25K-$100K/year
opaque pricing

Best for: EU + UK + US enterprises that need a focused EU AI Act + ISO 42001 platform with strong procurement and vendor AI assessment workflows.

Strengths
  • +Focused EU AI Act + ISO 42001 specialist with content updated through 2026 Commission guidelines
  • +Strong procurement-side workflow: vendor AI questionnaires, model cards, indemnity terms in one record
  • +Founder team includes former regulator and chief AI ethics officer voices, useful in EU buyer trust signals
  • +Lower entry pricing than enterprise pure-plays
Honest weaknesses
  • -Newest entrant on this list; smaller installed base and lower third-party review volume
  • -Narrower horizontal GRC coverage than RiskWatch or OneTrust
  • -Roadmap on continuous bias monitoring and runtime evaluation behind ModelOp and Holistic AI

Sources audited 2026-05-15: vendor public product pages, G2 + Capterra aggregation, Gartner AI TRiSM Hype Cycle commentary, Forrester Responsible AI research, Vendr + SmartSuite + ComplianceRated triangulation for opaque pricing.

ISO 42001 + NIST AI RMF + EU AI Act crosswalk

Score one capability. Satisfy three regimes.

The three regimes overlap heavily on inventory, classification, impact assessment, data governance, bias monitoring, transparency, human oversight, lineage, third-party AI, incident reporting, and governance accountability. RiskWatch ships a single control set crosswalked across the three, with the EU AI Act delta (FRIA, conformity assessment, CE marking, EU database registration) layered on. Run the three in parallel and reduce combined audit prep by 55-65 percent.

Capability | ISO/IEC 42001:2023 | NIST AI RMF 1.0 | EU AI Act
AI inventory + intended-purpose register | Annex A A.4.2 resource documentation + A.6.2.7 technical documentation + A.9.4 intended use | MAP 1.1 · 1.2 · 1.6 | Article 25 actor roles · Article 49 EU database
Risk classification + risk management lifecycle | Clause 6.1.2 risk assessment + 6.1.3 risk treatment + Clause 8 operation + Annex A A.6.1 | MAP 1-5 · MEASURE 1-4 · MANAGE 1-4 | Articles 6, 9 + Annex I + Annex III
Impact assessment (FRIA / DPIA / AIA) | Clause 6.1.4 AI system impact assessment + Annex A A.5 | MAP 5.1 · 5.2 · MEASURE 2.11 | Article 27 fundamental rights impact assessment
Data governance + training data quality | Annex A A.4.3 data resources + A.7.2-A.7.6 data acquisition, quality, provenance, preparation | MAP 2.3 · MEASURE 2.6 · 2.10 | Article 10 data governance
Bias + fairness audits + monitoring | Annex A A.6.2.6 operation and monitoring + A.7.4 data quality + Clause 9.1 monitoring and measurement | MEASURE 2.11 · MANAGE 4.1 | Article 10 § 2(f) + (g) bias examination
Transparency + human oversight by design | Annex A A.8.2 + A.8.5 information for users and interested parties + A.9.2-A.9.4 responsible use | GOVERN 4.1 · MAP 3.5 · MANAGE 3.2 | Articles 13, 14, 50
Logging, lineage, evaluation records | Clause 7.5 documented information + Annex A A.6.2.7 technical documentation + A.6.2.8 event logs + A.7.5 data provenance | MEASURE 2.3 · 2.4 · 2.5 | Articles 11, 12 + Annex IV §§ 1-9
Third-party AI + supplier governance | Annex A A.10.2-A.10.4 third-party and customer relationships | GOVERN 6.1 · 6.2 | Article 25 actor roles + GPAI rules
Incident reporting + post-deployment monitoring | Clause 9.1 monitoring + Clause 10 improvement + Annex A A.8.4 communication of incidents | MANAGE 4.1 · 4.2 · 4.3 | Articles 72, 73 incident reporting
AI ethics committee + governance accountability | Clause 5 leadership + Annex A A.2 AI policy + A.3 internal organization | GOVERN 1.1 · 1.2 · 1.3 · 2.1 | Article 17 quality management system

Sources: ISO/IEC 42001:2023 Annex A, NIST AI RMF 1.0, Regulation (EU) 2024/1689, Cloud Security Alliance ISO 42001 + EU AI Act crosswalk 2026.

How to build an AI governance program in 90 days

From committee charter to continuous monitoring, in eight ordered steps.

The order matters. Committee before inventory, inventory before classification, classification before impact assessment, assessment before bias audit, bias audit before vendor sweep, vendor sweep before transparency wiring, transparency before continuous monitoring. RiskWatch ships the order so nothing skips ahead and nothing gets left behind.

01

Charter the AI governance committee

Sponsor, RACI, meeting cadence, decision thresholds. Map to ISO 42001 Clause 5 leadership and NIST AI RMF GOVERN 1. Days 1-7.

02

Inventory every AI system

Production, dev, vendor-supplied, shadow. Tag provider + deployer + intended use + training data source + risk tier candidate. Days 8-20.

03

Classify under EU AI Act + ISO 42001 + NIST

Walk Article 6 + Annex III, run the ISO 42001 Clause 6.1.4 impact assessment, map the NIST AI RMF risk profile. Document Article 6(3) derogation reasoning where applied. Days 14-25.

04

Stand up the impact assessment workspace

FRIA, DPIA, AIA template library. Affected-person registry. Run one assessment per high-risk system. Days 21-40.

05

Run baseline bias + accuracy audit

Demographic parity, equal opportunity, calibration. Set thresholds, register residual risk, link to model registry. Days 28-50.

06

Sweep third-party AI vendors

Foundation model providers, AI SaaS, embedded copilots. Send the Annex A 10 questionnaire, capture model cards, log indemnity terms. Days 35-60.

07

Wire transparency + human oversight

Article 50 AI interaction labels, deepfake watermarking, override + stop controls, operator training. Days 45-75.

08

Activate continuous monitoring + incident workflow

Drift, bias, accuracy thresholds linked to the residual-risk register. Article 73 incident SLAs (15 days default / 2 days for widespread infringement or critical infrastructure / 10 days for a death). NIST AI RMF MANAGE 4. Days 60-90.
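What step 05 (baseline bias audit with thresholds) and step 08 (continuous monitoring against that baseline) compute in practice, as an added example that is not RiskWatch code: it scores a binary decision system's outputs per protected-class group on the four metrics the bias-audit capability names (demographic parity, equal opportunity, predictive parity, calibration) plus the four-fifths impact ratio that NYC LL 144 audits report, compares each parity gap to a threshold, and returns the alerts that would land in the residual-risk register. The decisions, the thresholds, and the 0.05 drift tolerance are constructed for the example; a real program sets them per system and records the rationale in the impact assessment.

```python
"""Baseline bias audit with threshold alerts and a drift check (added example, not RiskWatch code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    group: str       # protected-class value the audit slices on
    label: int       # observed outcome, 1 = positive
    predicted: int   # system decision, 1 = selected / approved
    score: float     # system's probability for the positive class


# Assumed thresholds for the example; a real program sets them per system.
DEFAULT_THRESHOLDS = {
    "selection_rate": 0.10,    # demographic parity gap
    "tpr": 0.10,               # equal opportunity gap
    "ppv": 0.10,               # predictive parity gap
    "calibration_gap": 0.05,   # gap in |mean score - observed positive rate|
}
MIN_IMPACT_RATIO = 0.8         # four-fifths rule used in LL 144 impact ratios


def _rate(num, den):
    # Groups with no positives or no selections yield 0.0; the sample avoids that case.
    return num / den if den else 0.0


def group_metrics(decisions):
    """Per-group selection rate, TPR, PPV, and calibration gap."""
    acc = defaultdict(lambda: {"n": 0, "sel": 0, "pos": 0, "tp": 0, "score": 0.0})
    for d in decisions:
        a = acc[d.group]
        a["n"] += 1
        a["sel"] += d.predicted
        a["pos"] += d.label
        a["tp"] += int(d.predicted == 1 and d.label == 1)
        a["score"] += d.score
    return {
        g: {
            "selection_rate": _rate(a["sel"], a["n"]),
            "tpr": _rate(a["tp"], a["pos"]),
            "ppv": _rate(a["tp"], a["sel"]),
            "calibration_gap": abs(_rate(a["score"], a["n"]) - _rate(a["pos"], a["n"])),
        }
        for g, a in acc.items()
    }


def fairness_gaps(metrics):
    """Max-minus-min across groups for each metric; 0.0 means perfect parity."""
    return {m: max(v[m] for v in metrics.values()) - min(v[m] for v in metrics.values())
            for m in DEFAULT_THRESHOLDS}


def audit(decisions, thresholds=DEFAULT_THRESHOLDS, min_impact_ratio=MIN_IMPACT_RATIO):
    """Baseline audit; `alerts` is what gets registered as residual risk."""
    metrics = group_metrics(decisions)
    gaps = fairness_gaps(metrics)
    alerts = [{"metric": m, "value": round(g, 4), "threshold": thresholds[m]}
              for m, g in gaps.items() if g > thresholds[m]]
    top_rate = max(v["selection_rate"] for v in metrics.values())
    for g, v in metrics.items():
        ratio = _rate(v["selection_rate"], top_rate)   # selection rate vs. best-treated group
        if ratio < min_impact_ratio:
            alerts.append({"metric": f"impact_ratio[{g}]", "value": round(ratio, 4),
                           "threshold": min_impact_ratio})
    return {"metrics": metrics, "gaps": gaps, "alerts": alerts}


def drift_alerts(baseline_gaps, current_gaps, tolerance=0.05):
    """Continuous monitoring: flag metrics whose parity gap widened past `tolerance` since the baseline."""
    return [{"metric": m, "baseline": round(baseline_gaps.get(m, 0.0), 4), "current": round(g, 4)}
            for m, g in current_gaps.items() if g - baseline_gaps.get(m, 0.0) > tolerance]


# Constructed sample: 10 decisions per group with the same base rate (6 of 10 positive),
# but group B is selected less often and more of its true positives are missed.
def _rows(group, triples):
    return [Decision(group, label, pred, score) for label, pred, score in triples]


SAMPLE_DECISIONS = _rows("A", [
    (1, 1, 0.9), (1, 1, 0.8), (1, 1, 0.8), (1, 1, 0.7), (1, 1, 0.7),
    (0, 1, 0.6), (1, 0, 0.4), (0, 0, 0.4), (0, 0, 0.4), (0, 0, 0.3),
]) + _rows("B", [
    (1, 1, 0.9), (1, 1, 0.8), (1, 1, 0.7), (0, 1, 0.6),
    (1, 0, 0.45), (1, 0, 0.45), (1, 0, 0.45), (0, 0, 0.45), (0, 0, 0.45), (0, 0, 0.45),
])


if __name__ == "__main__":
    result = audit(SAMPLE_DECISIONS)
    for name, m in result["metrics"].items():
        print(name, {k: round(v, 3) for k, v in m.items()})
    for alert in result["alerts"]:
        print("ALERT", alert)
```

On the sample, predictive parity and calibration stay inside their thresholds while demographic parity, equal opportunity, and group B's impact ratio breach, which is the usual shape of a real finding: a system can look calibrated and still select one group far less. The gaps returned by the baseline run are what step 08 stores and feeds back into `drift_alerts` on each later scoring window.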

How RiskWatch covers AI governance

One tenant. ISO 42001, NIST AI RMF, EU AI Act, plus the 40+ other frameworks the same buyer already runs.

RiskWatch is a horizontal GRC + framework hub, not a pure-play model-ops platform. The platform ships the AI inventory, risk classification, impact assessment workspace, vendor AI questionnaire library, transparency and human oversight tracker, incident reporting workflow, and cross-mapping engine that auto-detects shared controls across ISO 42001, NIST AI RMF, the EU AI Act, ISO 27001, SOC 2, HIPAA, GDPR, and 40+ other frameworks. Runtime drift and bias signals are ingested via API from the buyer's MLOps stack (MLflow, Weights & Biases, Arize, Fiddler, SageMaker, Vertex AI, Databricks). The result is one evidence vault, one audit trail, and one set of board and regulator reports that read off the same source of truth.

AI inventory with provider, deployer, intended-purpose, lawful-basis, and risk-tier tagging
Article 6 + Annex III risk classifier plus ISO 42001 Clause 6.1.4 impact decision tree
FRIA + DPIA + AIA + ISO 42001 Clause 6.1.4 impact assessment from one workspace
Vendor AI questionnaire library mapped to ISO 42001 Annex A 10 and EU AI Act Article 25
Cross-mapping engine auto-detects shared controls across 40+ frameworks (one score, multiple regimes)
Standard tier published at $99/month, Professional at $36K/year, Enterprise quote-only
Single-tenant deployment with customer-owned data residency, 33-year operating history
AI governance capability coverage
Inventory (models + vendors + shadow AI): 94%
Classify (EU AI Act + ISO 42001 tiering): 92%
FRIA + DPIA (impact assessment workspace): 90%
Bias (audit + drift monitoring): 84%
Lineage (data + model + evaluation): 86%
Vendors (Annex A A.10 + Art. 25): 92%
Transparency (Art. 50 + ADM disclosure): 88%
Oversight (Art. 14 + Annex A A.9): 88%
Incidents (Art. 73 + MANAGE 4): 91%
Crosswalk (40+ framework mapping): 96%
10 capabilities + 40+ frameworks → one tenant
Who uses RiskWatch for AI governance

Six buyer profiles running AI governance on the same platform.

Head of AI Governance is the primary buyer. CDO with regulatory exposure is the secondary. The other four pick up the program when AI governance starts to overlap with the work they already own.

ICP 1 of 6

Head of AI Governance / AI Program Lead

Owns the AI inventory, ISO 42001 management system, NIST AI RMF cadence, and EU AI Act readiness for an enterprise placing AI into the EU market or into consequential US decisions. Reports to the CCO, CDO, or CIO. RiskWatch is the system of record for the inventory, risk classification, impact assessments, and evidence vault.

ICP 2 of 6

CDO / Director of Data Science with regulatory exposure

Owns the model registry and the data-science team shipping into regulated decisions: credit, insurance, healthcare, hiring, education. Wants model lineage and bias monitoring tied to the same governance record auditors and regulators read. RiskWatch is the governance layer above the MLOps stack.

ICP 3 of 6

Chief Compliance Officer at AI-enabled enterprise

Already runs ISO 27001 + SOC 2 + GDPR + HIPAA and now inherits ISO 42001 + EU AI Act + NIST AI RMF. RiskWatch's cross-mapping engine lets a single Annex IV evidence answer satisfy ISO 42001 Clause 7.5 + GDPR Article 35 + Article 27 FRIA + NIST AI RMF MAP.

ICP 4 of 6

Head of Responsible AI / AI Ethics Lead

Chairs the AI ethics committee, drafts the AI principles, runs the impact assessment review board. Wants the assessment workspace, transparency tooling, and external responsible-AI reporting to live in one place. RiskWatch ships the committee charter, RACI, decision log, and reporting templates.

ICP 5 of 6

Vendor + procurement AI risk owner

Owns the foundation-model contracts, AI-enhanced SaaS vendors, and embedded copilot risk. RiskWatch's vendor AI questionnaire library maps to ISO 42001 Annex A 10, NIST AI RMF GOVERN 6, and EU AI Act Article 25 with provider attestations, model cards, and indemnity terms in one vendor record.

ICP 6 of 6

DPO / Privacy Officer extending into AI

Already owns the GDPR Article 35 DPIA workflow and now picks up the EU AI Act Article 27 FRIA, the Colorado AI Act assessment, and the Canadian AIA. RiskWatch unifies the four impact assessments around a single affected-person registry and lawful-basis record.

What customers say

AI governance that does not require a separate platform.

Composite anonymized buyer quotes from RiskWatch customers running ISO 42001 + NIST AI RMF + EU AI Act in parallel. The biggest win across the cohort: existing ISO 27001 plus GDPR evidence carries forward, so the AI governance delta is the only net-new authoring.

We moved the AI inventory, the FRIA workspace, and the third-party AI vendor file off shared drives. The first regulator question was answered in a 15-minute walk-through, not a four-week scramble.
Priya T.
Head of AI Governance · FinServ · 6,200 employees · EU + UK regulated
The crosswalk between ISO 42001 Annex A, NIST AI RMF MAP, and EU AI Act Article 27 cut the documentation effort by more than half. One impact assessment, three regulators happy.
Marcus C.
Chief Data Officer · HealthTech · 1,800 employees · MDR Class IIa AI
We ship AI features into hiring software. NYC LL 144 bias audits, the Colorado AI Act, the EU AI Act, and our customers' SOC 2 reports all read off the same evidence vault now.
Jordan L.
Chief Compliance Officer · HR Tech · 480 employees · AEDT + Annex III §4
Frameworks alongside AI governance

Plus every framework an AI governance program touches, cross-mapped.

Score one capability. Satisfy ISO 42001, NIST AI RMF, EU AI Act, OECD, Council of Europe AI Treaty, Singapore, UK, Colorado AI Act, NYC LL 144, and the US federal AI policy stack simultaneously.

  • ISO/IEC 42001:2023: AI management system (certifiable)
  • NIST AI RMF 1.0: GOVERN + MAP + MEASURE + MANAGE
  • NIST AI 600-1: Generative AI profile, July 2024
  • EU AI Act (Regulation (EU) 2024/1689): Articles 5, 6, 9-15, 27, 50, 99
  • OECD AI Principles: updated May 2024, 47 adherents
  • Singapore Model AI Governance Framework: GenAI v2, May 2024
  • UK pro-innovation approach: 5 cross-sector principles
  • Council of Europe AI Treaty: Framework Convention, September 2024
  • ISO/IEC 23894: AI risk management guidance
  • ISO/IEC 24029: AI robustness assessment
  • ISO/IEC 22989: AI concepts and terminology
  • Colorado AI Act (SB 24-205): effective June 30, 2026 (delayed from February 2026 by SB 25B-004)
  • NYC Local Law 144: AEDT bias audit
  • EO 14110 + OMB M-24-10: US federal AI risk (note that EO 14110 was rescinded in January 2025 and OMB M-24-10 was replaced by OMB M-25-21 in April 2025)
  • EEOC + CFPB + FTC: 2023 joint AI enforcement statement
Free download

AI Governance Program Starter Kit (ISO 42001 + NIST AI RMF + EU AI Act)

A 42-page PDF walking the 90-day program plan, the AI inventory schema, the FRIA + DPIA + AIA combined template, the ISO 42001 Annex A control checklist, the NIST AI RMF outcomes mapping, the EU AI Act Article 27 walkthrough, and the third-party AI vendor questionnaire. Updated with 2026 Commission guidance and the Colorado AI Act.

  • AI inventory schema with provider, deployer, intended-use, and risk-tier fields
  • FRIA + DPIA + AIA combined impact assessment template with affected-person registry
  • ISO 42001 Annex A control checklist (38 controls) plus NIST AI RMF outcome map
  • Third-party AI vendor questionnaire mapped to ISO 42001 Annex A 10 and EU AI Act Article 25

AI governance software FAQ

What CCOs, AI governance leads, and CDOs ask before they buy

About ISO/IEC 42001:2023, NIST AI RMF 1.0, the EU AI Act, OECD AI Principles, Colorado AI Act, NYC Local Law 144, model inventory, FRIA, bias audits, third-party AI vendor risk, and how RiskWatch covers all of them.

Ready to ship AI governance?

Stand up your AI inventory this week

Start a 30-day free trial. Full AI inventory, risk tier classifier, ISO 42001 plus NIST AI RMF plus EU AI Act control library, FRIA + DPIA + AIA impact assessment workspace, third-party AI vendor questionnaire library, bias and accuracy KPI tracking, transparency and human oversight tracker, incident reporting with Article 73 SLAs, and cross-mapping to ISO 27001, SOC 2, HIPAA, and GDPR. No credit card.

No credit card required · 30-day free trial · Cancel anytime

Request a Demo