Playbook · Global · All sectors

AI in the enterprise:
a framework-aligned governance roadmap

The EU AI Act, NIST AI RMF and ISO/IEC 42001 now define how you build, deploy and prove your AI - and enterprise buyers ask for the evidence in every security review. Here is the 5-phase roadmap they inspect, and the runtime gap your existing stack cannot close.

EU AI Act NIST AI RMF + GenAI Profile ISO/IEC 42001 OWASP LLM Top 10 · MITRE ATLAS
The mandate

The frameworks that now define AI accountability

Three instruments set the bar for any enterprise building or deploying AI - regardless of where you are headquartered.

EU AI Act

Binding · extraterritorial

GPAI rules in force (Aug 2025); high-risk obligations by Dec 2027. Fines up to €35M / 7% of global turnover. Applies if your AI touches the EU.

NIST AI RMF + GenAI Profile

US baseline · voluntary

Govern · Map · Measure · Manage. The GenAI Profile (AI 600-1) adds 12 risks - prompt injection, data poisoning and more.

ISO/IEC 42001

Auditable · procurement benchmark

The certifiable AI management system. Crosswalks to NIST & the EU AI Act - and now a common vendor-review requirement.

Overlays that may apply: US state laws (Texas TRAIGA; Colorado & California ADMT, 2027) · India DPDP Act + AI Governance Guidelines · OWASP LLM Top 10 & MITRE ATLAS · your sector's own rules.
The through-line

What every framework converges on

Accountability sits with you, not the model
Risk-based controls across the lifecycle
Human oversight of AI decisions
Documented evidence, not assertions
The roadmap

Five phases buyers & auditors will inspect

A supervisor-ready sequence that maps to NIST functions, EU AI Act obligations and ISO 42001 controls.

PHASE 0
Govern
Own the risk before AI ships
AI policy & roles (ISO 42001) · NIST GOVERN · EU AI Act risk tiering · AI inventory
PHASE 1
Build & Test
Prove it's safe before it ships
Red-teaming - OWASP LLM Top 10 & MITRE ATLAS · NIST MAP/MEASURE · EU AI Act technical docs
PHASE 2
Deploy & Enforce
Control what the AI can access & do
Human oversight (EU AI Act Art. 14) · access control & agent guardrails · shadow-AI controls · NIST MANAGE
PHASE 3
Monitor & Respond
See it, contain it, report it
Logging & post-market monitoring (EU AI Act Art. 12/73) · serious-incident reporting · drift & output checks
CONTINUOUS
Assure & Disclose
Sustain trust; answer buyers & auditors
ISO 42001 audit & continual improvement · transparency (Art. 50) · disclosures · questionnaire evidence
The readiness gap

Why this is urgent, not theoretical

Adoption has outpaced control - and that gap is the exposure.

88%
had a confirmed or suspected AI-agent security incident this year
80%
report moderate-to-pervasive shadow AI
18%
have a formal AI security policy
21%
have mature governance for AI agents
Sources: Gravitee (survey of 919 organizations), ISACA & industry surveys, 2026.
The blind spot

The gap your existing stack cannot close

Your IAM/PAM, WAF and API gateways, DLP/CASB, SIEM and EDR are built for deterministic software. None can catch a legitimately-authorised AI agent, driven by untrusted input, doing something inside its permissions but outside your policy - the dominant 2026 failure mode (prompt injection, the "lethal trifecta", agentic data exfiltration).
IAM / PAM
identity authenticated, in scope
waved through
WAF / API gateway
request well-formed
waved through
DLP / CASB
sanctioned tool & channel
waved through
SIEM / EDR
no known-bad signature
waved through
Every layer says "yes." None can see the AI's intent vs your policy.
Where Trampolyne fits

Make your AI stay within intended bounds - and prove it

From pre-deployment testing, through runtime, to audit-ready evidence. Trampolyne supplies the technical controls and evidence that make each phase credible - the policies, documentation and processes stay yours.

Product Govern Build & Test Deploy & Enforce Monitor & Respond Assure
AI Red-Teaming
Shadow AI Detection & Runtime Control
Enterprise AI Security & Runtime Control
AI Compliance Assistant
core control & evidence Trampolyne provides  ·  supporting input.

AI Red-TeamingAWS Marketplace

Continuous adversarial testing on a scheduled cadence and on every material change. 27+ attack classes, working exploits + fixes, mapped to OWASP LLM Top 10 & MITRE ATLAS - the report your enterprise buyers ask for.

OWASP LLM Top 10MITRE ATLASNIST MAP + MEASUREEU AI Act tech docs

Enterprise AI Security & Runtime Control

Sits inline and evaluates every request before the model or agent acts - RBAC/ABAC/PBAC/NGAC enforcement in milliseconds. A deterministic guardrail over a non-deterministic model. No model rewrites.

EU AI Act Art. 14 Human OversightNIST MANAGEISO 42001 controls

Shadow AI Detection & Runtime Control

Sits between employees and every public AI tool. Classifies data by type, provenance and role, blocks sensitive data before it leaves, and logs every interaction - without killing productivity.

Data leakage to public AIGDPR / DPDPISO 42001 data controls

AI Compliance Assistant

Turns enforcement, red-team and runtime evidence into review-ready answers - a continuous, per-decision audit trail for auditors, your board and enterprise-buyer security questionnaires.

ISO 42001 audit evidenceEU AI Act logging & transparencyNIST GOVERN evidence
FAQ

AI governance questions we hear from CISOs & DPOs

Which AI regulations and frameworks apply to my enterprise?
For most mid-to-large enterprises and GCCs, three matter first: the EU AI Act (binding and extraterritorial - it applies if your AI is used in the EU), the NIST AI RMF (the US voluntary baseline: Govern, Map, Measure, Manage), and ISO/IEC 42001 (the certifiable AI management system now common in vendor security reviews). Overlays include US state laws (Texas TRAIGA, Colorado and California ADMT), India's DPDP Act, and OWASP LLM Top 10 / MITRE ATLAS for AI security.
Does the EU AI Act apply if my company is not based in the EU?
Yes. It applies where an AI system or its output is used in the EU, regardless of where you are headquartered. GPAI obligations have been in force since August 2025 and high-risk obligations apply by December 2027, with fines up to EUR 35M or 7% of global turnover.
What is the difference between the NIST AI RMF and ISO/IEC 42001?
The NIST AI RMF is a voluntary risk-management framework (Govern, Map, Measure, Manage, plus a Generative AI Profile). ISO/IEC 42001 is a certifiable AI management system - an auditable standard that enterprise buyers increasingly require in procurement. They crosswalk to each other and to the EU AI Act.
How do we prove AI governance to enterprise buyers and auditors?
With evidence, not assertions: a per-decision audit trail of what your AI was allowed or blocked from doing, adversarial red-team reports mapped to OWASP LLM Top 10 and MITRE ATLAS, and alignment documented against ISO/IEC 42001, the EU AI Act and the NIST AI RMF. That is the Assure phase of the roadmap.
Can our existing security stack (WAF, DLP, IAM, SIEM) secure AI agents?
No. Those tools are built for deterministic software. They cannot catch a legitimately-authorised AI agent, driven by untrusted input, doing something inside its permissions but outside your policy - the dominant 2026 failure mode. Closing it requires runtime, pre-execution policy enforcement that evaluates intent versus policy.
More playbooks

Governance playbooks for other markets

Same 5-phase structure, tuned to each market’s regulators and buyers.

Take the 2-page roadmap with you

Share it with your board, your buyers and your engineers - then see where you stand in a 20-minute call.

Positioning collateral, not legal advice. Trampolyne AI helps you align with regulatory expectations; it does not issue certifications.