
# Enterprise AI Governance Framework

## Governing AI at the point of execution

AI systems are no longer just generating outputs.\
They are taking actions across enterprise systems, data and infrastructure.

Enterprises can control who accesses systems.\
They cannot prove what AI does once inside them.

If an AI system in your environment executed a harmful action today, could you prove:

* Who authorized it?
* What constraints applied?
* Whether it should have been allowed?

For most organizations, the honest answer is **no**.

**The control point has shifted from access to execution.**

To address this, Nuggets Labs has developed the Enterprise AI Governance Framework, a vendor-neutral, practical model for governing AI systems that perform operational actions. It is based on real-world work with enterprises, regulators and infrastructure providers, and is designed to complement existing frameworks by introducing the control layer they do not define: Action Governance.

<div className="mt-6 max-w-xs">
  <a href="https://www.nuggets.life/nuggets-labs-enterprise-ai-governance-framework.pdf" className="button" target="_blank">
    Download the Framework

    <Icon icon="arrow-right" iconType="light" color="#fff" />
  </a>
</div>

## The problem

Traditional identity and security models were designed for a world where humans interact directly with software.

They answer who has access and what permissions they hold.

They do not answer who authorized an AI action, whether it should execute, whether it complies with policy and constraints, or whether it can be proven to an auditor or regulator.

As AI systems begin operating autonomously, this becomes the primary risk.

## The gap

Two governance layers already exist. One is missing.

<div className="grid grid-cols-1 md:grid-cols-2 gap-6 mt-6">
  <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-800 p-6 flex flex-col">
    <h3 className="font-semibold text-lg mb-2 text-gray-900 dark:text-white">Model Governance</h3>

    <p className="text-gray-600 dark:text-gray-300 flex-1">
      Ensuring models are safe, reliable and fit for purpose. It is not the control point.
    </p>
  </div>

  <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-800 p-6 flex flex-col">
    <h3 className="font-semibold text-lg mb-2 text-gray-900 dark:text-white">System Governance</h3>

    <p className="text-gray-600 dark:text-gray-300 flex-1">
      Ensuring infrastructure, data and integrations are secure. It is not the control point.
    </p>
  </div>
</div>

<div className="rounded-xl border-2 border-blue-500 dark:border-blue-400 bg-blue-50 dark:bg-blue-950 p-6 mt-6">
  <h3 className="font-semibold text-lg mb-2 text-blue-700 dark:text-blue-300">Action Governance</h3>

  <p className="text-blue-700 dark:text-blue-300">
    Determining whether AI actions are authorized to execute, enforcing that decision in real time, and producing verifiable evidence.
  </p>

  <p className="text-blue-800 dark:text-blue-200 font-semibold mt-3">
    This is the control point. This is what existing frameworks do not address.
  </p>
</div>

## The framework

The Enterprise AI Governance Framework introduces Action Governance as a new control layer for AI systems that act.

It operates after access, before execution. Every AI action is evaluated through a verifiable chain of responsibility:

<div className="flex flex-wrap justify-center items-center gap-4 text-lg font-semibold mt-6 mb-4 text-center text-gray-900 dark:text-white">
  <span>Identity</span>
  <span className="text-gray-400 dark:text-gray-500">→</span>
  <span>Authority</span>
  <span className="text-gray-400 dark:text-gray-500">→</span>
  <span>Intent</span>
  <span className="text-gray-400 dark:text-gray-500">→</span>
  <span>Action</span>
</div>

<p className="mt-4 text-center max-w-2xl mx-auto text-gray-600 dark:text-gray-300">
  These elements are assessed together at the point of execution. The decision is enforced in real time and recorded as verifiable evidence.
</p>

<Frame>
  <img src="https://mintcdn.com/nuggets-b89005a2/Mpwkvv7FlbFL8U8H/assets/ai-governance-lifecycle-white-bkg@5x.png?fit=max&auto=format&n=Mpwkvv7FlbFL8U8H&q=85&s=a78de27e585ab8359fc638129c027153" alt="AI Governance Lifecycle White Bkg" width="2975" height="3215" data-path="assets/ai-governance-lifecycle-white-bkg@5x.png" />
</Frame>

The framework defines three governance domains, supported by Runtime Governance and a Trust Infrastructure Layer. It complements standards such as NIST, ISO and the EU AI Act by introducing the missing execution control layer.

The framework is designed to be used, not just read. For procurement teams, CISOs and enterprise architects evaluating AI systems, these three steps provide a practical starting point.

<div className="grid grid-cols-1 md:grid-cols-3 gap-6 mt-6">
  <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-800 p-6">
    <h3 className="font-semibold text-lg mb-3 text-gray-900 dark:text-white">1. Classify</h3>
    <p className="text-gray-600 dark:text-gray-300">Map your active AI deployments against the risk tiers in the framework. Identify which systems are already operating at the High or Critical tier — systems that execute actions, not just generate outputs.</p>
  </div>

  <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-800 p-6">
    <h3 className="font-semibold text-lg mb-3 text-gray-900 dark:text-white">2. Gap-assess</h3>
    <p className="text-gray-600 dark:text-gray-300">Can you verify the identity of every AI actor? Prove the authority it was operating under? Produce tamper-resistant audit evidence on demand? If the answer to any is no, that is your governance gap.</p>
  </div>

  <div className="rounded-xl border border-gray-200 dark:border-gray-700 bg-gray-50 dark:bg-gray-800 p-6">
    <h3 className="font-semibold text-lg mb-3 text-gray-900 dark:text-white">3. Prioritize</h3>
    <p className="text-gray-600 dark:text-gray-300">Establish identity and delegated authority controls for your highest-risk systems first, before expanding to full policy enforcement and runtime governance. IAM is the foundation. Action Governance is the next layer. Both are required.</p>
  </div>
</div>

## Download the framework

Most organizations already have AI systems capable of taking action. Very few can prove those actions were authorized.

The full framework covers the trust stack, governance domains, risk classification, governance roles, infrastructure primitives, standards alignment and a procurement question set for evaluating AI vendors.

<div className="mt-6 max-w-xs">
  <a href="https://www.nuggets.life/nuggets-labs-enterprise-ai-governance-framework.pdf" className="button" target="_blank">
    Download the Framework

    <Icon icon="arrow-right" iconType="light" color="#fff" />
  </a>
</div>

*New to these concepts? [Visit the Enterprise AI Governance Glossary](https://www.nuggets.life/docs/nuggets-labs/enterprise-ai-governance-framework-glossary) for definitions of the key terms used in this framework.*
