Enterprise AI Governance Playbook

EU AI Act, NIST AI RMF, ISO 42001, and DIFC Regulation 10 explained in plain terms, with a practical starting point for compliance and legal leaders, and the IT teams who build the controls.

Mindcat Research Team
July 1, 2026
13 min read

Table of Contents

  • Why AI Governance Became a Board-Level Issue
  • The EU AI Act in Plain Terms
  • The NIST AI RMF in Plain Terms
  • ISO 42001 in Plain Terms
  • DIFC Regulation 10: A Gulf-Specific Requirement
  • Where to Start: Matching the Framework to Your Footprint
  • A Starter Checklist for This Quarter
  • Building a Governance Framework That Holds Up

Why AI Governance Became a Board-Level Issue

For two years, AI governance lived in a slide deck next to data privacy and vendor risk. That changed once regulators started issuing fines and audit findings tied to live AI deployments. The EU AI Act carries penalties up to €35 million or 7% of global annual turnover for the most serious violations, a figure that puts AI risk in the same conversation as antitrust and data protection at the board level.

Enforcement is what moved AI governance out of the policy folder. The EU AI Act's prohibitions on unacceptable-risk AI took effect in February 2025. Obligations for high-risk systems follow on August 2, 2026. Generative AI model providers already report under the Act's general-purpose AI rules. Boards that treated AI governance as a someday project now face a hard date on the calendar.

The pressure doesn't stop at the EU border. A company in Mumbai or Dubai that sells software with an AI feature into the EU market, or whose AI output reaches EU users, falls under the Act's reach regardless of where the company is headquartered. Add NIST AI RMF references showing up in US federal contracts and vendor security questionnaires, plus ISO 42001 certification requests from enterprise buyers during procurement, and AI governance turns into a sales-cycle requirement as much as a compliance one.

The shift shows up in procurement paperwork before it shows up in a courtroom. Enterprise buyers in finance and healthcare now build AI governance questions into vendor security reviews. They want to know which framework your AI feature maps to, and who signs off on a model before it ships. A vendor without a documented answer loses the deal before the legal team ever reads a contract.

The number that gets attention:

Fines for prohibited AI practices under the EU AI Act reach €35 million or 7% of global annual turnover, whichever is higher. High-risk system violations carry penalties up to €15 million or 3% of turnover.

The EU AI Act in Plain Terms

A Four-Tier Risk System

The EU AI Act sorts every AI system into one of four risk tiers, and the tier determines what you owe regulators. Unacceptable-risk systems are banned outright. High-risk systems carry the heaviest compliance burden. Limited-risk systems face transparency duties. Minimal-risk systems face no mandated obligations under the Act itself.

Unacceptable risk

Banned outright: government social scoring, manipulative AI that exploits vulnerabilities, and most real-time biometric identification in public spaces.

High risk

The heaviest obligations: hiring and HR tools, credit and insurance scoring, biometric identification, education access, and critical infrastructure control.

Limited risk

Transparency duties only: chatbots must disclose they're AI, and synthetic media such as deepfakes must carry a label.

Minimal risk

No obligations under the Act beyond existing law. Spam filters and AI-assisted inventory tools sit here for most companies.

What Counts as High-Risk in an Enterprise Setting

Annex III of the Act lists the use cases that trigger high-risk status, and several sit inside ordinary enterprise software. A résumé-screening tool used in hiring qualifies. So does a credit-scoring model, an insurance-pricing algorithm tied to life or health coverage, and an AI system used to evaluate employee performance for promotion or termination decisions. If your CRM or internal tooling stack includes an AI feature that scores, ranks, or filters people for access to a job, a loan, insurance, or a public service, treat it as high-risk until a legal review says otherwise.

What High-Risk Systems Owe Regulators

Articles 9 through 15 of the Act set the requirements a high-risk AI system must meet. Providers answer for building a system that meets them, and deployers carry their own duties for operating it, so both sides of a vendor relationship need evidence for the following:

Risk management

A documented risk management process that runs across the system's lifecycle, not a one-time assessment at launch.

Data governance

Controls over the data used to train and test the model, including checks for known sources of bias.

Documentation and logging

Technical documentation and automatic logging detailed enough to reconstruct how the system reached a given output.

Human oversight

A mechanism that lets a person review, override, or stop the system's output before it causes harm.

The Extraterritorial Reach

Article 2 of the Act applies to any provider that places an AI system on the EU market, and to any deployer whose AI system's output is used within the EU. The company itself does not need to sit inside EU borders. A consultancy in Bangalore building an AI hiring tool for a European client falls under the Act. A UAE-based fintech selling an AI credit-scoring product to an EU bank falls under the Act. Geography of your headquarters doesn't determine exposure here; the location of your customer and your AI system's output does.

The NIST AI RMF in Plain Terms

The National Institute of Standards and Technology published the AI Risk Management Framework in January 2023 as a voluntary framework for any US organization building or deploying AI. NIST AI RMF carries no penalty for non-compliance on its own, but it has become the reference framework that federal agencies cite in procurement language and that enterprise security teams cite in vendor questionnaires, inside and outside the US.

Four Functions, One Continuous Cycle

Govern

Sets the organizational foundation: who owns AI risk decisions, what risk tolerance the organization accepts, and what policies apply before a model gets built. Without Govern, the other three functions run without an owner.

Map

Ties risk to a specific use case. A fraud-detection model carries different risks than a marketing-copy generator, and Map is where a team documents context, intended use, and the people affected before deployment.

Measure

Tests the system against the risks Map identified: accuracy testing, bias testing across demographic groups, and red-team exercises that probe for failure modes before they reach production.

Manage

Turns test results into action: prioritizing which risks get fixed first, monitoring the system after launch, and running an incident response process when something breaks in production.

NIST added a Generative AI Profile in 2024 that maps the same four functions onto large language model risks such as hallucination, prompt injection, and training-data leakage. Vendor security reviews now ask where an AI feature sits inside the NIST AI RMF, and federal contractors need an answer ready before the question comes up.

ISO 42001 in Plain Terms

ISO/IEC 42001, published in December 2023, is the first international standard for an AI management system, and an organization can earn certification against it the same way it certifies against ISO 27001 for information security. The standard follows the same Annex SL harmonized structure as ISO 27001, so a company already certified against ISO 27001 recognizes the shape of ISO 42001 right away: context of the organization, leadership, planning, support, operation, performance evaluation, and improvement.

Certification requires a documented AI policy that states the organization's intent for responsible AI use, a risk assessment process specific to AI systems, and an AI impact assessment process that looks at effects on individuals and groups, not technical risk alone. The standard also requires defined roles for AI governance, a management review cycle, and an internal audit program that checks the management system works in practice rather than on paper.

The certification cycle runs on a plan-do-check-act loop. An organization sets AI objectives, implements controls, measures whether the controls work, and adjusts the system based on what it finds. ISO 42001 certification carries weight with enterprise buyers who require a recognized standard before signing a vendor agreement involving AI, and it gives a Gulf or South Asian company a credential that reads the same way to a buyer in Frankfurt as it does to one in Dubai.

Certification is optional, and that's the point worth weighing before committing budget to it. The EU AI Act and DIFC Regulation 10 apply whether or not a company pursues ISO 42001. NIST AI RMF asks for the same risk discipline without a certification body involved at all. ISO 42001 earns its cost when a customer contract or a tender requires the certificate itself, not just the underlying controls.

DIFC Regulation 10: A Gulf-Specific Requirement

Entities operating inside the Dubai International Financial Centre face AI governance obligations under Regulation 10 of the DIFC Data Protection Regulations, which governs the processing of personal data through autonomous and semi-autonomous systems. It is part of the Centre's data protection regime rather than a separate AI law: it applies to DIFC-registered entities that process personal data with such systems, and the DIFC Commissioner of Data Protection enforces it. Financial firms authorised by the DFSA answer to the DFSA separately for their regulated activities.

This is a region-specific requirement, not a global one, and it sits on top of whatever the EU AI Act or NIST AI RMF already requires for a company's other markets. A bank or fintech registered in the DIFC needs a governance program that satisfies DIFC obligations on its own terms. A company headquartered elsewhere with DIFC operations needs to map which of its AI systems process personal data within the Centre at all. Guidance from the Commissioner of Data Protection continues to develop, so treat the specific requirements as a moving target and confirm current obligations with the regulator or with counsel before finalizing a compliance program built around this regulation alone.

Where to Start: Matching the Framework to Your Footprint

Most organizations don't pick one framework and stop there. They map their AI systems against whichever frameworks apply to where they operate and what they build, then construct a single internal control set that satisfies all of them at once. The frameworks that apply to your organization depend on two questions: where do you operate, and what kind of AI system are you building or deploying.

EU AI Act

Status: Binding law
Applies to: Any company whose AI system reaches the EU market or EU users
Core requirement: Risk classification, documentation, and human oversight for high-risk systems

NIST AI RMF

Status: Voluntary framework
Applies to: US federal contractors and vendors managing AI risk for US enterprise buyers
Core requirement: Govern, Map, Measure, Manage risk cycle

ISO 42001

Status: Certifiable standard
Applies to: Any organization seeking a recognized AI management system credential
Core requirement: Documented AI policy, risk and impact assessment, continual improvement cycle

DIFC Regulation 10

Status: Binding regulation
Applies to: Entities registered or operating in the Dubai International Financial Centre that process personal data through autonomous or semi-autonomous systems
Core requirement: Data protection governance duties for those systems within the Centre

Order of operations matters more than framework choice. Data governance and risk classification come first regardless of which framework you target, because every framework above asks the same opening question: what AI systems do you run, and what risk does each one carry. An organization that builds an accurate AI system inventory and risk classification first can map that work onto the EU AI Act's risk tiers, NIST's Map function, or ISO 42001's risk assessment process without redoing the underlying analysis for each one.

A Starter Checklist for This Quarter

A full governance program takes months to build. A working starting point takes weeks, and it gives you defensible footing if a regulator, auditor, or enterprise customer asks what you've done so far.

Four steps to take this quarter:

1. Build an AI system inventory. List every AI feature in production or development, including third-party tools and AI features embedded in vendor software such as Salesforce Einstein or Microsoft Copilot.

2. Classify each system by risk. Run every system on the inventory against the EU AI Act's four tiers, even if the EU Act doesn't apply to your business yet. The classification work transfers to the other frameworks.

3. Name an accountable owner. Assign one named person, not a committee, who owns AI governance decisions and answers for them.

4. Document an incident response path. Write down what happens when an AI system produces a harmful, biased, or incorrect output: who gets notified, who decides whether to pull the system, and how the decision gets recorded.

None of these four steps requires outside help to start. They require time and an owner willing to push the inventory past the systems everyone already knows about and into the AI features buried inside existing software contracts.
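The four steps above are easier to keep honest when the inventory is data rather than a slide. The following is an added example written for this article, not code from Mindcat or from any of the frameworks: a small Python inventory that classifies each system into an EU AI Act tier using the rules the article states (Annex III use cases and the "scores, ranks or filters people" heuristic are high-risk until legal review says otherwise; chatbots and synthetic media are limited-risk; listed prohibited practices are unacceptable) and then prints the gaps an auditor would ask about first: no named owner, no incident path, and, for systems that reach the EU, missing evidence for the Article 9 to 15 themes. The use-case vocabulary, control names, field names and the sample inventory are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Closed vocabularies built only from the use cases this article names.
# Illustrative: a real inventory would cite the Annex III and Article 5 text.
PROHIBITED = {"social_scoring", "manipulative_exploitation",
              "realtime_public_biometric_id"}
HIGH_RISK = {"hiring_screening", "employee_evaluation", "credit_scoring",
             "insurance_pricing_life_health", "education_access",
             "critical_infrastructure_control", "biometric_identification"}
LIMITED_RISK = {"chatbot", "synthetic_media"}

# Evidence a high-risk system reaching the EU must have on file (the Art. 9-15
# themes as the article summarises them) and the limited-risk transparency duty.
# Control names are assumptions for this example.
HIGH_RISK_CONTROLS = frozenset({"risk-management", "data-governance",
                                "logging", "human-oversight"})
LIMITED_RISK_CONTROLS = frozenset({"transparency-disclosure"})


@dataclass
class AISystem:
    name: str
    use_case: str
    reaches_eu: bool            # placed on the EU market, or output used in the EU (Art. 2)
    screens_people: bool        # scores, ranks or filters people for a job, loan, insurance or service
    owner: str = ""             # one named accountable person, not a committee
    incident_path: str = ""     # who is notified, who may pull the system, how it is recorded
    controls: frozenset = frozenset()  # control names with evidence on file


def classify(s: AISystem) -> str:
    """Assign an EU AI Act tier using the rules the article states."""
    if s.use_case in PROHIBITED:
        return "unacceptable"
    if s.use_case in HIGH_RISK or s.screens_people:
        return "high"   # treat as high-risk until a legal review says otherwise
    if s.use_case in LIMITED_RISK:
        return "limited"
    return "minimal"


def required_controls(s: AISystem) -> frozenset:
    """Controls owed under the Act, given the tier and whether the system reaches the EU."""
    if not s.reaches_eu:
        return frozenset()
    tier = classify(s)
    if tier == "high":
        return HIGH_RISK_CONTROLS
    if tier == "limited":
        return LIMITED_RISK_CONTROLS
    return frozenset()


def gaps(s: AISystem) -> list:
    """Governance gaps for one system; an empty list means nothing is missing."""
    found = []
    if not s.owner:
        found.append("no accountable owner named")
    if not s.incident_path:
        found.append("no incident response path documented")
    if s.reaches_eu and classify(s) == "unacceptable":
        found.append("prohibited practice reaching the EU: must not be deployed")
    found.extend(f"missing control: {c}"
                 for c in sorted(required_controls(s) - s.controls))
    return found


def gap_report(inventory) -> dict:
    """Map every system name to its list of gaps."""
    return {s.name: gaps(s) for s in inventory}


# Constructed sample inventory, not a real client's. The vendor-embedded
# résumé screener is the kind of system that hides inside an existing
# software contract: nobody has claimed it and it has no incident path.
# Lead scoring ranks sales prospects, not people seeking access to a job,
# loan, insurance or service, so screens_people is False for it.
SAMPLE_INVENTORY = [
    AISystem("crm-resume-screener", "hiring_screening",
             reaches_eu=True, screens_people=True),
    AISystem("support-chatbot", "chatbot", reaches_eu=True, screens_people=False,
             owner="Head of Support", incident_path="runbooks/ai-incident.md",
             controls=frozenset({"transparency-disclosure"})),
    AISystem("mail-spam-filter", "spam_filter", reaches_eu=True, screens_people=False,
             owner="IT Ops lead", incident_path="runbooks/ai-incident.md"),
    AISystem("vendor-lead-scorer", "lead_scoring", reaches_eu=False,
             screens_people=False, owner="Sales Ops lead"),
]

if __name__ == "__main__":
    for s in SAMPLE_INVENTORY:
        print(f"{s.name} [{classify(s)}]")
        for g in gaps(s) or ["no gaps"]:
            print(f"  - {g}")
```

Run as a script, the report lists the résumé screener as high-risk with six gaps and the lead scorer, which sits outside the EU's reach, with only a missing incident path. The point of the `screens_people` flag is that classification errs toward high-risk when a system gates access to something for a person, which is the posture the article recommends until counsel reviews the specific use case.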

Building a Governance Framework That Holds Up

The EU AI Act, NIST AI RMF, ISO 42001, and DIFC Regulation 10 solve overlapping problems through different mechanisms. One is binding law with fines attached. One is a voluntary baseline that shows up in procurement. One is a certifiable management standard. One is a regional regulation tied to a specific financial center. None of them substitutes for the others. Enterprise organizations with operations in the UAE and India, and a presence in the US, need a working answer for more than one.

Mindcat's AI governance practice builds frameworks aligned to the EU AI Act, NIST AI RMF, ISO 42001, and DIFC Regulation 10 for clients in the UAE and India, and for US enterprises building AI products, starting with the AI system inventory and risk classification work that every framework above depends on. The work runs alongside implementation rather than after it, because a governance framework written after the AI system has already shipped costs more to retrofit and protects less.
