What it is
AI governance is the fastest-growing compliance category of 2026: the EU AI Act is in force, ISO/IEC 42001 (the AI management system standard) is being adopted, and the NIST AI Risk Management Framework is the reference in the US. TATER's AI Governance page (under Governance & Risk) gives you the two things every AI governance program needs:
- An AI System Inventory — a register of every AI tool, GenAI/LLM, ML model, AI feature, or AI agent your organization uses, classified by EU AI Act risk tier.
- A control checklist — 22 curated controls spanning ISO 42001, NIST AI RMF, and the EU AI Act, assessed pass / fail / in-progress / not-applicable, rolling up to a governance posture %.
Because TATER is an AI-native platform, AI systems connect to the rest of your program: link an AI system to the vendor that supplies it, the risks it drives, and the controls it relates to.
The AI System Inventory
Click + Register AI System and capture:
| Field | Why it matters |
|---|---|
| Name & description | What the system is and does. |
| System type | GenAI/LLM, ML model, AI feature, AI vendor tool, AI agent, or other. |
| Provider & model/version | Who supplies it (OpenAI, Anthropic, Microsoft, internal…) and which model. |
| EU AI Act risk tier | The classification that determines your obligations (see below). |
| Lifecycle stage | Proposed → in-development → production → retired. |
| Owner | The accountable person. |
| Data categories | What data the system processes (PII, financial, confidential…). |
| Human oversight | How humans can oversee or intervene — required for high-risk systems. |
| Risk assessment & next review | Whether the system has been assessed, and when it's due for review. |
| Linked vendor | Connect the AI supplier to your TPRM register. |
Systems flag ⚠ Needs review when their risk assessment isn't complete, they're still unclassified, or their review date has passed — so nothing slips before an audit.
EU AI Act risk tiers
| Tier | What it means |
|---|---|
| Prohibited | Banned practices (e.g. social scoring, manipulative techniques). If you classify a system here, escalate immediately. |
| High-risk | Subject to the heaviest obligations: a risk management system, data governance, technical documentation, logging, transparency, human oversight, and a conformity assessment. |
| Limited-risk | Transparency obligations — users must be told they're interacting with AI. |
| Minimal-risk | Most AI; no specific obligations beyond good practice. |
| GPAI | General-purpose AI models — documentation, copyright policy, and (for systemic-risk models) extra measures. |
The control checklist
The Control Checklist tab lists 22 controls grouped by framework:
- ISO/IEC 42001 — AI management system clauses (scope, policy, risk & impact assessment, lifecycle controls, monitoring, continual improvement, Annex A).
- NIST AI RMF — the four functions: GOVERN, MAP, MEASURE, MANAGE.
- EU AI Act — the key obligations: inventory & classification, no prohibited practices, AI literacy, risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness/cybersecurity, and GPAI obligations.
Set each control's status as you implement it. Governance posture % = passing controls ÷ assessed controls (N/A excluded); it is shown in the KPI strip and the Insights report.
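A constructed Python sketch of the two rules this page states: the ⚠ Needs review flag on inventory items and the posture formula. It is an added example, not TATER's code; the field names, the framework prefixes in the control IDs, and counting in-progress as "assessed" are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: pass / fail / in-progress count as assessed; not-applicable is excluded.
ASSESSED = {"pass", "fail", "in-progress"}


@dataclass
class AISystem:
    name: str
    risk_tier: Optional[str]        # None = still unclassified
    assessment_complete: bool       # has a risk assessment been done?
    next_review: Optional[date]     # None = no review date set yet


def needs_review(system: AISystem, today: date) -> bool:
    """Flag when the assessment is incomplete, the tier is unset, or the review date has passed."""
    if not system.assessment_complete or system.risk_tier is None:
        return True
    return system.next_review is not None and system.next_review < today


def flagged(systems: list[AISystem], today: date) -> list[str]:
    """Names of systems that would carry the Needs review flag today."""
    return [s.name for s in systems if needs_review(s, today)]


def posture(controls: dict[str, str]) -> float:
    """Passing ÷ assessed (N/A excluded) as a percentage; 0.0 when nothing is assessed yet."""
    assessed = [s for s in controls.values() if s in ASSESSED]
    if not assessed:
        return 0.0
    return round(100.0 * assessed.count("pass") / len(assessed), 1)


def posture_by_framework(controls: dict[str, str]) -> dict[str, float]:
    """Group control IDs by their assumed framework prefix (text before '-') and score each group."""
    groups: dict[str, dict[str, str]] = {}
    for cid, status in controls.items():
        groups.setdefault(cid.split("-", 1)[0], {})[cid] = status
    return {fw: posture(c) for fw, c in groups.items()}


# Constructed sample data (not a real assessment): 9 controls, one of them N/A.
SAMPLE_CONTROLS = {
    "ISO42001-scope": "pass", "ISO42001-policy": "pass", "ISO42001-risk": "in-progress",
    "NIST-GOVERN": "pass", "NIST-MAP": "fail", "NIST-MEASURE": "not-applicable", "NIST-MANAGE": "pass",
    "EUAIA-inventory": "pass", "EUAIA-oversight": "fail",
}
TODAY = date(2026, 3, 1)  # constructed reference date
SAMPLE_SYSTEMS = [
    AISystem("Support chatbot", "limited-risk", True, date(2026, 9, 1)),
    AISystem("CV screening model", "high-risk", True, date(2026, 1, 15)),  # review overdue
    AISystem("Code assistant", None, False, None),                         # unclassified, unassessed
]
```

With the sample data the overall posture is 62.5% (5 passing of 8 assessed), and two of the three systems carry the flag.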
Reporting & your AI agent
- TATER Insights — the AI Governance Posture report shows your inventory by risk tier, systems needing review, and control posture by framework. Schedule it to your inbox or export it.
- MCP — your AI agent (Claude, Copilot, …) can govern AI through five tools: list_ai_systems, register_ai_system, update_ai_system, get_ai_governance_posture, and set_ai_governance_control. Ask it to "inventory the AI tools we use and classify each under the EU AI Act," and it will register them and flag the high-risk ones.
Roles
Auditor and Admin can register/edit AI systems and set control statuses; Admin can delete inventory items. Everyone with access can view the inventory and posture.