Mapping AI identity risk to the 11 frameworks that matter.
Auditors and insurers don't want to hear that AI is "handled". They want evidence. An AI identity inventory is where that evidence starts.
The common thread across every framework
From the EU AI Act and ISO/IEC 42001 to the NIST AI RMF and DORA, the modern wave of AI and resilience expectations share a premise: you should know which AI systems and identities you run, what they can reach, who is accountable, and be able to show records of oversight. You cannot evidence control over something you can't see.
Where AIRM fits
AIRM maps to 11 governance frameworks, EU AI Act, ISO/IEC 42001, NIST AI RMF, DORA, ISO/IEC 27001, UK NCSC CAF, Essential Eight, MAS TRM, CERT-In, BSI and Cyber Essentials. Not by claiming certification, but by supplying the underlying evidence: a live inventory of every AI and non-human identity, its access and owner, its risk score, and a record of how it's monitored and acted on.
What you can put in front of an auditor
- An inventory of AI agents, service principals and OAuth grants in the tenant, with owners and permissions.
- Risk scoring and blast-radius for each identity, tracked over time.
- A quarterly compliance pack, an artefact a board or insurer will actually accept.
A word on scope
AIRM supports these frameworks; it doesn't replace legal or compliance advice, and adopting it isn't the same as certification. What it does is remove the blind spot that makes the AI sections of those frameworks hard to evidence, and give an MSP a credible, recurring compliance service to deliver.
Turn governance into evidence.
Register free and generate a risk report mapped to the frameworks your clients are asked about, board- and insurer-ready from day one.
Free NHI Risk Score →