Governance & compliance

The frameworks AIRM maps to.

Every AI identity finding in AIRM maps to 11 security and AI-governance frameworks, including the AI-specific regulations now coming into force. Here's what each one is, why it touches AI and non-human identity, and how AIRM helps you evidence it.

AI-specific governance
Built for the new AI regulations
EU · AI regulationOfficial source ↗

EU AI Act

The EU's Artificial Intelligence Act (Regulation (EU) 2024/1689) is the first comprehensive, risk-based law for AI. It has been in force since August 2024, with the main high-risk obligations applying from August 2026.

Why it matters for AI identity: It expects organisations to know which AI systems they run, keep them under human oversight, and hold records, difficult when AI agents and Copilot identities appear without review.

How AIRM helps: AIRM gives you a live inventory of every AI identity in Microsoft 365, owner, access and risk, the evidence base for oversight and record-keeping.

ISO · AI managementOfficial source ↗

ISO/IEC 42001

ISO/IEC 42001:2023 is the first international standard for an AI management system (AIMS), how an organisation governs AI responsibly.

Why it matters for AI identity: Conformity expects defined controls over AI assets and their risks. Your AI identities are part of that asset base.

How AIRM helps: AIRM supplies continuous discovery, risk scoring and reporting that feed AIMS controls and audit evidence.

US · AI frameworkOfficial source ↗

NIST AI RMF

The NIST AI Risk Management Framework (AI RMF 1.0, published 2023) is a voluntary US framework built around four functions: Govern, Map, Measure and Manage.

Why it matters for AI identity: You can't Map or Measure AI risk you can't see, and agent identities are a blind spot in most environments.

How AIRM helps: AIRM operationalises Map and Measure for AI identities: discovery, blast-radius and anomaly scoring you can track over time.

Security & operational resilience
The established frameworks, extended to non-human identity
ISO · Information securityOfficial source ↗

ISO/IEC 27001

ISO/IEC 27001:2022 is the international standard for an information security management system (ISMS), including access-control requirements.

Why it matters for AI identity: Non-human identities hold standing access that often escapes ISMS access reviews.

How AIRM helps: AIRM inventories every non-human identity, its permissions and owner, evidence for access-control and review clauses.

EU · Financial resilienceOfficial source ↗

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) sets ICT risk and resilience rules for EU financial entities, applying from 17 January 2025.

Why it matters for AI identity: DORA expects control over ICT assets and third-party/identity risk, including the service principals and AI tools connected to your systems.

How AIRM helps: AIRM surfaces non-human and third-party AI access and its blast radius, supporting ICT-risk visibility.

EU · CybersecurityOfficial source ↗

NIS2

The NIS2 Directive (EU) 2022/2555 raises baseline cybersecurity and incident-reporting duties across essential and important entities, and was due to be transposed into national law by October 2024.

Why it matters for AI identity: Identity is a primary attack surface the NIS2 risk-management measures are expected to cover.

How AIRM helps: AIRM gives continuous visibility of the AI and non-human identity attack surface, and of changes to it.

UK CAF

The NCSC Cyber Assessment Framework (CAF) is the UK's outcome-based framework for assessing the cyber resilience of essential functions.

Why it matters for AI identity: Several CAF objectives concern identity, access management and asset visibility.

How AIRM helps: AIRM provides the identity inventory and monitoring that evidence those objectives.

Cyber Essentials

Cyber Essentials is the UK government-backed, NCSC-run baseline certification built on five technical controls, including user access control.

Why it matters for AI identity: Service-principal and AI-agent access is rarely covered by basic user access controls.

How AIRM helps: AIRM extends access hygiene to non-human identities, flagging excessive or dormant access.

AU · ASD / ACSCOfficial source ↗

Essential Eight

The Australian Signals Directorate's Essential Eight (delivered via the ACSC) are eight prioritised mitigation strategies, including restricting administrative privileges, with a three-level maturity model.

Why it matters for AI identity: Privileged non-human identities are an under-managed slice of admin privilege.

How AIRM helps: AIRM identifies privileged and high-blast-radius non-human identities so you can restrict them.

MAS TRM

The Monetary Authority of Singapore's Technology Risk Management Guidelines set expectations for technology and cyber risk in financial institutions.

Why it matters for AI identity: Identity and access management is a core TRM expectation, increasingly extending to AI.

How AIRM helps: AIRM provides identity-risk evidence and monitoring aligned to TRM access-management expectations.

IN · CERT-InOfficial source ↗

CERT-In

India's CERT-In 2022 directions set cyber-security expectations for entities operating in India, including reporting incidents within six hours and retaining logs for 180 days.

Why it matters for AI identity: Logging and monitoring obligations extend to the identities acting in your environment.

How AIRM helps: AIRM contributes continuous identity monitoring and change history toward those obligations.

AIRM supports these frameworks with visibility, evidence and continuous monitoring. It does not by itself constitute certification, audit or legal compliance, framework mapping is indicative, and scope should be confirmed with your assessor.

Agentless · complements Microsoft

See where every tenant stands, free.

Run a full AIRM risk report on any Microsoft 365 tenant and get its findings mapped to all 11 frameworks, with the actions to close the gaps.

Chat with Sabiki
Ask about NHI risk, pricing or the MSP programme
Hi 👋 Want your NHI Risk Score, or a question about deploying Sabiki? Ask away, or register free.
Free NHI Risk Score →
Prototype, vendor chat widget mounts here (e.g. Intercom Fin).