Module 8 — AI Governance, Risk & Compliance

Duration: ~3 hrs · Status: Mandatory
Lessons: 13 total — 10 short theory · 1 mandatory lab · quiz · summary
Framework coverage: NIST AI RMF (in-practice deep dive) · EU AI Act Articles 9, 11, 12, 14, 15, 73 · GDPR · HIPAA (touch) · MITRE ATLAS case studies

Module outcomes

By the end of this module, the learner can:

  1. Build a NIST AI RMF-aligned program from a green-field starting point, mapping engineering activities to the four functions.
  2. Design an EU AI Act compliance plan for a high-risk system, including the Article 11 documentation package.
  3. Articulate the org-design choices for an AI security program (reporting, scope, hiring, budget).
  4. Author a model card and a system card that hold up to enterprise/auditor scrutiny.
  5. Walk a real-world AI incident as a teardown — pre-incident posture, attack chain, IR execution, post-incident actions.

Lesson list

NIST AI RMF in practice (~10 min)

  • L8.1.1 — NIST AI RMF in practice: from framework to program (Theory, ~5 min, mandatory)
  • L8.1.2 — NIST AI RMF Profiles: GenAI, secure software, sector-specific (Theory, ~5 min, mandatory)

EU AI Act compliance (~10 min)

  • L8.2.1 — EU AI Act compliance program design (Theory, ~5 min, mandatory)
  • L8.2.2 — Article 11: the technical documentation package (Theory, ~5 min, mandatory)

Building an AI security program (~10 min)

  • L8.3.1 — Org design: reporting, scope, hiring (Theory, ~5 min, mandatory)
  • L8.3.2 — Procurement & vendor management for AI (Theory, ~5 min, mandatory)

Incident reporting & disclosure (~5 min)

  • L8.4.1 — AI incident reporting obligations (Theory, ~5 min, mandatory)

Documentation artifacts (~10 min)

  • L8.5.1 — Model cards: structure, audience, common gaps (Theory, ~5 min, mandatory)
  • L8.5.2 — System cards, data sheets, AI-BOM revisited (Theory, ~5 min, mandatory)

Case study (~5 min)

  • L8.6.1 — Case study teardown: a 2025 AI incident (Theory, ~5 min, mandatory)

Lab (~60 min)

  • L8.7 (Lab): Author a model card + risk assessment for the M1 RAG app (~60 min, mandatory)

Wrap-up

  • Quiz — 12 questions, 70% to pass (~10 min, mandatory)
  • Summary — bridge to Module 9 capstone (~3 min, mandatory)

Why this module exists

Modules 0–7 trained the engineering side of AI security. Module 8 is the governance side — the artifacts, programs, and regulatory obligations that surround the engineering work. By 2026 every meaningfully sized AI deployment touches one of: NIST AI RMF (federal procurement, enterprise governance reference), EU AI Act (any EU market), GDPR/HIPAA (any sensitive data), customer governance reviews (any B2B sale). M8 is where engineering meets these surfaces.

The lab (L8.7) is the only mandatory lab in this module and the final non-capstone lab in the course. It assembles artifacts from earlier modules — the L2.6 threat model, the L4.9 AI-BOM, the L7.9 logging stack, the L7.7 defense measurements — into a single governance package: a publishable model card + risk assessment for the M1 RAG app. That package is exactly what enterprise customers, auditors, and regulators ask for.

What's next

Module 9 — Capstone Project. The Helios Health scenario: you red-team a fictional SaaS launching an LLM-powered medical-records assistant. Full report (threat model + red-team findings + remediation plan + pre-launch checklist). ~4 hours.