A research office building an AI governance framework can choose from three broad templates: a NIST-aligned risk profile (Govern, Map, Measure, Manage), an ISO/IEC 42001-informed management system (certifiable, PDCA-based), or a McKinsey-style operating model built around strategic alignment and cross-functional leadership. Most research offices need a hybrid: NIST’s risk logic, ISO’s audit trail, and an operating model that assigns clear ownership to a research-integrity or grants office.
An AI governance framework is a structured set of policies, roles, and controls that determines how an organisation approves, monitors, and audits its use of artificial intelligence. For a university research office, that means one coherent document — not three disconnected policies bolted together after a compliance scare.
- What is an AI governance framework, and why do research offices need one now?
- What is the NIST framework for AI governance?
- What does ISO/IEC 42001 add that NIST does not?
- How does a McKinsey-style operating model differ?
- A hybrid template research administrators can adapt
- Common questions research administrators ask
- What this means for research offices
What is an AI governance framework, and why do research offices need one now?
An AI governance framework sets out who approves an AI tool, what risk tier it sits in, how its use is documented, and who is accountable if it goes wrong. Research offices are being asked to produce one with no established house style, because most published templates were written for enterprise IT or financial services, not for grant review panels, ethics boards, or manuscript preparation.
The pressure has three sources. Funders including UKRI now expect disclosure of generative-AI use in grant applications and peer review. Publishers following ICMJE’s updated recommendations and COPE’s 2023 position statement require that AI tools never be listed as authors, since they cannot take responsibility for a work’s accuracy. And institutional research-integrity offices increasingly sit between both obligations, needing one internal policy that satisfies funder disclosure rules and publisher authorship rules simultaneously.
What is the NIST framework for AI governance?
The NIST AI Risk Management Framework (AI RMF 1.0), published by the US National Institute of Standards and Technology in January 2023, is a voluntary, non-certifiable framework built around four functions: Govern (culture, policy, accountability), Map (context and risk identification), Measure (assessment and monitoring tools), and Manage (mitigation and incident response). NIST extended it with a Generative AI Profile (NIST AI 600-1) in July 2024, addressing risks specific to large language models — hallucination, confidentiality leakage, and content provenance — which is directly relevant to research offices vetting AI writing or coding assistants.
NIST’s advantage for a research office is flexibility: the four functions map cleanly onto existing committee structures (a research-integrity committee can own “Govern”, an ethics board can own “Map”) without requiring a new certification budget.
What does ISO/IEC 42001 add that NIST does not?
ISO/IEC 42001:2023, published in December 2023, is the world’s first international standard for an AI management system (AIMS). Unlike NIST’s RMF, it is certifiable, structured around the Plan-Do-Check-Act cycle, and shares the Annex SL high-level structure used by ISO 9001 and ISO 27001 — meaning an institution that already runs an ISO 27001 information-security management system can extend the same audit infrastructure to cover AI.
ISO 42001 requires documented objectives, an AI policy statement, competence records, and internal audits — heavier than NIST, but it produces an external certificate a funder, publisher, or partner university can verify without reading the underlying policy.
| Feature | NIST AI RMF | ISO/IEC 42001 | McKinsey-style operating model |
|---|---|---|---|
| Legal status | Voluntary, non-certifiable | Certifiable international standard | Not a formal standard |
| Structure | Govern, Map, Measure, Manage | Plan-Do-Check-Act (Annex SL) | Steering committee + risk-tiered use-case pipeline |
| Published | January 2023 (v1.0) | December 2023 | Synthesised industry practice |
| Best fit for a research office | Fast-start policy with existing committees | Cross-institution or multi-site consortium needing an auditable certificate | Research office already running agile grant/portfolio management |
How does a McKinsey-style operating model differ?
A McKinsey-style operating model is not a codified standard like NIST or ISO — it is a way of organising governance around strategic value rather than compliance alone. It typically features a cross-functional steering committee (research administration, legal, IT, and academic leadership), a risk-tiered pipeline that prioritises AI use cases by potential value and harm, and an emphasis on iterative, agile policy revision rather than a fixed annual review cycle.
For a research office, this approach fits best where AI adoption is already fast-moving — for example, where multiple departments are independently piloting AI-assisted literature review, grant-matching, or peer-review triage tools and need one visible decision body rather than a static rulebook.
A hybrid template research administrators can adapt
Most research offices do not need to choose exactly one template. A workable hybrid borrows NIST’s risk logic, ISO’s documentation discipline, and an operating-model steering committee:
- Governance body: a standing AI governance committee reporting to the research-integrity office, with named leads from ethics, grants, IT security, and library/scholarly-communications teams.
- Risk tiers: classify each AI use case (e.g., grant-matching tool, AI writing assistant, peer-review triage) as low, moderate, or high risk, following NIST’s Map function.
- Policy register: a single living document recording each approved tool, its risk tier, approval date, and named accountable owner — the ISO-style audit trail.
- Disclosure rules: a mandatory statement in every grant application and manuscript describing any generative-AI assistance, aligned with ICMJE and funder disclosure requirements.
- Review cadence: quarterly light-touch review for low-risk tools, annual full review for high-risk tools, consistent with NIST’s Manage function and ISO’s continual-improvement clause.
Where AI tools contribute to a manuscript’s preparation without meeting authorship criteria, research offices should record that contribution distinctly from the CRediT contributor roles assigned to human authors — CASRAI originated the CRediT taxonomy in 2014, and the standard is now stewarded by NISO as ANSI/NISO Z39.104-2022, with no AI-specific role currently defined within it.
Common questions research administrators ask
What is the NIST framework for AI governance?
The NIST AI Risk Management Framework is a voluntary US framework, published January 2023, built around four functions — Govern, Map, Measure, and Manage. It is not certifiable but gives organisations a structured, adaptable process for identifying and mitigating AI risk without requiring an external audit.
What are the six pillars of AI governance?
Most governance frameworks converge on six pillars: accountability, ethics and fairness, risk management, transparency and explainability, compliance and security, and human oversight. A research office’s framework should assign a named owner to each pillar rather than treating them as abstract principles.
What is the AI governance framework in the UK?
The UK follows a pro-innovation, principles-based approach set out in its 2023 AI white paper, enforced through existing sector regulators rather than a single AI Act. This contrasts with the EU AI Act, which entered into force in August 2024 with a risk-tiered, legally binding structure and phased obligations running into 2026.
What this means for research offices
No single template is complete on its own. NIST gives research offices a fast, low-cost starting structure; ISO/IEC 42001 gives multi-site consortia and partner universities an externally verifiable certificate; a McKinsey-style operating model gives fast-moving institutions a decision body that can keep pace with new AI tools arriving faster than annual policy cycles can absorb them.
The practical move for most research administrators is to start with NIST’s four functions as the policy skeleton, borrow ISO’s documentation discipline for the audit trail, and add a steering committee only once AI use cases multiply beyond what one compliance officer can track. As funder disclosure rules and publisher authorship policies continue to tighten through 2026 and beyond, the institutions that move first from ad hoc guidance to a documented, ownership-assigned framework will be the ones able to demonstrate compliance without reconstructing their records after the fact.