FAQ

Common questions. Direct answers.

Two sections: regulatory comparisons (EU AI Act, NIST AI RMF, ISO 31000, ISO 42001, COSO ERM, UNECE CRA) and framework questions.

HOW EW-AIRM™ RELATES TO THE MAJOR INSTRUMENTS

Regulatory comparison.

Each row gives the instrument, what it does, and how EW-AiRM™ relates to it.

EU AI Act
  What it does: Classifies AI use cases as prohibited, high-risk, limited-risk, or minimal-risk. Sets conformity assessment and post-market monitoring duties for high-risk systems.
  How EW-AiRM™ relates: Complement, not duplicate. The EU AI Act tells you what is prohibited and what is high-risk. EW-AiRM™ tells you how to run governance over the systems you decide to keep.

NIST AI RMF
  What it does: Voluntary US framework. Four functions: Govern, Map, Measure, Manage. Used widely in US federal government and large enterprise.
  How EW-AiRM™ relates: EW-AiRM™ pillars P5 (Governance) and P6 (Lifecycle Monitoring) map directly to NIST Govern and Manage. The MIT-based operational layer fills out NIST Measure with a public, peer-reviewed risk taxonomy.

ISO 31000
  What it does: General-purpose risk management standard. Principles, framework, and process. Not AI-specific.
  How EW-AiRM™ relates: ISO 31000 underpins the risk-process discipline in EW-AiRM™. The framework is consistent with ISO 31000, with AI-specific extensions in the operational and resilience layers.

ISO 42001
  What it does: AI Management System standard. Requirements for establishing, implementing, maintaining, and continually improving an AIMS within an organisation.
  How EW-AiRM™ relates: ISO 42001 sets management system requirements. EW-AiRM™ provides the operational substrate. The six strategic pillars map onto ISO 42001 Plan-Do-Check-Act.

COSO ERM
  What it does: Enterprise risk management framework. Strategy and performance focus. Five components, twenty principles.
  How EW-AiRM™ relates: EW-AiRM™ extends COSO ERM into the AI domain. The three-layer architecture preserves COSO's portfolio view while adding the operational taxonomy and the Black Swan resilience layer.

UNECE CRA (ECE/TRADE/486)
  What it does: Voluntary instrument for AI regulation across 56 UNECE member states. Authored by Prof. Markus Krebsz as UNECE WP.6 AI Project Lead.
  How EW-AiRM™ relates: Sister framework. UNECE CRA speaks to regulators. EW-AiRM™ speaks to regulated enterprises. With HAiPECR as the ethical filter, they form a three-part stack.

FRAMEWORK QUESTIONS

About EW-AiRM™ and HAiPECR.

What is EW-AiRM™ and how does it work?

EW-AiRM™ (Enterprise-Wide AI Risk Management Framework) is an open, three-layer governance framework developed by Prof. Markus Krebsz and first listed on the OECD.AI Policy Observatory in April 2023.


It gives organisations a structured, auditable method for governing AI risk from the boardroom to the technical team.


The three layers each address a distinct governance challenge:

  • The Strategic Layer comprises six pillars — Necessity Assessment, Organisational Readiness, Technological Maturity, Risk Tolerance, Governance and Accountability, and Through-the-Lifecycle Monitoring — which must be documented before any AI system is deployed.
  • The Operational Layer is grounded in the MIT AI Risk Repository (CC BY 4.0): more than 1,000 risks across seven domains and 24 subdomains, mapped to 831 controls across Primary, Secondary, and Tertiary tiers.
  • The Resilience Layer covers eight AI Black Swan categories — scenarios that sit outside the operational taxonomy, from foundation model integrity collapse to the quantum cryptographic transition.


Running across all three layers is HAiPECR, a seven-dimension ethical overlay mapped to the UNESCO 2021 Recommendation on the Ethics of AI. EW-AiRM™ augments — rather than replaces — NIST AI RMF, ISO 42001, and COSO ERM, and is aligned with the EU AI Act and UNECE ECE/TRADE/486 (2024).

How does EW-AiRM™ compare to NIST AI RMF?

NIST AI RMF and EW-AiRM™ are designed to work together, not to compete.


NIST AI RMF provides a voluntary, function-based approach (Govern, Map, Measure, Manage) developed by the US National Institute of Standards and Technology.


EW-AiRM™ operates across three architectural layers — Strategic, Operational, and Resilience — that span a different dimension: organisational depth rather than lifecycle stage.


In practice, organisations use NIST AI RMF as the method for managing individual AI system risk, and EW-AiRM™ as the enterprise governance architecture that determines which systems get deployed, how accountability is structured, and what Black Swan scenarios the board must rehearse.


The two frameworks are complementary layers of the same governance stack.


Recommended approach: adopt NIST AI RMF at the system level; deploy EW-AiRM™ at the enterprise level. They do not conflict.  

How does this compare to the EU AI Act?

See the regulatory comparison table above. Complement, not duplicate. The EU AI Act sets what is prohibited and what is high-risk. EW-AiRM™ tells you how to run governance on the systems you decide to keep.

Is EW-AiRM™ the same as ISO 42001 compliance?

No, it isn't:


ISO/IEC 42001 is a certifiable international standard for AI management systems — organisations that implement it can obtain third-party certification through an accredited audit body.


EW-AiRM™ is an open governance framework, not a certifiable standard. The distinction matters, but so does the relationship: the two are designed to work together.


ISO 42001 answers: does the organisation have an AI management system that meets the standard?


EW-AiRM™ answers: what is the enterprise governance architecture — the pillars, the ethical overlay, the Black Swan rehearsals — that sits around and above the management system?


A common implementation pattern: achieve ISO 42001 certification to satisfy procurement and regulator requirements, and deploy EW-AiRM™ as the enterprise governance architecture that covers the strategic and resilience dimensions ISO 42001 does not address.

EW-AiRM™ implementation at Standard or Full Tier includes documented evidence structures that are compatible with ISO 42001 audit requirements.


ISO 42001 certifies the system. EW-AiRM™ governs the enterprise. Both are needed in a regulated organisation.

How does EW-AiRM™ relate to COSO ERM?

COSO ERM (Enterprise Risk Management — Integrating with Strategy and Performance, 2017) is the leading enterprise risk management framework used by boards, audit committees, and CFOs globally.


EW-AiRM™ is designed explicitly as an AI-specific extension of the COSO ERM architecture — not a replacement.


COSO ERM established the principle that risk management must be integrated with strategy and performance across the enterprise.

EW-AiRM™ applies that principle to AI: its six strategic pillars map directly to COSO ERM's five components (Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, Information and Communication), and its three-layer architecture reflects the COSO cube structure rendered for AI deployments.


In practice: organisations that already have a COSO ERM programme should treat EW-AiRM™ as the AI governance module that integrates with — and reports into — their existing enterprise risk structure. The KXI (Key Performance/Risk/Control Indicators) dashboard in EW-AiRM™ Standard and Full Tiers is designed to feed directly into the board risk reporting cycle that COSO ERM mandates.


COSO itself published 'Realize the Full Potential of Artificial Intelligence' (2021), which acknowledges the gap between generic ERM and AI-specific governance. EW-AiRM™ fills that gap operationally.

Does EW-AiRM™ help with EU AI Act compliance?

Yes — but EW-AiRM™ and the EU AI Act work at different layers, and understanding the distinction is essential.


The EU AI Act is binding European law that prohibits certain AI uses, classifies high-risk systems, and mandates conformity assessments, transparency obligations, and post-market monitoring.

It tells organisations what they cannot do and what documentation is required for high-risk deployments.


EW-AiRM™ tells organisations how to govern what they are permitted to keep.


The framework's six strategic pillars map directly to the EU AI Act's requirements for risk management systems, data governance, transparency, and human oversight, while the Resilience Layer covers scenarios — such as regulatory step-change (Black Swan Cat 4) — that the Act's conformity requirements do not address.


EU AI Act compliance is a floor, not a ceiling. An organisation that satisfies the Act's conformity requirements for a high-risk system has met the minimum legal obligation. EW-AiRM™ ensures that the governance architecture above that floor — risk tolerance, board accountability, ethical overlay, resilience planning — is also in place.


EW-AiRM™ at Standard Tier or above produces the documented evidence structures (risk assessments, accountability records, HAiPECR logs, KXI dashboards) that EU AI Act auditors and national market surveillance authorities expect to see.  

What is HAiPECR and how does it map to UNESCO?

HAiPECR is EW-AiRM™'s seven-dimension ethical overlay, developed by Prof. Markus Krebsz and listed on the OECD AI Policy Observatory since April 2023.

The name is an acronym: Human oversight, Accountability, inclusivity (lowercase intentional — it is an embedded prerequisite, not a standalone pillar), Privacy, Explainability, Conduct, Resilience.

Originally, HAiPECR stood for "Human-Ai Paradigm for Ethics, Conduct and Risk", building on the 10-year conduct-risk research lineage that preceded EW-AiRM™.


HAiPECR runs across all three EW-AiRM™ layers as a pre-deployment filter and a continuous review lens. It is not a compliance checklist.


Every AI system must pass a documented HAiPECR review before deployment, and the review repeats at every material change.


The lowercase 'i' in HAiPECR is intentional: inclusivity is embedded as a prerequisite across all other dimensions rather than treated as a standalone pillar.


HAiPECR maps to all ten UNESCO 2021 principles — not nine — because the 2024 UNESCO Neurotech recommendation is incorporated into the Privacy dimension.

Why is HAiPECR spelled with a lowercase "i"?

The "i" stands for inclusivity. It is deliberately lowercase to signal that inclusivity is not a standalone pillar but an embedded prerequisite across every dimension. Typography carries meaning in framework design.


What is the MIT AI Risk Repository and how is it used in EW-AiRM™?

The MIT AI Risk Repository is a publicly available, peer-reviewed database maintained by MIT FutureTech.


It catalogues more than 1,000 AI risks across seven domains and 24 subdomains, and is published under the Creative Commons CC BY 4.0 licence, meaning it is free to use, adapt, and build upon.


It was chosen as the operational backbone of EW-AiRM™ precisely because it is not a private taxonomy — it is publicly licensed, independently maintained, and academically rigorous.


The MIT AI Risk Repository is distinct from the MIT AI Mitigation Database, which catalogues controls rather than risks.


EW-AiRM™ uses both: the Repository for risk classification and the Mitigation Database as one input into the controls mapping. The 765,944 risk-to-control mappings represent the cross-product of the two databases, providing the most comprehensive publicly available mapping of AI risks to controls.

The MIT AI Risk Repository (CC BY 4.0) is the reason EW-AiRM™'s Operational Layer can be both comprehensive and open. Every risk classification is independently verifiable against a publicly available source.  

Why is the MIT AI Risk Repository the operational layer?

Three reasons:

  • It is publicly licensed (CC BY 4.0).
  • It is peer-reviewed and maintained by MIT FutureTech.
  • It contains more than 1,000 risks across 7 domains and 24 subdomains, broad enough to use as a substrate without locking the organisation into a particular vendor view.

What are the 8 AI Black Swan categories in EW-AiRM™?

The eight AI Black Swan categories form EW-AiRM™'s Resilience Layer — the third and highest architectural layer.


Each category covers a scenario that falls outside the operational taxonomy of the MIT AI Risk Repository: risks that are low-probability, high-impact, and structurally different from the day-to-day risks managed in the Operational Layer. Every category has a named owner at board or C-suite level.


Each category is treated as a scenario rehearsal in EW-AiRM™. At Standard Tier, six categories are rehearsed annually; at Full Tier, all eight are rehearsed annually with pre-positioned response plans and named owners documented at board level. Categories 7 (Multi-agent emergence) and 8 (Quantum cryptographic transition) were added in the 2024–2025 framework revision to reflect the rapid deployment of agentic AI and NIST's post-quantum cryptography standards (FIPS 203, 204, 205).


The eight AI Black Swan categories are unique to EW-AiRM™. No other publicly available AI governance framework provides a named, owner-assigned taxonomy of systemic AI resilience scenarios.  

Is the framework open?

Yes. EW-AiRM™ is grounded in publicly licensed standards. The MIT AI Risk Repository is CC BY 4.0. HAiPECR is documented and citable. The book sets out the full architecture in print. The companion tools are free to use.


Who owns the trademark?

EW-AiRM™ is a trademark of De-Risking Solutions Ltd (UK Co. No. 09900565). The trademark protects framework integrity. The framework itself is open.


Connection to UNESCO, UNECE, OECD, and the EU AI Office?

HAiPECR is mapped to the UNESCO 2021 Recommendation. EW-AiRM™ is the enterprise complement to UNECE ECE/TRADE/486 (2024). HAiPECR has been listed on the OECD AI Policy Observatory since April 2023. Prof. Markus Krebsz is on the EU AI Office DG CNECT Expert Group, a GPAI Code of Practice plenary participant, and UNESCO I4T Network founding member.

Where can I learn more?

Three good entry points. Read the framework overview for the concept. Compare the three implementation tiers to see scope. Or visit the companion tools site for the assessments. The book is forthcoming from Wiley Finance in 2026 — add yourself to the launch list via Contact.

Who created EW-AiRM™ and what are their credentials?

EW-AiRM™ was developed by Prof. Markus Krebsz, a board portfolio executive and AI governance practitioner based in the United Kingdom.


Prof. Krebsz is the Founding Director of De-Risking Solutions Ltd and the Human-Ai.Institute. He has served as an Independent Non-Executive Director on the Supervisory Council of Revolut Bank UAB since 2017.


His credentials in AI governance are extensive and span policy, standards, academia, and regulated enterprise.


EW-AiRM™ is designed and maintained by practitioners who are simultaneously shaping the international standards it references. Prof. Krebsz was the author of UNECE ECE/TRADE/486 — the Common Regulatory Arrangement — which EW-AiRM™'s Resilience Layer is aligned with.


HAiPECR was developed before the UNESCO 2021 Recommendation was finalised and was subsequently mapped to it as a peer framework.


No other publicly available AI risk management framework was developed by someone serving simultaneously as an international standards author, independent bank NED, ForHumanity Certified Auditor, and UNESCO founding member.  

Question not answered here?

Send it to us. We use the FAQ inbox to update this page, so if you are asking the question, others probably are too.


The Human-Ai.Institute is an independent Think/Do Tank convening multilateral and multi-stakeholder dialogue on AI governance. The Institute engages with the UN, UNESCO, OECD, the EU Commission, and governments worldwide.

Home of EW-AiRM™ — the open, three-layer framework for enterprise-wide AI risk management, grounded in publicly licensed standards and aligned with UNESCO, UNECE, NIST, ISO, and the EU AI Act.

CONSULTING, TRAINING & ADVISORY

Commercial consulting, training, and advisory services are provided by De-Risking Solutions Ltd. and RiskAi.Ai

AI & TECHNOLOGY SOLUTIONS

AI, Agentic tools and technology solutions are provided by Human-Ai.Solutions.

© 2026 The Human-Ai.Institute.

EW-AiRM™ and HAiPECR are trademarks of
De-Risking Solutions Ltd., registered in England and Wales
(Company Number 09900565). All rights reserved.

Listed on the OECD AI Policy Observatory · Founding member of the UN University AI Network · Aligned with UNESCO, UNECE WP.6, NIST, and ISO 42001