THE FRAMEWORK

EW-AiRM™: Enterprise-wide AI Risk Management, in three deliberate layers.

A practitioner-grade framework grounded in publicly licensed standards, built for the people doing AI risk work inside organisations under live regulatory scrutiny.

Dimension       | EW-AiRM™                                                  | NIST AI RMF                  | ISO 42001            | COSO ERM                                 | EU AI Act
----------------|-----------------------------------------------------------|------------------------------|----------------------|------------------------------------------|----------------------------
UNECE-grounded  | Yes (ECE/TRADE/486)                                       | No                           | No                   | No                                       | No
Primary scope   | Enterprise-wide AI Risk Governance framework & approach   | AI Risk Management           | AI Management System | (Traditional) Enterprise Risk Management | AI Regulation
Target audience | Boards, Risk functions, CTOs, CISO, Risk community        | US Federal & Enterprise      | Any organisation     | CFO, Board, ERM teams                    | Operators & Providers (EU)
Layers          | Strategic, Operational, Resilience + HAiPECR              | Govern, Map, Measure, Manage | Plan, Do, Check, Act | Strategy, Performance                    | Prohibited, High-risk, GPAI
Certifiable     | No (Open framework)                                       | No (Voluntary)               | Yes (ISO audit)      | No (Guidance)                            | Public, EU-wide Regulation
Open / free     | Yes (CC BY 4.0 base)                                      | Yes                          | Paid standard        | Paid guidance                            | Public regulation
UNESCO-aligned  | Yes (HAiPECR)                                             | No                           | Partial              | No                                       | Partial (GPAI)

ARCHITECTURE

Three layers. Each does a job the others cannot.

Most AI risk frameworks pick a level and stay there. EW-AiRM™ deliberately spans three, because the strategic questions cannot be answered with operational tools, and the operational layer cannot anticipate Black Swans.

LAYER 1

Strategic

Six pillars. Necessity, readiness, maturity, tolerance, governance and accountability, through-the-lifecycle monitoring. Sets the conditions any AI deployment has to meet before it goes live.

LAYER 2

Operational

MIT AI Risk Repository (CC BY 4.0): more than 1,000 risks across 7 domains and 24 subdomains. Mapped to 831 controls, primarily security controls, organised into Primary, Secondary, and Tertiary mapping tiers.

LAYER 3

Resilience

Eight AI Black Swan categories. Includes multi-agent emergence and the quantum cryptographic transition (NIST FIPS 203/204/205). For risks that do not fit the operational taxonomy.

STRATEGIC LAYER

The six pillars.

Each pillar is a question the organisation must answer in writing before a system can be deployed, and a check that must hold across the deployment lifecycle.

P1

Strategic Alignment + Necessity Assessment

Is AI the right tool for this problem at all? If a deterministic system would do the job, AI is the wrong answer.

P2

Organisational Readiness

Does the organisation have the people, the controls, and the decision rights to deploy this responsibly?

P3

Technological Maturity

Is the underlying model, vendor, and integration pattern ready for this use case at this risk level?

P4

Risk Tolerance

Has the board signed off on the residual risk, and is the tolerance documented at the right level of granularity?

P5

Governance & Accountability

Who owns the decision, and who owns the incident? Named, not implied.

P6

Through-the-Lifecycle Monitoring + Adaptability

What changes trigger a re-review? Who runs the re-review? What is the kill-switch SLA?

ETHICAL OVERLAY

HAiPECR: seven dimensions, mapped to UNESCO.

HAiPECR is the ethical filter that runs across all three layers. Mapped to the UNESCO 2021 Recommendation on the Ethics of AI (10 core principles, not 9). Listed on the OECD AI Policy Observatory since April 2023.

H

Human oversight: Named accountability, override tested.

A

Accountability: Mapped to UNESCO P5.

i

Inclusivity: Embedded prerequisite, not a pillar.

E

Explainability: Transparency, fairness, non-discrimination.

C

Conduct: UN Universal Conduct Risk Paradigm.

P

Privacy: Data protection, safety, security.

R

Resilience: Sustainability, intergenerational rights.

UNESCO MAPPING:
H → P7 Human Oversight
A → P5 Accountability
i → P4 Multi-stakeholder Governance + P9 Awareness & Literacy
P → P3 Privacy + P2 Safety & Security (+ 2024 UNESCO Neurotech)
E → P6 Transparency & Explainability + P10 Fairness
C → P1 Proportionality / Do No Harm
R → P8 Sustainability

RESILIENCE LAYER

Eight AI Black Swan categories.

For risks that sit outside the operational taxonomy. Each category is a scenario rehearsal, with named owners and a pre-positioned response.

Cat 1 — Foundation model integrity collapse

A frontier model vendor experiences a security or alignment incident compromising every system built on top. Owner: CISO + Chief AI Officer.

Cat 2 — Cascading agent failure across systems

An agent in one part of the organisation triggers downstream errors in dependent systems. Owner: Head of AI Operations.

Cat 3 — Adversarial misuse at scale

External actors industrialise misuse of deployed AI for fraud, impersonation, or social engineering. Owner: Fraud + CISO.

Cat 4 — Regulatory step-change

A jurisdiction reclassifies AI uses you depend on as prohibited or high-risk overnight. Owner: General Counsel + Compliance.

Cat 5 — Data poisoning of public training corpora

Public datasets you fine-tune on are intentionally poisoned, surfacing biased or unsafe outputs. Owner: Head of Data.

Cat 6 — Compute and supply chain disruption

Loss of access to compute, model weights, or critical inference infrastructure. Owner: CTO.

Cat 7 — Multi-agent emergence

Multiple deployed agents interact in ways that produce emergent behaviours none was designed for. Owner: Chief AI Officer + Risk.

Cat 8 — Quantum cryptographic transition

Cryptographic primitives underlying AI system identity, signing, and data integrity become breakable. Migration to NIST FIPS 203 / 204 / 205. Owner: CISO + Architecture.

FLOOR CONDITIONS

Five things every tier must do.

1

Named accountability for every deployed AI system

2

HAiPECR run as a pre-deployment filter, documented

3

Human override capability tested with a 4-hour SLA

4

Documented board or executive risk acceptance

5

Incident reporting pathway, with named recipient

WHERE THIS COMES FROM

The framework lineage.

EW-AiRM™ is grounded in publicly licensed standards: the MIT AI Risk Repository (CC BY 4.0), the UNESCO 2021 Recommendation on the Ethics of AI, NIST AI RMF, ISO 31000 (general risk), ISO 42001 (AI risk management systems), and the UNECE (ECE/TRADE/486, 2024). HAiPECR was originated by Prof. Markus Krebsz and has been listed on the OECD AI Policy Observatory since April 2023.

Want the practical version?

The framework is the conceptual picture. The three-tier comparison shows what it looks like in deployment.

The Human-Ai.Institute is an independent Think/Do Tank convening multilateral and multi-stakeholder dialogue on AI governance. The Institute engages with the UN, UNESCO, OECD, the EU Commission, and governments worldwide.

Home of EW-AiRM™ — the open, three-layer framework for enterprise-wide AI risk management, grounded in publicly licensed standards and aligned with UNESCO, UNECE, NIST, ISO, and the EU AI Act.

CONSULTING, TRAINING & ADVISORY

Commercial consulting, training, and advisory services are provided by De-Risking Solutions Ltd. and RiskAi.Ai.

AI & TECHNOLOGY SOLUTIONS

AI, Agentic tools and technology solutions are provided by Human-Ai.Solutions.

© 2026 The Human-Ai.Institute.

EW-AiRM™ and HAiPECR are trademarks of
De-Risking Solutions Ltd., registered in England and Wales
(Company Number 09900565). All rights reserved.

Listed on the OECD AI Policy Observatory · Founding member of the UN University AI Network · Aligned with UNESCO, UNECE WP.6, NIST, and ISO 42001