Appearance
Governance, Documentation Standards, and Capability
This page covers the organization-level foundations that every per-system risk cycle consumes: the internal policies and procedures (ORF-448), the governance ladder and risk tolerance (ORF-453), the documentation standards that keep registers comparable (ORF-454), and the human capability the whole method depends on (ORF-455). Together with the four pillar alignments (ORF-449–ORF-452, covered under Reference pillars and context scoping), these are the eight requirements of OFF-23.
The framework presumes this machinery exists whenever the per-system cycle runs: acceptance decisions reference an approved tolerance, escalations reference a decision ladder, registers follow a common schema, and treatment plans lean on trained people. OFF-23 is where each of those artifacts gets a documented home.
Primary source
SDAIA, National Artificial Intelligence Risk Management Framework, SDAIA-P145, version 1.0, April 2026. This page draws on the sections «الغرض من الإطار» (purpose), «نطاق الإطار» (scope), «الجمهور المستفيد» (audiences), and the governance expectations embedded in the treatment and monitoring stages. The Arabic text is authoritative; English renderings are unofficial translations.
Internal AI risk management policies and procedures (ORF-448)
The framework is explicit that it does not replace an entity's own rulebook. It provides guiding lines, methodologies, and tools that help entities build their internal policies and procedures for identifying, assessing, treating, or accepting AI risks, in a manner suited to their institutional position. The deliverable under ORF-448 is that internal policy, built with the framework as the guiding reference and covering the five-stage cycle: context and scope, risk identification, risk assessment, risk treatment, and monitoring and review.
Two framework positions shape the policy's scoping rules:
- Focus proportional to impact. The framework concentrates on systems with high impact on individuals, assets, and operations — including predictive models, natural language processing, image and video analysis, intelligent automation, and general-purpose models. The internal policy's scoping rules should reflect that concentration.
- Flexibility without loss of method. The framework targets all government and private entities across sectors and maturity stages and grants flexibility in application without prejudicing the principles of methodical risk management. The policy records how the organization exercises that flexibility.
The policy should also state which of the framework's three audience roles the organization occupies per AI system — developer, operator, or policymaker — since what it demonstrates differs accordingly.
Risk governance, decision rights, and risk tolerance (ORF-453)
The framework rests on building an institutional, technical, and organizational environment capable of comprehending AI risks and dealing with them proactively, through clear governance and defined controls. ORF-453 holds the three artifacts the per-system cycle consumes:
- An approved risk tolerance («مستوى التحمل المعتمد») and acceptable risk level with its controls. Acceptance in the per-system cycle is only available when residual risk is demonstrably within this tolerance (
MRF-424,MRF-426,MRF-427); defining and approving it happens here, once. - A decision-rights and escalation ladder in which the decision level matches the system's riskiness — which role or body decides at which risk level, including who can approve conditional release, restricted use, or suspension.
- Documented roles, approval paths, and escalation paths, for accountability, transparency, and reviewability.
The division of labor with the app level is clean: per-system decisions and their evidence live in the MFF-23 requirements; ORF-453 holds the enterprise artifacts those decisions reference.
AI risk documentation standards (ORF-454)
A unified national methodology only works if registers are comparable. ORF-454 sets the organization-wide standards per-system registers follow: unified terminology, a unified method of documentation and comparison, documented risk scenarios, and register-quality expectations: organized, auditable entries that feed treatment and escalation decisions.
The framework requires standards and per-system register upkeep; it does not prescribe a single centralized repository. A consolidated portfolio view is a reasonable implementation choice, with register ownership staying with each system.
The framework's worked example supplies a concrete register schema, recording per risk: classification, description, source, intent, timing, associated vulnerabilities, affected groups, nature of impact, likelihood with factor-by-factor justification, impact, risk level, treatment strategy, executable controls, decision, residual risk, and monitoring arrangements. Review outputs (MRF-429), monitoring results (MRF-428), and incident records and lessons learned (MRF-430) all land in the register under these standards.
AI risk awareness and capability development (ORF-455)
The framework names strengthening entities' readiness, growing human capabilities, and entrenching risk awareness among its stated aims, and its own worked scenario shows why. The highest-frequency mitigations there are human ones: mandatory human review, awareness of the model's limits, data-entry discipline. Risk controls that depend on people only hold in operation if the people are trained for them.
ORF-455 evidences two things:
- Risk-derived training and awareness. Training and awareness content for the personnel who develop, operate, and review AI systems, derived from each system's actual risks and treatment plans — not a generic curriculum. Capability content differs by role: design-stage risk integration for developers, operating procedures and incident duties for operators. The framework also treats erosion of human competence through sustained reliance on AI as a register-worthy risk in its own right; its illustrative treatments include continuous skills programs, tasks reserved for unassisted human work, and periodic competence assessment.
- The policy function, where the organization owns one. The framework's third audience, policymakers, has a distinct capability need: assessing the readiness of existing governance frameworks, identifying gaps, and developing graduated policies and rules that support responsible innovation and protect individuals and society, grounded in a clear methodology for classifying risks and the required control levels. In an organizational context this belongs to whoever owns internal AI policy.
Cross-framework mapping (preview)
Preview
- ISO/IEC 42001 — policies, governance roles, risk criteria, documentation discipline, and competence correspond to the management-system leadership, planning, support, and documented-information clauses; Modulos realises much of this overlap through shared controls.
- NIST AI RMF — the four requirements on this page map naturally onto the Govern function's policy, accountability, and workforce outcomes.
- FINMA AI Governance / UAE Consumer AI — the same governance-first pattern appears in the supervisory frameworks: an org-level template holding policy, tolerance, and training, consumed by per-use-case execution templates.
These are framework-level adjacencies; cross-framework reuse is realised at the control layer, not as clause-by-clause equivalence.
Related pages
Reference pillars and context scoping
The other half of OFF-23: the four pillar alignments — ORF-449–452
Risk treatment, monitoring, and incidents
The per-system activities that consume the tolerance and ladder — MRF-424–430
Governance operating model
How projects, requirements, controls, and evidence fit together in Modulos
Operationalizing in Modulos
The OFF-23 / MFF-23 rollout sequence, control split, and evidence model
Source attribution
The authoritative source is the National Artificial Intelligence Risk Management Framework (SDAIA-P145, version 1.0, April 2026), published by the Saudi Data and Artificial Intelligence Authority. This page draws on the purpose, scope, and audience sections and the governance expectations embedded in the treatment and monitoring stages, with illustrative measures from the applied scenario in the appendix. The Arabic text is authoritative; English renderings are unofficial translations. Requirement and control codes are Modulos template identifiers, not SDAIA references.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. The framework is advisory and creates no new obligations. Verify against the current published edition and consult qualified advisers.