Teleosyn AI

← Back to home

About This Framework

Built on primary sources, maintained like a living standard

The Enterprise AI Strategy Suite was designed by practitioners who have stood up AI governance programs inside regulated industries. Every artifact cites the standard it implements. Every claim is traceable to a primary source.

Who built this

The suite was developed by a team with direct experience standing up AI governance programs for enterprise clients in financial services, healthcare, manufacturing, and the public sector. The authors include practitioners who have:

  • Led AI Centers of Excellence at Fortune 500 companies
  • Advised boards and audit committees on AI risk posture
  • Navigated NIST AI RMF and ISO 42001 gap assessments with external auditors
  • Designed model risk management programs for FINRA-regulated environments

The framework is not a theoretical exercise. It was refined through the messy reality of enterprise implementation: the board questions that don’t have clean textbook answers, the compliance gaps that only surface under auditor scrutiny, and the organizational dynamics that determine whether a governance program actually runs or just exists on paper.

Want to talk through your situation with the team? Book a working session →

Standards mapping

Every section of the framework is mapped to at least one primary standard. The table below shows which standards each major document area addresses and links to the relevant artifacts.

NIST AI Risk Management Framework (AI RMF 1.0)

NIST's voluntary framework organizes AI risk management around four functions: GOVERN, MAP, MEASURE, and RESPOND, with a companion Playbook that lists suggested actions for each. Every governance and operational artifact in the Enterprise Program maps to one or more GOVERN or MANAGE actions explicitly.

ISO/IEC 42001:2023: AI Management System

ISO 42001 is the first auditable AI management system standard, modeled on the familiar Annex SL structure used by ISO 27001 and ISO 9001. The framework's governance charter, policy register, and audit artifacts are structured to satisfy the Clause 4–10 requirements so an organization can use them as the documented evidence base for a gap assessment or certification audit.

HIPAA (45 CFR Parts 160, 162 & 164): Healthcare AI

HIPAA's Security Rule and Privacy Rule apply to AI systems that create, receive, maintain, or transmit protected health information. The framework's HIPAA sector appendix addresses administrative safeguard requirements for AI system access controls, audit logs, and workforce training.

FINRA & SOX: Financial Services AI

FINRA's supervision rules (NASD 3010, FINRA 3120) and the SEC's existing recordkeeping requirements apply when AI assists in producing investment advice, communications, or trading decisions. The SOX internal controls appendix addresses AI's role in financial reporting processes.

SOC 2 Type II: AI trust services criteria

The Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (CC-series) apply to AI systems within the scope of a SOC 2 audit. The model lifecycle runbook and incident response playbook generate the operational evidence an auditor needs for CC6, CC7, and CC9.

FedRAMP: US Federal AI Cloud Security

FedRAMP's moderate and high baselines apply to cloud AI services used by US federal agencies and their contractors. The FedRAMP appendix maps the relevant NIST 800-53 controls (AC, AU, CA, CM, IR, RA, SA, SI control families) to the framework's operational runbooks.

US state AI laws (Colorado SB 205, and similar)

A growing set of US state laws (Colorado's AI Act, Connecticut's proposed framework, and others in active drafting) require impact assessments and reasonable care against algorithmic discrimination for high-risk automated decisions. These laws borrow much of their risk-tiering logic from the EU AI Act, so the same classification work supports both. The Risk Tiering Wizard and Algorithmic Impact Assessment Template map directly to the statutory requirements.

EU Artificial Intelligence Act (2024/1689)

For organizations with any EU-facing operations, the EU AI Act creates a risk-tiered regulatory regime: prohibited practices, high-risk systems (Annex III), GPAI models (Articles 53 to 55), and limited or minimal risk categories, with staggered enforcement dates beginning February 2025. It's also the template several US state laws are drawing from, so understanding it clarifies where domestic requirements are headed even for US-only operations. The Risk Tiering Wizard operationalizes the classification decision; the Algorithmic Impact Assessment Template covers the conformity documentation requirements for high-risk systems.

GDPR (EU) 2016/679: AI data processing implications

GDPR's lawful basis, data minimisation, purpose limitation, and automated decision-making rights (Articles 13 to 14, 22) impose obligations on any AI system processing personal data of EU residents. Several US state privacy laws (California, Colorado, Virginia) echo the same principles, so the same privacy appendix and Algorithmic Impact Assessment cover both.

How the framework is kept current

Governance frameworks decay when regulations change and documents don’t. Here’s how we prevent that.

Regulatory monitoring

The Regulatory Pulse feed tracks major milestones (EU AI Act enforcement dates, NIST updates, state legislation) and triggers a document review when a provision materially affects a framework artifact.

Annual standards review

Each standards body (NIST, ISO, EU) runs a periodic review cycle. We review the framework against any updated guidance or errata within 90 days of publication.

Generator-based authoring

All 89+ Office and drawio artifacts are produced by generator scripts, not hand-edited. When a section needs updating, the generator is edited and the artifact regenerated, eliminating the version drift that plagues manually maintained document suites.

Versioned changelog

Every substantive update is logged in the Changelog with a date and a description of what changed and why, so compliance teams can demonstrate to auditors that the framework is actively maintained.