Your Clients Know These Frameworks. Do You?
When a US enterprise client sends your BPO a vendor questionnaire about AI governance, their legal team is working from a framework. When a foreign investor asks your mining operation how you govern your AI systems, their due diligence checklist references a standard. When a Philippine company applies for cyber liability insurance and the underwriter asks about AI controls, the questions come from somewhere.
That somewhere is almost always one of two frameworks: the NIST AI Risk Management Framework or the COSO Internal Control guidance for Generative AI. Sometimes both. Increasingly, ISO 42001 is added to the mix.
Most Philippine business leaders deploying AI have never read these documents. Most of their technology vendors have never read them either. The gap between what these frameworks require and what Philippine organizations actually have documented is where compliance risk — and contract risk — lives.
I spent years running governance, risk, and assurance at Shell's North American operations. COSO is the internal control framework that underpins every serious financial audit. NIST frameworks are the US government's standards for risk management. These are not new ideas invented for AI — they are established methodologies applied to a new problem. And a forensic accountant who has spent decades working with both is exactly the right person to translate them for Philippine business leaders who need to pass the audit, not just read the framework.
Who this article is for
Philippine business leaders — BPO managing directors, mining CFOs, logistics operations heads, professional services firm owners — who are deploying AI and need to understand what governance frameworks their US clients, foreign investors, and insurers are referencing. No technology background required. This is a controls conversation, not a technology conversation.
Two Frameworks. Two Different Questions.
NIST and COSO are complementary, not competing. They answer different questions — and together they cover the full scope of what auditors, investors, and clients want to see.
NIST AI RMF
Published by the US government in 2023. Voluntary but increasingly referenced in procurement, contracts, and insurance. Organizes AI risk management into four functions: Govern, Map, Measure, and Manage. Focuses on the full AI system lifecycle — from design through deployment and monitoring. Used by US federal agencies, enterprise procurement teams, and defense contractors. If your client is a US company or government-adjacent, they know NIST.
COSO Internal Control Guidance for Generative AI
Published in early 2026. COSO is the internal control framework behind every financial audit your foreign investors have ever run on your books. The GenAI guidance applies COSO's five-component Internal Control framework to AI specifically. Where NIST asks what risks exist, COSO asks whether your controls are designed correctly and operating effectively. If your investors or auditors use COSO for financial reporting — and they do — they now expect it for AI too.
The one-sentence version
NIST tells you what to govern. COSO tells you how to prove you're governing it. Most Philippine organizations can't do either right now. The FAIG assessment measures both.
NIST AI RMF — What It Actually Requires
The NIST AI Risk Management Framework organizes AI governance into four integrated functions. This is not abstract theory — these are the categories US procurement teams check when they audit your AI practices.
Govern
Establish accountability, policies, and oversight for AI. Who owns each AI system? Who approved it? What is your acceptable use policy? What is your board or leadership's visibility into AI risk?
Map
Identify and categorize AI risks in context. What AI systems are in use? What data do they touch? What decisions do they influence? Where are the highest-consequence failure points?
Measure
Analyze and assess AI risks quantitatively and qualitatively. How often do AI outputs get human review? What is your error rate? How do you validate AI outputs before they affect operations or clients?
Manage
Prioritize and address AI risks with documented controls. What is your incident response procedure? How do you handle AI failures? What is your rollback and remediation process?
The honest assessment of most Philippine organizations against these four functions: they can partially answer Map (they know what tools they're using), but they have almost nothing documented for Govern, Measure, or Manage. That is the gap that creates compliance risk.
COSO GenAI — What It Actually Requires
COSO's Internal Control framework has five components. Every financial auditor in the world knows these. In 2026, COSO published guidance applying all five to generative AI. Here is what each component means in practice for an organization deploying AI:
Control Environment
Tone at the top. Does leadership take AI governance seriously? Are there defined roles and accountability for AI oversight? Is there an ethical standard for AI use?
Risk Assessment
Have you identified which AI use cases carry material risk? Have you assessed the likelihood and impact of AI failures? Is shadow AI being tracked?
Control Activities
What specific controls prevent AI failures? Human review checkpoints, access restrictions, output validation, vendor data agreements — documented and operating.
Information and Communication
Do the right people know what AI is being used and what risks exist? Are clients and investors informed? Is there a clear escalation path when AI issues arise?
Monitoring Activities
Are controls being tested? Is AI performance tracked over time? Are there regular reviews of the AI inventory to catch new ungoverned deployments?
The critical insight from the 2026 COSO GenAI guidance: AI governance is not a technology problem — it is an internal control problem. The questions COSO asks about AI are identical in structure to the questions it asks about financial reporting controls. Is there accountability? Are controls designed correctly? Are they operating effectively? Can you produce evidence?
That reframing matters enormously for Philippine business leaders. You do not need a team of AI engineers to build a governance framework. You need the same controls discipline that a good financial audit requires — applied to AI.
Why a Forensic Accountant Is the Right Person for This
Most AI governance advice in the Philippines comes from technology vendors trying to sell you software, or consultants whose background is IT rather than controls. The gap in that advice is exactly what COSO identifies: controls are not a technology question. They are an accountability question.
The discipline I applied as Shell's Governance, Risk, and Assurance Manager — identifying what can go wrong, designing a control to prevent it, testing that the control works, documenting the result, reporting it to leadership — is a direct application of the COSO framework to operational risk. I applied this methodology to a $36 billion payment cards business, to retail operations across North America, and to forensic analysis supporting anti-corruption work with Philippine authorities.
The methodology does not change when the risk is AI rather than financial fraud. The questions are the same: Where is the accountability? Who owns the data? Can the control be audited? What happens when it fails?
That is the lens the FAIG assessment applies — and it is the lens your US clients and foreign investors are using when they audit your AI governance.
How FAIG Maps to NIST and COSO
The Fisher AI Implementation Gauge was built to measure exactly what these frameworks require — in a format practical for Philippine SMBs rather than Fortune 500 compliance departments.
Data Governance maps to the NIST Map function and COSO Control Activities — where does your data go, who processes it, what are your vendor agreements.
Security Posture maps to the NIST Manage function and COSO Risk Assessment — do your AI vendors meet a baseline security standard, are sub-processors identified.
Human Oversight maps to the NIST Govern and Measure functions and COSO Control Activities — are humans reviewing AI outputs before they affect clients or operations.
Vendor Due Diligence maps to the NIST Map function and COSO Control Environment — have you evaluated your AI vendors the way you would evaluate a financial auditor.
Organizational Readiness maps to the NIST Govern function and COSO Control Environment — do you have the policies, roles, and change management to govern AI after deployment.
Your FAIG score tells you, across all five categories, exactly where your documentation gaps are before your client or investor asks.
ISO 42001 — The Third Framework Worth Knowing
ISO/IEC 42001:2023 is the international AI management system standard — the AI equivalent of ISO 9001 for quality or ISO 27001 for information security. It is now required for EU AI Act compliance and increasingly referenced in enterprise vendor requirements globally.
For most Philippine SMBs, full ISO 42001 certification is not the immediate priority. But knowing what it requires — and building governance documentation aligned with it — means that when a client or investor references it, you can respond intelligently rather than scrambling.
The FAIG framework and Monte's governance engagement methodology are designed to produce documentation aligned with NIST AI RMF, COSO GenAI, and ISO 42001 simultaneously. You do not build three separate frameworks. You build one well-structured governance package that satisfies all three.
The most common mistake Philippine organizations make
Treating AI governance as a one-time project rather than an ongoing control. COSO's GenAI guidance is explicit: shadow AI — tools deployed without governance review — is one of the highest risks in 2026. Organizations that build a governance framework today and then stop monitoring will find their framework outdated within six months as new AI tools get deployed by staff without oversight. Governance is a monitoring function, not a documentation exercise. The organizations that get this right build it into their operating rhythm — the same way financial controls are reviewed in every audit cycle.
What You Need to Be Able to Show
If a US client or foreign investor sent you an AI governance questionnaire today, here is what they would expect to see — mapped to the frameworks they are using:
- AI system inventory with ownership assigned — satisfies NIST Map and COSO Control Environment
- Data flow documentation for each AI system — satisfies NIST Map and COSO Control Activities
- Vendor data processing agreements — satisfies NIST Manage and COSO Control Activities
- Human oversight checkpoints documented — satisfies NIST Govern/Measure and COSO Control Activities
- Incident response procedure tested — satisfies NIST Manage and COSO Monitoring Activities
- Leadership visibility into AI risk — satisfies NIST Govern and COSO Control Environment
- Regular review process for new AI deployments — satisfies NIST Govern and COSO Monitoring Activities
Most Philippine organizations can produce this documentation set in four to six weeks with the right methodology. The FAIG assessment identifies exactly which gaps are most critical for your specific situation before any work begins.
Find out where your gaps are — before your client does.
Take the free FAIG assessment — 15 questions, 5 minutes, no signup. Aligned with NIST AI RMF, COSO GenAI, and ISO 42001. Or message Monte directly to discuss your specific situation.
Free assessment · No upfront fees · Independent advice · Based in Makati