§ AI Governance Operating Stack · client-side · no sign-up

Stand up an AI register and tier the risk.

The spine of the stack. Add each AI system or use case once, get a transparent risk tier from a documented rubric (materiality × data sensitivity × deployment × autonomy), see the controls that tier calls for under NIST AI RMF and SR 26-2, and export the whole register to CSV and JSON.

Your register is saved in this browser and reused by the rest of the stack. It is a starting point built by senior practitioners — readiness, not a model validation or a certification.

Your data never leaves your browser — nothing is uploaded. The register lives only in this browser's storage.
§ Read this first

This wizard is a structured starting point for a materiality-based risk-tiering conversation, framed against the NIST AI RMF and SR 26-2. The tiers, scores, and controls are our own structured heuristics, not codified regulatory definitions. This is not a model validation, not legal or regulatory advice, and not a certification. DSE prepares programs for audit and does not certify or guarantee any examination outcome. Nothing you enter is uploaded.

§ 01 — Your AI register · saved in this browser

Your AI register

Each AI system or use case is one record. Owner is a role or team, never a person. The register persists in this browser and is reused across the stack. Use Export to keep a copy or move it to another machine.

§ 02 — Add or edit a system · the rubric runs on save

System details

Fill the fields and save. The wizard computes the risk tier and the required controls, then writes the record to your register.

The system type drives the autonomy term in the rubric. Generative and agentic AI fall outside SR 26-2 model-risk scope.
Why this tier

How the rubric scored it

Required controls for this tier

§ Frameworks in scope · organize the program around these

§ 03 — How the rubric works · fully transparent

The tiering rubric

The tier is a simple, transparent points total across four factors. It is a structured heuristic to organize a governance conversation — not a codified NIST AI RMF or SR 26-2 tier definition.

Materiality
high = 3 · med = 2 · low = 1 — financial, customer, and reputational exposure if the system is wrong.
Data sensitivity
regulated = 3 · confidential = 2 · internal = 1 · public = 0 — consumer NPI, credit, or other regulated data raises the stakes.
Deployment
cloud = 2 · vendor = 2 · internal = 1 — third-party and cloud paths add exposure and shift controls to vendor/third-party risk.
Autonomy (from type)
agentic = 3 · genAI = 2 · vendor-embedded = 2 · predictive = 1 — how much the system acts on its own.
Tier bands
total ≥ 9 → Tier 1 (High) · 6–8 → Tier 2 (Moderate) · ≤ 5 → Tier 3 (Limited).
Controls
Each tier maps to readiness controls framed against the NIST AI RMF functions (Govern, Map, Measure, Manage) and SR 26-2's validation, effective-challenge, and monitoring expectations. Fair-lending testing is added whenever Fair Lending (ECOA/Reg B) is in scope, regardless of tier.
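
The scoring described above, as an added example that is not the wizard's own code: the point tables and bands are copied from the rubric text, while the record field names and the `fairLending` flag are assumptions. It uses an own-property lookup so that the valid 0 for public data is kept and an unknown value fails instead of silently lowering the tier.

```javascript
// Added example, not the wizard's code. Point values come from the rubric
// text; the record field names and the fairLending flag are assumptions.
const RUBRIC = {
  materiality: { high: 3, med: 2, low: 1 },
  dataSensitivity: { regulated: 3, confidential: 2, internal: 1, public: 0 },
  deployment: { cloud: 2, vendor: 2, internal: 1 },
  // Autonomy is derived from the system type.
  type: { agentic: 3, genAI: 2, "vendor-embedded": 2, predictive: 1 },
};

function tierSystem(record) {
  const breakdown = {};
  let total = 0;
  for (const [factor, table] of Object.entries(RUBRIC)) {
    const value = record[factor];
    // Own-property test rather than truthiness: "public" scores a valid 0,
    // while a missing or misspelled value must fail, not under-tier.
    if (!Object.prototype.hasOwnProperty.call(table, value)) {
      throw new RangeError(`${factor}: unrecognized value ${JSON.stringify(value)}`);
    }
    breakdown[factor] = table[value];
    total += table[value];
  }
  // Bands: total >= 9 is Tier 1, 6 to 8 is Tier 2, 5 or less is Tier 3.
  const tier = total >= 9 ? 1 : total >= 6 ? 2 : 3;
  return {
    total,
    tier,
    label: ["High", "Moderate", "Limited"][tier - 1],
    breakdown,
    // Fair-lending testing applies regardless of tier when in scope.
    fairLendingTesting: record.fairLending === true,
  };
}

// Constructed sample register (illustrative systems, not real data).
const sampleRegister = [
  { name: "Credit decision model", materiality: "high", dataSensitivity: "regulated", deployment: "internal", type: "predictive", fairLending: true },
  { name: "Customer support agent", materiality: "high", dataSensitivity: "confidential", deployment: "cloud", type: "genAI" },
  { name: "Marketing copy drafting", materiality: "low", dataSensitivity: "public", deployment: "vendor", type: "genAI" },
];

function tierRegister(register) {
  return register.map((r) => ({ name: r.name, ...tierSystem(r) }));
}

console.table(tierRegister(sampleRegister), ["name", "total", "tier", "label"]);
```

The three constructed records land on 8, 9, and 5 points, which sit on either side of both band boundaries.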

Rubric last reviewed: 2026-06-28. Framework references (NIST AI RMF 1.0; SR 26-2, the April 2026 interagency guidance that replaced SR 11-7 and the SR 21-8 BSA/AML statement) are re-checked quarterly. This is guidance, not legal advice.

Last reviewed: 2026-06-28 · Initial release — Wave 1 spine of the AI Governance Operating Stack: a client-side AI register, a transparent risk-tiering rubric, required-controls mapping, and CSV + JSON export/import.

§ When you want it built for you · fixed-fee, senior-only

From a starter register to an auditor-ready program.

This wizard gets your inventory and tiering started. When a tier carries real obligations, a principal pressure-tests the tiering, maps controls to SR 26-2 and the frameworks around it, and scopes the readiness work in a 30-minute call.

§ What this is · and what it isn't

A register and a tiering starting point. Not certification.

This wizard is a structured heuristic for building an AI inventory and organizing a materiality-based tiering conversation framed against the NIST AI RMF and SR 26-2. It does not perform a model validation, does not provide legal or regulatory advice, and does not certify NIST AI RMF, SR 26-2, or any other compliance. The tiers, scores, and controls are our own structured device, not codified regulatory definitions.

DSE provides AI governance and compliance readiness consulting. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance. We cannot guarantee passing an audit or avoiding enforcement, and we do not provide legal advice. We work alongside your counsel.