The VALID Framework
A universal AI governance model structured as a dependency hierarchy. Five layers. 26 controls. One governing principle.
VALID is not a compliance checklist. It is a governance architecture built on an organisational truth: you cannot govern what you cannot see, you cannot prove what you have not measured, you cannot trust what you have not monitored, you cannot govern what no one owns, and you cannot recover what you were not prepared to lose.
The framework is published under CC BY-ND 4.0 and freely available for adoption, reference, and implementation with attribution.
Five Layers. One Governance System.
Each layer both depends on and enables the others. A gap in any single layer compromises every other layer.
Every governance system begins with inventory. The Visibility layer requires organisations to register all AI systems, document data lineage, conduct proxy variable audits, document limitations and failure modes, and detect shadow AI.
Maintain a comprehensive register of all AI systems, including purpose, owner, risk classification, and lifecycle status.
Document data sources, quality measures, transformation steps, and lineage for each AI system.
Audit all proxy variables used by AI systems to identify potential sources of indirect discrimination.
Document known limitations, failure modes, and edge cases for each AI system.
Discover unauthorised AI systems running in your organisation. Addresses unregistered AI systems through network analysis and integration scanning.
You Cannot Skip Layers
The VALID Framework is structured as a dependency hierarchy. Accountability requires Visibility. Lifecycle Monitoring requires Accountability. Integrity requires Lifecycle Monitoring. Defence requires Integrity. A maturity score cannot advance until the layer beneath it reaches functional level (score ≥ 3).
Six Maturity Levels
Your VALID maturity score reflects the lowest-performing layer. Governance cannot be claimed until every layer is functional.
Unaware
No governance controls in place. AI systems are operating without oversight.
Aware
Visibility layer partially complete. Organisation has begun AI inventory.
Accountable
Visibility and Accountability layers functional. Evidence can be produced for regulators.
Monitored
Lifecycle Monitoring active. Drift detection and governance triggers operational.
Advanced
Integrity assured. Named owners in place. Comprehensive governance with continuous improvement. All controls satisfied.
Resilient
Full governance maturity including agentic defence. Organisation can withstand AI incidents and regulatory scrutiny.
Mapped to Regulatory Requirements
VALID controls map directly to the EU AI Act, ISO 42001, and NIST AI RMF. Achieving VALID maturity means satisfying the underlying regulatory obligations simultaneously.
| Regulation / Standard | Requirement | VALID Controls |
|---|---|---|
| EU AI Act Art. 9 | Risk Management | L-01, L-02, L-04 |
| EU AI Act Art. 13 | Transparency | A-01, V-05 |
| EU AI Act Art. 14 | Human Oversight | A-04, D-05 |
| EU AI Act Art. 15 | Accuracy / Robustness | D-04, D-05 |
| ISO 42001 A.6.2.5 | - | D-05, L-02 |
| ISO 42001 A.9.2 | - | D-05, A-06 |
| NIST AI RMF Govern | - | I-01, I-02, I-03 |
| NIST AI RMF Map | - | V-01, V-02, V-03 |
| NIST AI RMF Measure | - | A-02, L-02 |
| NIST AI RMF Manage | - | D-01, D-02, D-05 |
An Academically Grounded Framework
VALID is not a marketing construct. It is a peer-reviewed governance architecture developed through academic research.
Publication
SSRN white paper
UK Trademark
Filed (Nice Classes 41, 42)
Licence
CC BY-ND 4.0
“Norivo is the commercial platform that implements the VALID Framework. The framework is developed through peer-reviewed research and validated through real-world application.”
Book a Scoping Call
Every engagement is structured around the VALID Framework: 26 controls across 5 layers, delivered as a managed service.
Read the VALID White Paper