Tiered Governance Model
A 4-tier AI governance model (T0-T3) for banks, insurers, and asset managers. Aligned to NIST AI RMF, ISO/IEC 42001, and the EU AI Act.
The four tiers
T0 — Read-only
AI used for read-only tasks: summarisation, classification, search. No agent actions, no tool calls, no write access. Lowest risk. Typically no model risk management required.
T1 — Advise
AI used to advise a human: a draft email, a draft report, a draft code review. The human reviews and approves before any action. Low risk. Standard model risk management.
T2 — Act under supervision
AI acts on behalf of a human, but every action is logged, attributed, and reversible within a defined window. The human can audit and roll back. Medium risk. Enhanced model risk management.
T3 — Act autonomously
AI acts without human approval. Every action is logged and audited after the fact. The agent has the Substrate Pattern and Defence in Depth in place. Highest risk. Full model risk management, including the EU AI Act's high-risk system requirements.
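As an added example that is not part of this framework page or of Regulus, a minimal Python policy gate that enforces the tier semantics above at the point where an agent calls a tool: T0 refuses any write, T1 refuses a write that lacks a recorded human approval, T2 journals every action with an attributed undo that is only honoured inside the rollback window, and T3 journals for after-the-fact audit only. The tool names, actor identifiers, the 300-second window and the in-memory ledger are constructed assumptions.

```python
import time
from enum import IntEnum

class Tier(IntEnum):
    T0 = 0  # read-only: summarise/classify/search, no writes or tool actions
    T1 = 1  # advise: a human approves before any action runs
    T2 = 2  # act under supervision: logged, attributed, reversible in a window
    T3 = 3  # act autonomously: logged and audited after the fact

READ_ONLY_TOOLS = {"summarise", "classify", "search"}  # assumption: declared by deployment

class TierPolicy:
    """Gate every agent tool call on the tier the deployment is approved for."""
    def __init__(self, tier, rollback_window_s=300, clock=time.time):
        self.tier, self.window, self.clock = tier, rollback_window_s, clock
        self.journal = []  # one attributed entry per executed action

    def execute(self, tool, run, undo, actor, approved_by=None):
        writes = tool not in READ_ONLY_TOOLS
        if writes and self.tier == Tier.T0:
            raise PermissionError(f"T0 permits no write or tool action: {tool}")
        if writes and self.tier == Tier.T1 and approved_by is None:
            raise PermissionError(f"T1 requires human approval before {tool} runs")
        result = run()
        self.journal.append({"ts": self.clock(), "tool": tool, "actor": actor,
                             "approved_by": approved_by, "undo": undo, "reverted_by": None})
        return result

    def rollback(self, index, reviewer):
        # Reversal is the T2 control: T0/T1 never act unapproved, T3 is audit-only.
        if self.tier != Tier.T2:
            raise PermissionError("rollback only applies at T2")
        entry = self.journal[index]
        if self.clock() - entry["ts"] > self.window:
            raise TimeoutError("rollback window closed; escalate to after-the-fact audit")
        entry["undo"]()
        entry["reverted_by"] = reviewer
        return entry

def demo_t2_rollback(elapsed_s):
    # One T2 write, then a rollback attempt elapsed_s seconds later on a simulated clock.
    now = [1000.0]
    policy = TierPolicy(Tier.T2, rollback_window_s=300, clock=lambda: now[0])
    ledger = []  # constructed stand-in for the system of record
    policy.execute("book_trade", lambda: ledger.append("T-1"), ledger.pop, actor="agent-7")
    now[0] += elapsed_s
    try:
        policy.rollback(0, reviewer="ops-reviewer")
    except TimeoutError:
        pass
    return list(ledger)
```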
Regulations mapped
NIST AI RMF 1.0
US National Institute of Standards and Technology AI Risk Management Framework. The 4 tiers map to the Govern, Map, Measure, Manage functions.
ISO/IEC 42001
International AI management system standard. The 4 tiers map to the AI management controls and the AI risk treatment.
EU AI Act
European Union AI regulation. T3 maps to "high-risk AI systems" with the corresponding conformity assessment, documentation, and human oversight requirements.
UK AI policy
UK pro-innovation approach. The 4 tiers map to the five cross-sectoral principles: safety, security, transparency, accountability, and contestability.
India IndiaAI Mission
India's national AI programme. The 4 tiers are aligned with the IndiaAI compute cluster access tiers and the application review process.
FAQ
What is the Tiered Governance Model for AI?
A 4-tier framework (T0-T3) for AI governance in regulated industries. T0 is read-only AI. T1 is advise-only AI. T2 is act-under-supervision AI. T3 is act-autonomously AI. Each tier has its own risk profile, model risk management, and regulatory implications.
How does the Tiered Governance Model relate to NIST AI RMF?
The 4 tiers map cleanly to the NIST AI RMF functions. T0 = Map + Manage. T1 = Map + Measure + Manage. T2 = all four with elevated controls. T3 = all four with the highest controls, including human-AI configuration, ongoing monitoring, and post-deployment audit.
How does the Tiered Governance Model relate to the EU AI Act?
T3 maps to "high-risk AI systems" under the EU AI Act, with the corresponding conformity assessment, technical documentation, risk management, data governance, transparency, human oversight, accuracy/robustness/cybersecurity, and post-market monitoring. T2 maps to "limited risk" with the corresponding transparency obligations. T0 and T1 are below the EU AI Act's risk thresholds.
Who uses the Tiered Governance Model?
The Tiered Governance Model was developed at Neul Labs, applied in production at regulated financial-services firms, and presented to the FCA sandbox. It is now used by other AI teams building in regulated industries: banking, insurance, asset management, healthcare. It is the standard model for AI governance in production at Neul Labs.
What is Regulus?
Regulus is the EU + UK compliance plane for Google ADK (Agent Development Kit). It implements the Tiered Governance Model for production agent systems: 6 plugins, 10 regulations (EU AI Act, GDPR, DORA, NIS2, EHDS, UK GDPR, FCA SYSC, PRA SS1/23, PRA SS2/21, NHS DSPT), 6 governance frameworks (NIST AI RMF, ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 23053). It was open-sourced by Neul Labs and Skelf Research (not at any employer).