A few days ago I published a piece about a law most companies have not actioned — Article 4 of the EU AI Act, in force since February 2, 2025, which asks every organization that uses AI to ensure its people have sufficient AI literacy and to be able to show the evidence. The response told me something: people are not confused about whether AI governance matters. They are confused about what it actually is — what the pieces are, how they connect, and what “done” looks like.
So here is the whole discipline on one page.
Six questions, one map
Most organizations today cannot produce a single, defensible answer to six questions: What AI do we use? Who owns it? What data does it touch? What actions can it take? Which laws apply? What evidence proves we controlled it? Agentic AI — AI that plans, calls tools, holds memory, and acts with delegated authority — adds harder ones: Which non-human identity acted? Which tool was called? What was delegated? Who can stop it?
The map answers those questions with five functions and one extension.
Govern is who decides: principles, a council with a RACI, a management system and acceptable-use policy, role-based training.
Map is what exists: use cases, applications, models, data, tools, vendors, MCP servers.
Measure is what could go wrong: risk classification, threat taxonomy, evals and red teaming, rights and safety impact.
Manage is what you do about it: human oversight, lifecycle gates, vendor review, incident response.
And Prove — the green column — is what convinces an auditor, a board, an insurer, or a customer: the acceptable-use policy, the documented risk assessment, the executive risk report, the board memo, the logs and training and incident records.
Then the blue band. When AI stops answering questions and starts taking actions, governance extends to an agentic control plane: every agent gets a registry entry, a unique identity, a policy record, a gateway for its tool calls, rules for its memory, observability over its behavior, a budget and a time box — and a kill switch with a human checkpoint.
One more detail worth noticing: the arrow that runs from Prove back to Govern. Governance is not a binder. It is a loop. Evidence feeds decisions, decisions produce controls, controls produce evidence.
What this means for each seat at the table
If you sit on a board or run the company: the map shows you the one thing you personally touch — the artifacts in the Prove column. The executive risk report and the board memo are the documents oversight is exercised through. You do not need to know how a gateway works. You need to know that one exists, and to have the record that says so.
If you are the CISO: this is your operating diagram. The threat taxonomy, the red-team requirements, the agentic control plane — these are the surfaces enterprise security questionnaires now ask about by name. Cyber insurers are beginning to ask too, because an organization that can produce an agent registry and an incident log is a measurably different risk than one that cannot.
If you are counsel or compliance: the map translates statutes into operations. Article 4’s training obligation lands in Govern (role-based training) and Prove (training records). The EU AI Act’s risk tiers land in Measure. Colorado’s AI law lands across intake, classification, and disclosure. The map is how legal requirements become somebody’s job.
If you are an employee who uses AI at work: the map explains why the rules exist — and Article 4 says you are entitled to literacy sufficient to your role. That is a 25–35 minute commitment, not a career change.
If you are a regulator, auditor, or enterprise buyer: the green column is your checklist. Ask for the artifacts. An organization that has them can hand you dated, attributed, independently verifiable records. An organization that does not will tell you about its culture.
Where the two platforms fit
This map is not theoretical to us — it is the product architecture.
SanctumShield (sanctumshield.com, $99/month) is the Prove column as a service: regulation-anchored artifacts — acceptable-use policy, executive risk report, board memo, and their companions — generated for your organization’s specific context, each carrying a verification URL good for five years. It complements the enforcement platforms (Google’s Agent Platform, Wiz, and their peers do the runtime work); what it produces is the evidence layer those platforms do not.
SanctumShield Academy (academy.sanctumshield.com, $199/month for 10 rotating seats) is the training row made real: one curriculum, five persona tracks — Board & CEO, CISO, CTO/IT, Legal, and Employee Essentials — spanning 19 modules and roughly 290 pages of CISO-grade governance curriculum and reference material, covering the EU AI Act, Colorado’s AI law, DORA, HIPAA, GDPR, NIST AI RMF, and ISO/IEC 42001 in plain English. Certification is a timed, deterministically scored exam; passing produces a credential with a public verification URL, tamper-evident via SHA-256, valid for three years. Seats rotate; credentials belong to people. A 100-person staff can be credentialed for a few hundred dollars.
Between them: the free, fully public glossary at sanctumshield.com/glossary — every term on this map defined in practitioner English, current through the agentic-era vocabulary (agent identity, tool gateways, MCP supply chain, memory governance, and the rest). Start there. It costs nothing and it is where the map lives.
Said plainly
Three limits, stated the way we would want any vendor to state them. Reading a map is not the same as operating a program — the map tells you what to build; building it is work. Training and artifacts are evidence a compliance case is built from, not compliance itself — “sufficient” is a judgment for your counsel. And no single vendor covers this whole diagram — runtime enforcement, evidence, and literacy are different layers, and anyone who claims all three in one box is selling you the box.
Where to start
The map’s home, with every term defined: sanctumshield.com/glossary. The curriculum, published openly before you spend anything: academy.sanctumshield.com/curriculum.
The discipline fits on one page. The evidence is the point. Judgment is not evidence. Govern accordingly.