THE FRAMEWORK
Traditional ERM was built for risk that behaves deterministically, with failures that leave a traceable causal chain. AI breaks both assumptions. EW-AiRM™ is the layer that closes the gap, built to augment what you already run, not replace it.
ARCHITECTURE
Most AI risk frameworks pick a level and stay there: EW-AiRM™ deliberately spans three layers, because the strategic questions cannot be answered with operational tools alone, and the operational layer cannot anticipate Black Swans. And the HAiPECRTM ethical filter running across all of them. With a AI controls library drawn from over 800 evidence-based mitigations, not just asserted from first principles.
LAYER 1
Six pillars. Necessity, readiness, maturity, tolerance, governance and accountability, through-the-lifecycle monitoring. Sets the conditions any AI deployment has to meet before it goes live.
Can also be applied retrospectively, as part of an enterprise's AI maturity assessment.
Complemented by HAiPECRTM, the ethical filter: the same seven questions asked at every significant AI decision, across all three layers, aligned to UNESCO's 2021 Recommendation.
LAYER 2
MIT AI Risk Repository (CC BY 4.0): more than 1,000 risks across 7 domains and 24 subdomains.
Mapped to 831 controls in 4 quadrants (Governance & Oversight, Technical & Security, Operational Process, Transparency & Accountability).
For control mappings in Primary, Secondary, and Tertiary tiers.
This layer does not ask organisations to build an AI risk taxonomy from scratch; it gives practitioners the evidence base and the tools to apply it.
LAYER 3
Eight AI Black Swan categories -governed, governed through Robust Foundations, Continuous Sensing, Adaptive Response.
Includes multi-agent emergence and the quantum cryptographic transition (NIST FIPS 203/204/205).
For risks that do not fit the operational taxonomy.
The response to unknown unknows is resilience, not prediction.
FLOOR CONDITIONS : The 5 Non-Negotiables
1
Named accountability for every deployed AI system
2
HAIPECR run as a pre-deployment filter, documented
3
Human override capability tested with a 4-hour SLA
4
Documented board or executive risk acceptance
5
Incident reporting pathway, with named recipient
STRATEGIC LAYER
Each pillar is a question the organisation must answer in writing before a system can be deployed, and a check that must hold across the deployment lifecycle.
P-I
Strategic Alignment
+ Necessity Assessment
Is AI the right tool for this problem at all? If a deterministic system would do the job, AI is the wrong answer.
P-II
P-III
Technological Maturity
Is the underlying model, vendor, and integration pattern ready for this use case at this risk level?
P-IV
Risk Tolerance
Has the board signed off on the residual risk, and is the tolerance documented at the right level of granularity?
P-V
Governance & Accountability
Who owns the decision, and who owns the incident? Named, not implied.
P-VI
Through-the-Lifecycle Monitoring
+ Adaptability
What changes trigger a re-review? Who runs the re-review? What is the kill-switch SLA?
ETHICAL OVERLAY
HAIPECR is the ethical filter that runs across all three layers. Mapped to the UNESCO 2021 Recommendation on the Ethics of AI (10 core principles, not 9). Listed on the OECD AI Policy Observatory since April 2023.
Human oversight - Named accountability, override tested.
Accountability - mapped to UNESCO P5.
Inclusivity - an embedded prerequisite,
not a pillar. (Hence, the lowercase "i").
Ethics - Explainability, Transparency, fairness, non-discrimination.
Conduct - based on the Universal Conduct Risk Paradigm (UCRP).
Privacy - Data protection, safety, security.
Resilience - Sustainability, intergenerational rights.
UNESCO MAPPING:
H → P7 Human Oversight
A → P5 Accountability
i → P4 Multi-stakeholder Governance + P9 Awareness & Literacy
P → P3 Privacy + P2 Safety & Security (+ 2024 UNESCO Neurotech)
E → P6 Transparency & Explainability + P10 Fairness
C → P1 Proportionality / Do No Harm
R → P8 Sustainability
UNESCO MAPPING: H → P7 Human Oversight A → P5 Accountability i → P4 Multi-stakeholder Governance + P9 Awareness & Literacy P → P3 Privacy + P2 Safety & Security (+ 2024 UNESCO Neurotech) E → P6 Transparency & Explainability + P10 Fairness C → P1 Proportionality / Do No Harm R → P8 Sustainability
RESILIENCE LAYER
For risks that sit outside the operational taxonomy. Each category is a scenario rehearsal, with named owners and a pre-positioned response.
A frontier model vendor experiences a security or alignment incident compromising every system built on top. Owner: CISO + Chief AI Officer.
An agent in one part of the organisation triggers downstream errors in dependent systems. Owner: Head of AI Operations.
External actors industrialise misuse of deployed AI for fraud, impersonation, or social engineering. Owner: Fraud + CISO.
A jurisdiction reclassifies AI uses you depend on as prohibited or high-risk overnight. Owner: General Counsel + Compliance.
Public datasets you fine-tune on are intentionally poisoned, surfacing biased or unsafe outputs. Owner: Head of Data.
Loss of access to compute, model weights, or critical inference infrastructure. Owner: CTO.
Multiple deployed agents interact in ways that produce emergent behaviours none was designed for. Owner: Chief AI Officer + Risk.
Cryptographic primitives underlying AI system identity, signing, and data integrity become breakable. Migration to NIST FIPS 203 / 204 / 205. Owner: CISO + Architecture.
WHERE THIS COMES FROM
EW-AiRM™ is grounded in publicly licensed standards: the MIT AI Risk Repository (CC BY 4.0), the UNESCO 2021 Recommendation on the Ethics of AI, NIST AI RMF, ISO 31000 (general risk), ISO 42001 (AI risk management systems), and the UNECE (ECE/TRADE/486, 2024). HAIPECR was originated by Prof. Markus Krebsz and has been listed on the OECD AI Policy Observatory since April 2023.
Here's a comparsion of EW-AiRMTM with those other frameworks and the EU AI Act:
| Dimension | EW-AiRM™ | NIST AI RMF | ISO 42001 | COSO ERM | EU AI Act |
|---|---|---|---|---|---|
| UNECE-grounded | Yes (ECE/TRADE/486) | No | No | No | No |
| Primary scope | Enterprise-wide AI Risk Governance framework & approach | AI Risk Management | AI Management System | (Traditional) Enterprise Risk Management | AI Regulation |
| Target audience | Boards, Risk functions, CTOs, CISO, Risk community | US Federal & Enterprise | Any organisation | CFO, Board, ERM teams | Operators & Providers (EU) |
| Layers | Strategic, Operational, Resilience + HAiPECR | Govern, Map, Measure, Manage | Plan, Do, Check, Act | Strategy, Performance | Prohibited, High-risk, GPAI |
| Certifiable | No (Open framework) | No (Voluntary) | Yes (ISO audit) | No (Guidance) | Public, EU-wide Regulation |
| Open / free | Yes (CC BY 4.0 base) | Yes | Paid standard | Paid guidance | Public regulation |
| UNESCO-aligned | Yes (HAiPECR) | No | Partial | No | Partial (GPAI) |
The framework is the conceptual picture. The three-tier comparison shows what it looks like in deployment.
The Human-Ai.Institute is an independent Think/Do Tank convening multilateral and multi-stakeholder dialogue on AI governance. The Institute engages with the UN, UNESCO, OECD, the EU Commission, and governments worldwide.
Home of EW-AiRM™ — the open, three-layer framework for enterprise-wide AI risk management, grounded in publicly licensed standards and aligned with UNESCO, UNECE, NIST, ISO, and the EU AI Act.
Commercial consulting, training, and advisory services are provided by De-Risking Solutions Ltd. and RiskAi.Ai
AI & TECHNOLOGY SOLUTIONS
AI, Agentic tools and technology solutions are provided by Human-Ai.Solutions.
Listed on the OECD AI Policy Observatory · Founding member of the UN University AI Network · Aligned with UNESCO, UNECE WP.6, NIST, and ISO 42001
EW-AiRM™ and HAiPECRTM are trademarks of De-Risking Solutions Ltd., registered in England and Wales (Company Number 09900565). All rights reserved.
© 2026 The Human-Ai.Institute.