EW-AiRM™ · The Book

Enterprise-Wide AI Risk Management (EW-AiRM™)

Wiley Finance, 2026. A practitioner's framework for governing AI risk across the organisation, by Prof. Markus Krebsz. With forewords by Tobias Adrian, IMF, and Prof. Tshilidzi Marwala, Rector of the United Nations University.

Add me to the launch list
See the framework

INSIDE THE BOOK

Six parts.

Part 1

Part I — Setting the Stage

Why AI governance needs a new architecture, starting with what we're actually talking about.

Chapters 1 - 3

Before you can govern AI, you need to agree on what counts as AI in the first place. Part I opens with sixteen precise, working definitions, from traditional machine learning through to agentic AI, foundation models, shadow AI and device-embedded AI, so a boardroom conversation about "AI risk" is finally about the same thing for everyone in the room. It then turns an honest, unflinching eye on the frameworks you already have: exactly where COSO, ISO 31000 and the standard ERM toolkit hold up against AI risk, and exactly where they don't. Part I closes by laying out the EW-AiRM™ architecture itself, three layers, six pillars, one ethical filter, as the blueprint everything that follows is built from.

Part 2

Part II — The Strategic Layer: Getting the Foundations Right

The six pillars that decide whether an AI deployment should happen at all, and whether you're ready for it.

Chapters 4 - 9

The largest part of the book, and the one most organisations skip. Six chapters, one pillar each: whether a deployment is genuinely necessary, whether the organisation is actually ready to govern it (including a full AI literacy requirement by role, and a governance culture maturity model), whether the data and technology stack can support it (with dedicated coverage of quantum resilience in your AI cryptographic stack, years before most risk functions are thinking about it), how risk appetite and prioritisation actually get decided, and how accountability holds up under pressure, including a named table of Governance Theatre Warning Signs for spotting the difference between governance that looks right and governance that works. It closes with the KXI methodology for monitoring an AI system through its entire lifecycle, not just at deployment.

Part 3

Part III — The Ethical Filter: HAiPECR

Seven dimensions, one continuous overlay, mapped directly to UNESCO's own principles

Chapter 10

The chapter that turns "ethical AI" from an aspiration into something you can actually assess. Each of HAiPECR's seven dimensions, Human oversight, Accountability, inclusivity, Privacy, Ethics, Conduct risk and Rights, gets its own cross-layer assessment table, mapped explicitly to UNESCO's 2021 Recommendation on the Ethics of Artificial Intelligence and the wider regulatory doctrine behind it. This is the shortest part in the book and the one doing the most structural work: HAiPECR doesn't sit beside the three layers, it runs through all of them, and this is where you see exactly how.

Part 4

Part IV — The Operational Layer: From Identification to Response

Where risk becomes evidence, and evidence becomes a working control library.

Chapters 11 - 13 

The engine room. Chapter 11 works through the MIT AI Risk Repository's seven domains and twenty-four subdomains one by one, each with its own risk profile and EW-AiRM™ governance augmentation. Chapter 12 builds the enhanced control framework across four quadrants, including a fully worked example (hallucination risk, taken step by step through the four-step control-to-risk mapping methodology) so the method is demonstrated, not just described. Chapter 13 is where the framework meets the calendar: the five non-negotiable requirements with their specific failure modes, the three-tier implementation model from SME to enterprise, a five-stage roadmap (Assess, Enhance, Build, Implement, Sustain), and six named implementation pitfalls with how to prevent each one before it costs you.

Part 5

Part V — The Resilience Layer: AI Black Swans and Adaptive Governance

The risks nobody can fully anticipate, and exactly what to do on the day one materialises.

Chapter 14

The most dramatic chapter in the book, and the most operational. Eight categories of AI Black Swan, from emergent capability and systemic foundation-model concentration through to multi-agent emergence and the coming quantum cryptographic transition, each with its own governance response, not just a description of the danger. A full multi-agent containment architecture. A complete incident classification taxonomy with severity tiers, regulatory notification obligations and a Severity 1 critical incident response protocol you could hand to a crisis team on the worst day of the year. It closes with the post-incident learning cycle, because resilience isn't just surviving the black swan, it's institutionalising what you learned from it.

Part 6

Part VI — The EW-AiRM™ Road Ahead

How the framework keeps itself current, and where AI regulation is heading next

Chapter 15

The book's closing argument, and its safeguard against its own obsolescence. A jurisdiction-by-jurisdiction map of the global regulatory landscape, and the business case for early compliance as competitive advantage rather than cost. Then the part that sets EW-AiRM™ apart from a framework frozen at publication: the Taxonomy Governance Protocol, the mechanism that keeps the framework's evidence base current as the field moves, plus a ranked hierarchy of four alternative sources should the MIT AI Risk Repository itself ever become unavailable. This is the chapter that answers the question every serious reader eventually asks: what happens to this framework in three years?

ABOUT THE AUTHOR

Prof. Markus Krebsz

Board portfolio executive, AI governance practitioner, and author. Founder of De-Risking Solutions Ltd and the Human-Ai.Institute. Independent Non-Executive Director on the Supervisory Council of Revolut Bank UAB since 2017. Honorary Professor at the University of Stirling. Clinical Professor of Practice at Woxsen University. Author of UNECE ECE/TRADE/486 (Common Regulatory Arrangement, 2024). Member of the EU AI Office DG CNECT Expert Group, GPAI Code of Practice plenary participant, UNESCO I4T Network founding member, ForHumanity Certified Auditor. HAIPECR has been listed on the OECD AI Policy Observatory since April 2023.

Full bio →

Get The Launch Announcement.

One email when the book is published. Optionally, the quarterly framework update. No other use of your address.

Form Submitted. We'll get back to you soon!

Oops! Some Error Occurred.