AI Governance and Risk: An 8-Week Cybersecurity Course

What this cybersecurity course is

AI Governance and Risk is an 8-week cybersecurity course for compliance, risk, and governance professionals expanding into AI governance. The curriculum sequences eight weekly modules across the AI governance lifecycle: governance foundations (frameworks landscape, why AI governance is its own discipline), the EU AI Act (provisions, prohibited uses, high-risk system requirements, foundation model rules), the NIST AI Risk Management Framework (Govern, Map, Measure, Manage and the NIST AI 600-1 generative AI profile), ISO/IEC 42001 (AI management standard, certification path, audit), AI audit methodology (planning, evidence gathering, reporting, remediation), AI risk frameworks at organizational scale, organizational AI governance design (RACI, escalation paths, exception handling), and a capstone in which the learner documents a complete AI governance program for a hypothetical organization. Every module pairs primary-source standards with a practical artifact a working governance team can use. Cybersecurity is the connective tissue: AI governance in 2026 sits inside the cybersecurity organization at most enterprises because AI risk is a security risk. Authored by Julian Calvo, Ed.D., M.S. Applied AI specializing in Cybersecurity at Northeastern.

The course follows the AI governance lifecycle from foundations through program design rather than the chapter order of a generalist GRC text. Week 1 grounds the learner in why AI governance is its own discipline. Weeks 2 through 4 walk the three anchor frameworks every AI governance professional has to know: the EU AI Act, NIST AI RMF, and ISO/IEC 42001. Weeks 5 and 6 develop the audit and risk practice that makes the frameworks operational. Week 7 designs the organizational structure that runs the program. Week 8 integrates the work into a complete AI governance program. Pedagogically the design draws on Kolb's experiential learning cycle (1984) and on cybersecurity audit practice from ISACA. Evidence quality is opinionated: every claim about a framework is anchored to the official publishing body. IAPP AIGP and ISACA AAIA study materials inform the practitioner sections without reproducing copyrighted content.

What you will learn

• Define AI governance as a discipline and place it correctly inside or alongside the cybersecurity organization
• Classify any AI system into the four EU AI Act risk tiers and identify the cascading obligations
• Walk the NIST AI Risk Management Framework Govern, Map, Measure, Manage functions and the seven trustworthy AI characteristics
• Apply NIST AI 600-1 generative AI risks to a working AI portfolio
• Walk ISO/IEC 42001 Clauses 4 through 10, Annex A controls, and the certification path
• Plan and execute an AI audit that produces actionable findings and a remediation plan
• Build an AI risk register at organizational scale with NIST AI 600-1 categories and ISO 31000 treatment options
• Design a working AI governance program: RACI, escalation, exception handling, intake, metrics
• Map an AI program to the IAPP AIGP and ISACA AAIA bodies of knowledge for credentialing readiness
• Author a complete AI governance program for a hypothetical organization as a portfolio capstone

8-week curriculum

1. Week 01 · 6h · 5 topics

   AI Governance Foundations

   What AI governance is, why it has emerged as its own discipline alongside cybersecurity GRC and privacy, and the framework landscape every AI governance professional has to know. Sets the vocabulary the rest of the course returns to.

   Learning objectives and topics

   Learning objectives.

   • Define AI governance as a discipline and distinguish it from AI safety research and from generic technology governance
   • Map the AI governance framework landscape (EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD AI Principles, US AI executive orders, state laws)
   • Identify why AI governance sits inside or alongside the cybersecurity organization at most enterprises
   • Author a one-page foundations document the course returns to in every later week

   Topics.

   • What AI governance is and why it has its own discipline
   • The AI governance framework landscape
   • Why AI governance sits in or alongside the cybersecurity organization
   • Authoring the AI governance foundations document
   • How the AIGP and AAIA credentials map to the course

   Assessment: 5 questions · 360 minutes total

2. Week 02 · 6h · 5 topics

   The EU AI Act in Detail

   The EU AI Act is the binding regulation that sets the legal floor for AI systems placed on the EU market. This module walks the risk-tier classification, the prohibited uses, the high-risk system obligations, and the foundation model rules.

   Learning objectives and topics

   Learning objectives.

   • Classify an AI system into the four EU AI Act risk tiers (prohibited, high-risk, limited-risk, minimal-risk)
   • Identify the eight prohibited AI practices in Article 5
   • Map the high-risk AI system obligations across Articles 9 through 15
   • Identify the foundation model and general-purpose AI obligations
   • Author a one-page risk classification memo for a hypothetical AI system

   Topics.

   • EU AI Act structure and the risk tier model
   • Prohibited AI practices in Article 5
   • High-risk AI system obligations across Articles 9 through 15
   • Foundation model and general-purpose AI obligations
   • Authoring a risk classification memo

   Assessment: 5 questions · 360 minutes total

3. Week 03 · 6h · 5 topics

   NIST AI Risk Management Framework in Detail

   NIST AI 100-1 is the voluntary US framework that federal agencies and many enterprises use as the operational backbone of an AI risk function. This module walks the four functions (Govern, Map, Measure, Manage) and the NIST AI 600-1 generative AI profile.

   Learning objectives and topics

   Learning objectives.

   • Walk the four NIST AI RMF functions (Govern, Map, Measure, Manage) and their categories and subcategories
   • Apply the seven trustworthy AI characteristics (validity, safety, security, accountability, explainability, privacy, fairness) as a working checklist
   • Apply the NIST AI 600-1 generative AI profile to a hypothetical generative AI system
   • Map NIST AI RMF subcategories to the EU AI Act articles covered in week 2
   • Author a one-page NIST AI RMF subcategory crosswalk for a hypothetical AI system

   Topics.

   • NIST AI RMF structure: Govern, Map, Measure, Manage
   • The seven trustworthy AI characteristics
   • NIST AI 600-1: the generative AI profile
   • NIST AI RMF and EU AI Act crosswalks
   • Authoring a NIST AI RMF subcategory crosswalk

   Assessment: 5 questions · 360 minutes total

4. Week 04 · 6h · 5 topics

   ISO/IEC 42001 AI Management System

   ISO/IEC 42001 is the AI management system standard published in 2023. It defines the policies, processes, roles, and continuous improvement an organization needs to operate AI responsibly, with a certification path. This module walks the structure, the certification process, and the audit expectations.

   Learning objectives and topics

   Learning objectives.

   • Walk the ISO/IEC 42001 structure (Clauses 4 through 10) and Annex A controls
   • Compare ISO/IEC 42001 to ISO/IEC 27001 and identify the AI-specific additions
   • Walk the ISO/IEC 42001 certification path and the typical audit cadence
   • Identify the relationship between ISO/IEC 42001 and the broader ISO 23894 risk management standard and ISO/IEC 5338 lifecycle
   • Author a one-page ISO/IEC 42001 control crosswalk for a hypothetical AI system

   Topics.

   • ISO/IEC 42001 structure: Clauses 4 through 10 and Annex A
   • ISO/IEC 42001 versus ISO/IEC 27001
   • ISO/IEC 42001 certification path and audit cadence
   • ISO 23894 and ISO/IEC 5338 in the AI standards stack
   • Authoring an ISO/IEC 42001 control crosswalk

   Assessment: 5 questions · 360 minutes total

5. Week 05 · 6h · 5 topics

   AI Audit Methodology

   AI audit work applies internal audit methodology to AI systems. The module walks audit planning, evidence gathering, reporting, and remediation tracking, and covers the ISACA Advanced in AI Audit (AAIA) practice areas at a working level.

   Learning objectives and topics

   Learning objectives.

   • Plan an AI audit (scope, objectives, criteria, evidence requirements)
   • Gather evidence for AI controls (data lineage, model cards, evaluation results, logging)
   • Identify the technical concepts an auditor needs without an engineering background
   • Write an AI audit report and a remediation plan a control owner will act on
   • Author a one-page audit plan for a hypothetical AI system

   Topics.

   • AI audit planning: scope, objectives, criteria, evidence
   • Evidence gathering for AI controls
   • Technical concepts the auditor needs without an engineering background
   • AI audit reporting and remediation
   • Authoring an audit plan

   Assessment: 5 questions · 360 minutes total

6. Week 06 · 6h · 5 topics

   AI Risk Frameworks at Organizational Scale

   AI risk identification, scoring, treatment, and monitoring at organizational scale. The module integrates ISO 23894 risk technique with the NIST AI RMF Map and Manage functions and operationalizes them as a risk register a working program can run.

   Learning objectives and topics

   Learning objectives.

   • Identify AI risks across the lifecycle (training, deployment, operation, retirement)
   • Score AI risks using a likelihood-impact matrix tuned for AI considerations
   • Apply the four risk treatment options (avoid, transfer, mitigate, accept) to AI risks
   • Design AI risk monitoring (drift, abuse, incident, regulatory change)
   • Author a one-page AI risk register for a hypothetical AI system

   Topics.

   • AI risk identification across the lifecycle
   • Scoring AI risk: likelihood and impact tuned for AI
   • Risk treatment: avoid, transfer, mitigate, accept
   • AI risk monitoring: drift, abuse, incident, regulatory change
   • Authoring an AI risk register

   Assessment: 5 questions · 360 minutes total

7. Week 07 · 6h · 5 topics

   Organizational AI Governance Design

   An AI governance program needs an organizational structure that runs it. This module covers RACI, escalation paths, exception handling, intake processes, and the named roles a working AI governance program assigns.

   Learning objectives and topics

   Learning objectives.

   • Design a RACI for AI governance covering policy, classification, audit, risk, exceptions
   • Design an escalation path from analyst to executive to board
   • Design an exception handling process with documented residual risk and accountability
   • Design an intake process for new AI use cases that triggers the right governance steps
   • Author a one-page AI governance program org chart and process map

   Topics.

   • RACI for AI governance
   • Escalation paths from analyst to board
   • Exception handling and documented residual risk
   • Intake process for new AI use cases
   • Authoring the AI governance program org chart and process map

   Assessment: 5 questions · 360 minutes total

8. Week 08 · 6h · 5 topics

   Capstone: A Complete AI Governance Program

   Synthesize the seven weekly artifacts (foundations document, EU AI Act risk classification, NIST AI RMF subcategory crosswalk, ISO/IEC 42001 control crosswalk, audit plan, AI risk register, org chart and process map) into a complete AI governance program for a hypothetical organization.

   Learning objectives and topics

   Learning objectives.

   • Integrate the seven weekly artifacts into a single AI governance program document
   • Author the program charter, policy, and procedure layer
   • Document the audit, risk, and exception handling cycle
   • Document the metrics the program reports to leadership and the board
   • Submit the capstone for self-review against the published rubric

   Topics.

   • Capstone scoping: the hypothetical organization
   • Program charter, policy, and procedure layer
   • Audit, risk, and exception handling cycle
   • Program metrics for leadership and the board
   • Capstone submission and self-review

   Assessment: 5 questions · 360 minutes total

Capstone

Author a complete AI governance program for a hypothetical organization that an auditor or regulator could review without follow-up questions

The capstone integrates the seven prior weekly artifacts (foundations document, EU AI Act risk classification, NIST AI RMF subcategory crosswalk, ISO/IEC 42001 control crosswalk, audit plan, AI risk register, org chart and process map) into a single 25 to 40 page AI governance program document. The program covers the charter, the policy and procedure layer, the audit and risk and exception cycle, and the metrics the program reports to leadership and the board. The capstone is graded against three named failure modes: framework gap, operational gap, accountability gap. A passing capstone earns the DecipherU AI Governance and Risk certificate of completion.

Who it is for

• Compliance and risk professionals expanding into AI governance at enterprises shipping AI features
• Privacy professionals (CIPP, CIPM, CIPT) adding AI governance to their practice
• Internal auditors preparing for AI audit work or for the ISACA AAIA
• GRC analysts and managers building AI governance programs at AI-native or AI-adopting organizations
• Cybersecurity GRC professionals whose programs now include AI risk
• Legal and policy professionals advising on the EU AI Act, US AI executive orders, or state AI laws
• Compliance professionals targeting the IAPP Artificial Intelligence Governance Professional (AIGP) credential

Who it is not for

• Total beginners with no compliance, risk, audit, or privacy experience. Build foundational GRC skills first.
• AI engineers wanting to learn the technical side of AI security. The course is governance and program work, not engineering. Engineers should look at AI Security Engineering.
• Buyers seeking IAPP AIGP or ISACA AAIA proctored exam content. The course is portfolio-driven and aligns with the bodies of knowledge but does not reproduce exam material.
• Professionals expecting a single proctored exam at the end. The course awards a certificate of completion based on capstone submission, not a third-party exam.

Prerequisites

• At least 2 years of compliance, risk, audit, privacy, or GRC experience
• Working familiarity with at least one major framework (NIST CSF, ISO 27001, SOC 2, GDPR, or HIPAA)
• Basic LLM literacy as a user (no engineering required)
• Comfort reading regulatory and standards text such as the GDPR or NIST publications
• Willingness to commit roughly 50 hours of focused study and artifact production across 8 weeks

What you get

• 50 hours of original cybersecurity AI governance curriculum across 8 weekly modules
• Seven portfolio-grade artifacts produced across the 8 weeks (foundations document, EU AI Act risk classification, NIST AI RMF subcategory crosswalk, ISO/IEC 42001 control crosswalk, audit plan, AI risk register, org chart and process map)
• Certificate of completion issued for learners who finish all 8 weekly assessments and submit a capstone that scores at least 4 of 5 across the three named failure modes. The certificate is a digital credential with a verifiable URL listing the curriculum and the assessment outcomes.
• Lifetime access to course updates as the EU AI Act, NIST AI RMF, and ISO/IEC 42001 evolve
• DecipherU community access (Defender tier and above) for peer review of the capstone and post-course Q&A

Author

Frequently asked questions

Who is this cybersecurity AI governance and risk course for?

Compliance, risk, audit, and privacy professionals expanding into AI governance. Privacy professionals (CIPP, CIPM, CIPT) adding AI governance to their practice. GRC analysts and managers building AI governance programs. Cybersecurity GRC professionals whose programs now include AI risk. Compliance professionals targeting the IAPP AIGP or ISACA AAIA credentials. The course assumes 2-plus years of compliance, risk, audit, privacy, or GRC experience.

What primary sources does this AI governance course cite?

NIST AI Risk Management Framework (AI 100-1), NIST Generative AI Profile (AI 600-1), the EU AI Act consolidated text (Regulation 2024/1689), ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 5338, ISO 31000, IAPP AIGP body of knowledge, ISACA AAIA body of knowledge, and CISA AI deployment guidance. Every framework claim is anchored to the official publishing body.

How long does the AI governance and risk course take to complete?

Roughly 50 hours of focused study and artifact production across 8 weekly modules. Most learners complete it in 8 to 12 weeks at 5 to 7 hours per week. Self-paced. The capstone is a complete AI governance program the learner can show to a hiring panel or use as a working document for an actual AI governance program kickoff.

Will the course prepare me for the IAPP AIGP or the ISACA AAIA?

It is not a proctored exam prep course. The curriculum aligns with the work products both credentials emphasize: framework knowledge (EU AI Act, NIST AI RMF, ISO/IEC 42001), audit methodology, risk management, and program design. Pair this course with the official IAPP AIGP body of knowledge or ISACA AAIA review materials for the proctored exam content the credential bodies own. The capstone is the kind of artifact both credentials expect a candidate to produce.

How does the course connect AI governance to cybersecurity?

Most enterprises in 2026 place AI governance inside the cybersecurity organization or report it through the CISO. AI risk is in part a security risk: prompt injection is injection, data poisoning is supply chain, model extraction is data exfiltration. The course teaches the AI-specific extensions on top of a cybersecurity GRC foundation rather than as a separate program, which is how working enterprises actually structure the function.

What is the capstone deliverable for the AI governance course?

A complete AI governance program for a hypothetical organization. The 25 to 40 page document integrates the prior weekly artifacts: foundations document, EU AI Act risk classification, NIST AI RMF subcategory crosswalk, ISO/IEC 42001 control crosswalk, audit plan, AI risk register, org chart and process map. The capstone is graded against three named failure modes: framework gap, operational gap, accountability gap.

Related cybersecurity content

• Cybersecurity for AI convergence area overview
• AI Security Engineering ($597, 12 weeks): the engineering counterpart to this governance course
• AI Sales and Solutions Engineering ($497, 12 weeks): the go-to-market counterpart for sellers
• All Cybersecurity for AI career paths
• AI for Cybersecurity convergence area (the inverse direction)