AI TRiSM and enterprise AI governance: are your controls ready?


(@nhi-mgmt-group)

TL;DR: AI TRiSM has shifted from a Gartner framework to an operating requirement as enterprises expand AI use, regulators codify obligations, and attackers target GenAI platforms, according to WitnessAI, McKinsey, Gartner, CrowdStrike, and the EU AI Act. Legacy controls cannot reliably interpret conversational data exposure, so governance now needs intent-aware enforcement, audit trails, and accountable ownership.

NHIMG editorial — based on content published by WitnessAI: AI TRiSM is now an operating requirement for enterprises deploying AI at scale

By the numbers:

Questions worth separating out

Q: How should security teams govern employee AI use without blocking productivity?

A: Start with visibility into sanctioned and shadow AI use, then apply runtime policies that inspect intent and context rather than only keywords.

Q: Why do traditional DLP and CASB tools fall short for AI governance?

A: They were built around predictable data patterns and network flows, while AI interactions are conversational, contextual, and often initiated inside desktop apps or browser sessions.

Q: What do security teams get wrong about governing AI agents?

A: They often treat agents like another automation layer instead of governed non-human actors with their own access paths.

Practitioner guidance

  • Build a cross-functional AI governance owner model: assign a single accountable executive and include security, legal, compliance, HR, and business leadership in the operating committee.
  • Inventory sanctioned and shadow AI usage: map every AI app, model, agent, and conversation path across employee workflows so that policy decisions are based on actual usage, not assumed adoption.
  • Extend identity governance to AI agents: treat agents as governed non-human actors with attribution, least privilege, and audit logging.

What's in the full article

WitnessAI's full article covers the operational detail this post intentionally leaves for the source:

  • A phased 12-to-18-month rollout plan for moving from governance foundations to agent coverage and continuous oversight
  • The vendor's practical examples of intent-based policy enforcement, including redaction, warnings, blocking, and routing
  • Operational guidance on how WitnessAI classifies AI interactions across desktop apps, IDEs, browser sessions, and agent connections
  • Specific statements about how the platform logs interactions and supports audit evidence for compliance teams

👉 Read WitnessAI's analysis of AI TRiSM for enterprise AI governance →
