AI governance and compliance — AIF-C01
Master AI governance and compliance for AWS AIF-C01 (D5/T5.2): definitions, key distinctions, AWS compliance services, and the governance-vs-security trap.
WHAT IT IS
AI governance and compliance is the set of processes, policies, and oversight structures that determine who can take what action, upon what data, using what methods, and in what situations — applied specifically to AI systems — so that those systems operate in accordance with regulatory standards and organizational accountability requirements.
AWS describes the governance dimension of responsible AI as "incorporating best practices into the AI supply chain." Compliance, in the context of AI systems, refers to demonstrating that those best practices align with external regulatory standards such as ISO and SOC frameworks, as well as emerging algorithm accountability requirements.
Mental model
Think of governance as the rulebook and compliance as the audit trail that proves you followed it.
Governance answers: "Who decides what this AI system can do, and how are those decisions recorded and reviewed?"
Compliance answers: "Can we demonstrate, to an external standard or regulator, that those decisions were actually followed?"
The two are inseparable in practice — governance without compliance evidence is unverifiable, and compliance without governance structures has nothing to verify against.
When to use it
Candidates often conflate AI governance with data governance, or mistake compliance tools for security tools. The table below draws the boundaries the exam tests.
| Dimension | AI Governance | Data Governance |
|---|---|---|
| Primary concern | Oversight of AI system behavior, outputs, and decision accountability | Processes and policies that ensure data is in the proper condition to support business initiatives |
| Scope | The full AI supply chain — design, development, operation | Who can take what action upon what data, using what methods, in what situations |
| Regulatory hook | Algorithm accountability laws, ISO standards, SOC controls for AI | Data residency, retention, access control, data lifecycle policies |
| Example AWS tools | AWS Audit Manager, AWS Artifact, AWS CloudTrail, AWS Config | AWS Lake Formation, AWS Glue (including AWS Glue Data Quality) |
| Governance structure focus | Review cadence, transparency standards, team training, governance frameworks (e.g., Generative AI Security Scoping Matrix) | Centralized, federated, or self-serve data ownership models |
Both are in scope for Domain 5. The exam may present a scenario and ask you to select the correct category of response — knowing which layer is being tested matters.
COMMON MISCONCEPTION
Governance is not the same as security, and compliance is not achieved by encryption alone.
A common misconception is that securing an AI system (encrypting data, setting IAM policies, blocking unauthorized access) is equivalent to governing it. Security controls protect data from unauthorized access. Governance controls ensure that authorized use of that data within an AI system is itself accountable, documented, and auditable.
AWS describes privacy and security as one responsible AI dimension ("appropriately obtaining, using, and protecting data") and governance as a separate dimension ("incorporating best practices into the AI supply chain"). These are distinct concerns.
Similarly, candidates sometimes assume that passing a SOC or ISO audit for a cloud environment automatically extends to the AI systems running in that environment. It does not. The SOC and ISO reports available through AWS Artifact attest to AWS's side of the shared responsibility model, not to the customer's workloads. AI systems introduce distinct governance requirements, including transparency standards, algorithm accountability, and review processes, that go beyond infrastructure compliance.
The exam may surface this distinction by pairing a security-oriented answer (encryption, IAM) against a governance-oriented answer (audit trails, policy review cadence, AI Service Cards) for a scenario that is explicitly about accountability or regulatory reporting.
How it shows up on the exam
Task Statement 5.2 asks candidates to recognize governance and compliance regulations, not to implement them. (The exam guide lists developing governance frameworks and policies, and implementing security and compliance protocols, as out of scope for the target candidate.)
The cognitive target is identification and classification: given a scenario, can you identify which regulatory standard applies (ISO, SOC, algorithm accountability), which AWS service assists with that compliance need, or which data governance strategy addresses the described requirement?
Signal phrases in scenarios that point toward governance and compliance content include references to: audit, regulatory, accountability, transparency standards, review cadence, data residency, data retention, logging, monitoring, observation, team training requirements, or governance frameworks.
Candidates often get tripped up when a scenario describes an AI system that is technically secure but organizationally ungoverned — and then asks what is missing. The answer in that context points toward governance structures (policies, review processes, transparency documentation), not additional security controls.
AWS transparency tooling such as AI Service Cards — which provide standardized documentation on intended use cases, limitations, design choices, and performance metrics — represents the governance layer, not the security layer. Recognizing that distinction is the kind of judgment this task statement exercises.
Related concepts
Sources
Every claim on this page traces to the public exam blueprint and official documentation: