For SMEs that need a first controlled evidence baseline: AI system inventory, gap checklist, risk register, acceptable-use baseline, and a cross-framework controls matrix across ISO/IEC 42001, NIST AI RMF, NIST GenAI Profile, and Colorado AI Act evidence prompts.
ACT-1 is a baseline evidence pack. It should not be sold as a certification shortcut, legal opinion, audit outcome, or full AI governance operating model.
Choose ACT-2 if you need policies, board reporting, vendor procedures, FRIA starter artifacts, and agentic AI / MCP governance records.
ACT-1 supports documentation work. It does not replace qualified legal counsel, auditors, certification bodies, or sector-specific regulatory advisers.
ACT-1 is delivered as editable files, not as a hosted GRC workflow, automated evidence repository, or continuous monitoring platform.
ACT-1 works only when someone owns inventory, risk, gap tracking, and evidence updates after purchase.
ACT-1 is not a generic policy bundle. It is a starter evidence pack for teams that need a controlled AI inventory, framework mapping, gap analysis, risk register, and acceptable-use baseline before moving to a full implementation package.
ACT-1 is packaged as editable baseline evidence, not a static PDF. The public preview shows the type of fields and implementation records inside the starter pack without publishing the full workbook logic.
| Preview artifact | Sample fields buyers should expect | Primary use | Upgrade signal |
|---|---|---|---|
| AI System Inventory | System name, owner, business purpose, data categories, vendor, user group, risk route, evidence gap. | Establish one controlled register of AI use cases before policy or control mapping. | Move to ACT-2 when inventory records need board, vendor, FRIA, or agentic AI evidence links. |
| AI Risk Register | Risk event, impact, likelihood, control owner, mitigation action, residual risk, review date. | Convert AI risk discussion into an owner-managed record. | Move to ACT-2 when risk records need procedure files, escalation paths, and executive reporting. |
| Control Mapping Starter | Control objective, evidence artifact, owner, status, implementation note, framework reference. | Map implementation evidence across ISO 42001, NIST AI RMF, and adjacent governance needs. | Move to ACT-2 when mapping must support policies, vendor review, and agentic AI boundaries. |
| Gap Tracker | Gap, severity, owner, target date, decision needed, blocker, evidence retained. | Turn assessment results into a manageable action backlog. | Move to ACT-2 when the gap backlog requires formal rollout sequencing and board status reporting. |
| Acceptable Use Policy Starter | Allowed uses, restricted uses, data handling rule, approval trigger, escalation route. | Create a baseline internal AI use rule set. | Move to ACT-2 when policy coverage must expand into incident response, vendor diligence, and oversight procedures. |
Decision rule: choose ACT-1 when the immediate problem is baseline evidence. Choose ACT-2 when the problem is implementation depth, policy system, board reporting, vendor review, FRIA support, or agentic AI governance.
Compare ACT-1 and ACT-2An 11-module governance controls matrix plus an AI Acceptable Use Policy template. Delivered as editable implementation workbooks and templates.
Step-by-step workflow guide, terminology key (shall/should/must), tab descriptions with hyperlinks, and FAQ.
The master crosswalk. 120–150 rows mapping all four frameworks into 10 columns with evidence requirements, priority ratings, and implementation notes.
Pre-filtered view for certification-focused teams. All Clauses 4–10 and Annex A controls, sorted by ISO clause number.
Pre-filtered view sorted by GOVERN, MAP, MEASURE, and MANAGE. All 72 subcategories with ISO and Colorado cross-references.
Every deployer and developer obligation with C.R.S. section-level statutory citations. Affirmative defense evidence mapping.
Where ISO 42001, NIST AI RMF, and Colorado AI Act diverge. Conflict descriptions with recommended reconciliation approaches.
Register for cataloguing all AI systems. Pre-configured drop-downs for deployment status, risk classification, and Colorado high-risk determination.
Domain-by-domain compliance assessment. Drop-down severity ratings with conditional formatting. Summary dashboard with gap counts and bar chart.
Structured risk register with 20+ pre-loaded AI risks. 5×5 heat map. Likelihood, impact, risk score formulas, treatment plans, and residual risk tracking.
Single-page visual scorecard. Traffic-light by control domain, overall maturity score, compliance percentage. Auto-populates from Gap Analysis. Screenshot-ready for board reporting.
Complete list of primary sources with version and date. Full legal disclaimer. Every reference in the controls matrix is traceable to a verified source document.
2-page Word template with red placeholders for organization-specific customization. Covers scope, acceptable/prohibited uses, data handling, and oversight requirements.
Four frameworks reconciled into one controls matrix. Every reference verified against primary source documents.
| Framework | Source | Coverage |
|---|---|---|
| ISO/IEC 42001:2023 | Purchased standard PDF | Every clause (4.1–10.2) and Annex A control (A.2–A.10) |
| NIST AI RMF 1.0 | NIST AI 100-1 (Jan 2023) | All 72 subcategories across GOVERN, MAP, MEASURE, MANAGE |
| NIST AI 600-1 GenAI Profile | Published profile (Jul 2024) | 200+ actions mapped to corresponding RMF subcategories |
| Colorado AI Act (SB 24-205) | Enacted text as amended by SB 25B-004 | All developer and deployer obligations with C.R.S. citations |
Cross-framework reconciliation is expensive. ACT eliminates 80–120 hours of manual mapping.
CTOs, CISOs, DPOs, and compliance leads at technology-centric SMEs (10–250 employees) who need to assess AI governance posture across multiple frameworks without enterprise-scale budgets or 6-month external implementation engagements.
AI Controls Starter is the right starting point for organizations that need to understand their obligations, identify gaps, and build a remediation roadmap — but are not yet ready for full policy formalization and implementation documentation.
Growth path. Starter → AI Controls Professional. Professional buyers who need rollout support → Implementation Sprint.
Starter is for teams that need to stop running AI governance from scattered spreadsheets. It gives you the first operating layer: AI inventory, gap checklist, cross-framework controls matrix, risk register, and management dashboard.
Cross-framework control structure for ISO 42001, NIST AI RMF, NIST GenAI Profile, and Colorado AI Act alignment.
A structured workbook for cataloguing AI systems, ownership, risk status, and governance decisions.
A practical checklist to turn scattered governance assumptions into visible remediation actions.
A starting register for recording AI-specific risks, owners, treatment decisions, and residual exposure.
A management-facing view of progress, gaps, and implementation maturity.
An editable baseline policy for acceptable and prohibited AI use, data handling, and escalation.
Move78 ACT provides editable AI governance implementation evidence for SMEs and technical teams. Pick the route closest to your role, then decide whether ACT-1, ACT-2, or an implementation sprint fits the gap.
Build a credible AI governance baseline without hiring a full GRC team.
Turn scattered AI activity into evidence registers, policy artifacts, and owner-led workflows.
Map shadow AI, vendor risk, agentic workflows, MCP exposure, and OpenClaw governance.
Reuse structured client-delivery artifacts without rebuilding cross-framework evidence packs.
See how Move78 maps source frameworks into editable artifacts, review notes, and claim boundaries.
Review invoice, bank-transfer, delivery, support, refund, and licensing expectations before purchase.
AI Controls Starter includes an 11-module governance controls matrix, framework crosswalks for ISO 42001, NIST AI RMF, NIST AI 600-1 GenAI Profile, and the Colorado AI Act, plus an AI Acceptable Use Policy Lite template.
AI Controls Starter is designed for CTOs, CISOs, DPOs, and compliance leads at technology-centric SMEs that need a cross-framework view of their current AI governance posture without enterprise-level consulting costs.
AI Controls Starter covers ISO/IEC 42001:2023, NIST AI RMF 1.0, NIST AI 600-1 GenAI Profile, and the Colorado AI Act in one reconciled controls matrix.
Yes. AI Controls Starter includes an AI Acceptable Use Policy Lite template, but it does not include the full implementation policy and procedure set included in AI Controls Professional.
AI Controls Starter is the assessment and planning layer. AI Controls Professional builds on it with expanded implementation workbooks, audit-supporting policies and procedures, board reporting, Agentic AI governance, OpenClaw coverage, MCP governance, and rollout artifacts.
Yes. AI Controls Starter includes a Colorado Safe Harbor Crosswalk with section-level statutory citations and can be used to identify deployer and developer gaps before full implementation.
The initial assessment cycle typically takes around 8 to 12 hours, depending on how many AI systems, controls, and stakeholders need to be reviewed.
After completing AI Controls Starter, the next step is usually AI Controls Professional if the buyer needs full implementation documentation, operational templates, evidence tracking, and rollout support.
ACT-1 is for teams that need baseline evidence around inventory, risk, acceptable use, gaps, and starter control mapping. Review the public sample pack and free downloads before deciding whether the starter tier is enough.
Inspect selected public fields from ACT-1 and ACT-2 without receiving the full paid workbook.
Use the free inventory, acceptable-use, and starter artifacts to confirm whether your team needs a paid evidence pack.
Source and review note: This page was last reviewed on 6 May 2026 against the current Move78 public site baseline and relevant official or authoritative sources where laws, standards, frameworks, cybersecurity controls, product scope, pricing, or support policy are discussed. It provides operational implementation guidance and product information only; it is not legal advice, tax advice, audit assurance, certification assurance, conformity-assessment advice, buyer-approval assurance, or security assurance. Validate legal, regulatory, contractual, tax, audit, and security decisions with qualified professionals.