AI Governance Framework: Building Your Compliance Program

AI governance is no longer a discretionary policy layer that sits in a binder on a shelf. It is core enterprise infrastructure — as foundational as cybersecurity frameworks or financial controls. The regulatory landscape has made that unmistakably clear. The EU AI Act (Regulation 2024/1689) imposes binding obligations with fines up to EUR 35 million or 7 % of global turnover. The NIST AI Risk Management Framework provides the United States' most authoritative guidance on identifying, assessing, and mitigating AI risk. ISO/IEC 42001 offers a certifiable management-system standard purpose-built for AI. And the OECD AI Principles continue to shape soft-law expectations across 46 countries.

These frameworks are converging. Organisations that treat each one as a separate compliance exercise — building parallel checklists, spreadsheets, and working groups — will drown in overhead. The organisations that thrive will be those that build a single, unified AI governance framework and map each regulatory requirement into it. This guide shows you how to do exactly that: design the structure, define the roles, write the policies, tier your risk, report to the board, and keep the programme running as AI itself evolves.

• Governance ≠ compliance. Governance is the strategic infrastructure — policies, oversight bodies, culture — that enables compliance as an outcome.
• Build on three pillars: risk management, accountability, and transparency.
• Align your programme to the EU AI Act, NIST AI RMF, ISO 42001, and OECD AI Principles simultaneously; they overlap more than they diverge.
• Define a governance structure with clear roles: AI compliance officer, DPO coordination, CISO integration, and board-level oversight.
• Create an AI policy framework covering acceptable use, risk management, data governance, and incident response.
• Implement AI risk tiering that maps internal categories to the AI Act's risk levels.
• Maintain a living AI inventory — you cannot govern what you do not know exists.
• Report to the board with concrete KPIs: system counts by risk tier, compliance status, incidents, audit findings, training completion.
• Apply special governance controls for generative and agentic AI systems.
• Start with your current maturity level — lightweight governance for a three-person startup is still governance.

What AI governance means beyond compliance

The terms "governance" and "compliance" are routinely used interchangeably. That conflation is dangerous because it leads teams to optimise for checkbox-passing rather than decision-quality.

AI governance is the overarching system of principles, policies, processes, organisational structures, and cultural norms that direct, control, and continuously improve how an organisation builds, procures, deploys, and retires AI systems. Governance answers strategic questions: Which AI use cases align with our risk appetite? Who has authority to approve a new model deployment? What happens when a system produces an unfair outcome?

AI compliance is the specific activity of meeting defined legal or regulatory requirements — filing a conformity assessment under Article 43, maintaining technical documentation per Article 11, or logging deployer actions under Article 26. Compliance is an output of governance, not a substitute for it.

Why does this distinction matter practically? Because compliance without governance is fragile. If your only driver is "pass the audit," you will do the minimum. When the regulation changes — as the AI Act's implementing acts will through 2027 — your compliance posture breaks. Governance gives you the adaptive capacity to absorb regulatory change, integrate new AI use cases, and scale your programme as the organisation grows.

The strongest AI governance frameworks share four characteristics:

1. Executive sponsorship. The board or C-suite visibly owns the AI governance mandate.
2. Cross-functional reach. Legal, engineering, product, data science, risk, and business units all have defined governance responsibilities.
3. Lifecycle coverage. Governance applies from ideation through development, deployment, monitoring, and decommissioning.
4. Feedback loops. Audit findings, incident reports, and stakeholder input feed back into policy updates and risk reassessments.

If your current programme lacks any of these, the sections below will help you close the gap. For a practical starting checklist, see our EU AI Act compliance checklist for 2026.

The three pillars of AI governance

Every AI governance framework — whether framed by regulators, standards bodies, or internal policy teams — rests on three pillars. The terminology varies, but the substance is consistent.

Risk management

Risk management is the systematic, iterative process of identifying, assessing, mitigating, and monitoring risks associated with AI systems. It is the engine room of governance.

The EU AI Act enshrines this in Article 9, which requires providers of high-risk AI systems to establish and maintain a risk management system that operates throughout the AI system's entire lifecycle. NIST's AI RMF structures risk management into four functions — Map, Measure, Manage, Govern — each with subcategories and suggested actions. ISO 42001 requires organisations to conduct an AI risk assessment (Clause 6.1) and maintain a risk treatment plan.

Effective AI risk management goes beyond traditional enterprise risk. AI-specific risks include:

• Performance degradation from data drift or concept drift.
• Bias and fairness failures that violate fundamental rights (see our guide on AI bias testing and fairness under the AI Act).
• Security vulnerabilities such as adversarial attacks, model extraction, and data poisoning.
• Transparency failures where decisions cannot be explained to affected individuals.
• Dependency risks when models rely on third-party APIs or open-source components that change without notice.

Your risk management system should document each risk, assign a likelihood and severity score, define mitigations, and specify review cadences. The AI Act explicitly requires that residual risk be reduced to an acceptable level — a judgment that must be documented and defensible.

Accountability

Accountability answers the question: When something goes wrong — or when a decision must be made — who is responsible?

The AI Act distributes accountability across the value chain. Providers (Article 16) bear the primary burden for high-risk systems: conformity assessment, quality management, post-market monitoring, and incident reporting. Deployers (Article 26) must use systems according to instructions, assign human oversight, and — for public-sector and certain private-sector use cases — conduct fundamental rights impact assessments (FRIA). For a detailed breakdown of these obligations, see our guide on provider vs deployer obligations.

Inside the organisation, accountability means:

• Named individuals responsible for each high-risk AI system.
• Escalation paths for risk events, incidents, and ethical concerns.
• Decision authority matrices that specify who can approve deployment, modification, or retirement of an AI system.
• Documented sign-offs at key lifecycle gates (design review, pre-deployment testing, production release).

Without accountability, governance is aspirational. With it, governance becomes operational.

Transparency

Transparency is the pillar that connects governance to stakeholders — regulators, affected persons, customers, employees, and the public.

The AI Act's transparency obligations span multiple articles. Article 13 requires that high-risk AI systems be designed to enable interpretation of their outputs. Article 50 mandates that certain AI-generated content (including deepfakes) be labelled. Article 86 gives affected persons the right to an explanation of individual decisions.

Beyond regulatory mandates, transparency includes:

• Internal documentation — model cards, data sheets, decision logs — that gives your own teams the information they need to monitor and improve systems.
• Audit trails that allow internal and external auditors to verify compliance (Article 12 on automatic logging).
• Stakeholder communication — clear, plain-language explanations for customers, employees, and the public about how AI is used and how their rights are protected.

Transparency is also the foundation of trust. Organisations that proactively disclose how they govern AI — publishing governance policies, sharing audit summaries, participating in industry codes of conduct (Article 95) — build competitive advantage in markets where trust is scarce.

Aligning with major frameworks

One of the most common mistakes organisations make is treating each AI framework as a standalone compliance project. In practice, the four major frameworks overlap substantially. A well-designed governance programme can satisfy them simultaneously.

How they complement each other

The EU AI Act provides the binding "what" — specific obligations, timelines, and enforcement mechanisms. But it does not prescribe exactly how to build your internal management system. That is where the voluntary frameworks fill the gap.

NIST AI RMF offers the most detailed operational guidance for risk management. Its Map function helps you contextualise your AI use cases. Measure provides methodologies for quantifying risk. Manage defines risk treatment actions. Govern — the overarching function — addresses organisational culture, policies, and accountability structures. If you are building a risk management system to satisfy Article 9, NIST gives you the playbook.

ISO/IEC 42001 provides the management-system backbone. Its Plan-Do-Check-Act (PDCA) structure ensures continuous improvement. Achieving ISO 42001 certification demonstrates to regulators, customers, and partners that your governance programme meets an internationally recognised standard. It also aligns closely with ISO 27001 (information security) and ISO 27701 (privacy), enabling integrated management systems.

The OECD AI Principles — transparency, explainability, robustness, accountability, and human-centredness — provide the ethical north star. They do not create legal obligations, but they shape regulatory expectations globally and inform the AI Act's own recitals.

Practical alignment strategy: Build your governance programme on ISO 42001's management-system structure. Populate the risk management component with NIST AI RMF's four-function methodology. Map every control to the AI Act's specific articles. Use the OECD principles as your policy preamble and ethical compass.

Building your governance structure

Governance roles and responsibilities

AI governance is not a one-person job, but it does need a single point of coordination. The following roles form the governance backbone:

AI Compliance Officer / AI Ethics Lead. This is the central coordinating role. Responsibilities include maintaining the AI inventory, overseeing risk assessments, coordinating conformity assessments, managing regulatory relationships, and reporting to the board. In smaller organisations, this may be a fractional or part-time role. In larger enterprises, it is a full-time position — or a team.

Data Protection Officer (DPO). GDPR and the AI Act intersect heavily. AI systems processing personal data trigger both regimes. The DPO and AI compliance officer must coordinate on data protection impact assessments (DPIAs), legal bases for processing, data subject rights (especially the right to explanation), and data governance requirements under Article 10. For a deep dive into how these two regulations interact, see our AI Act vs GDPR comparison.

Chief Information Security Officer (CISO). AI security is a distinct discipline, but it must integrate with the broader security programme. The CISO's team should own adversarial robustness testing, model access controls, inference API security, and supply chain security for AI components. The AI Act's cybersecurity requirements (Article 15) map directly to the CISO's remit.

Board-Level AI Oversight Committee. The board cannot delegate away its governance responsibility. A dedicated AI oversight committee — or a standing agenda item within an existing risk committee — ensures that AI governance receives executive attention, funding, and strategic direction. This committee reviews high-risk deployments, approves the AI risk appetite statement, and receives quarterly governance reports.

AI System Owners. Each AI system should have a named business owner responsible for its lifecycle compliance. The system owner works with engineering, data science, and legal teams to ensure that governance requirements are met at every stage.

Engineering and Data Science Leads. Technical teams are responsible for implementing governance requirements: building audit logging, running bias tests, maintaining documentation, and responding to risk findings.

AI policy framework

Policies translate governance principles into actionable rules. At minimum, your framework should include:

Acceptable Use Policy. Defines which AI use cases the organisation will and will not pursue. Prohibited uses should align with the AI Act's Article 5 prohibited practices — social scoring, real-time biometric identification (absent authorised exceptions), and manipulation techniques. The policy should also address organisation-specific red lines based on your industry, values, and risk appetite.

AI Risk Management Policy. Establishes the methodology for identifying, assessing, and treating AI risks. Specifies risk scoring criteria, acceptable residual risk thresholds, review frequencies, and escalation triggers. Should reference Article 9 requirements and NIST AI RMF functions.

Data Governance Policy for AI. Covers training data quality, bias testing, data lineage, retention, and deletion. Addresses Article 10 requirements for training, validation, and testing datasets. Must coordinate with existing GDPR data governance policies.

Incident Response Policy. Defines what constitutes an AI incident, who is notified, what timelines apply, and how root cause analysis is conducted. Must incorporate the AI Act's serious incident reporting obligations under Article 73 (72 hours to report to market surveillance authorities for high-risk systems).

Human Oversight Policy. Specifies how Article 14's human oversight requirements are implemented. Defines human-in-the-loop, human-on-the-loop, and human-in-command roles for each high-risk system. Includes training requirements for human overseers.

Model Lifecycle Policy. Governs how models are versioned, tested, deployed, monitored, updated, and retired. Includes change management procedures — when a model is retrained or updated, what governance steps must repeat?

AI risk tiering

Not all AI systems require the same governance intensity. The AI Act establishes a four-tier risk classification: unacceptable (prohibited), high-risk, limited risk (transparency obligations), and minimal risk. Your internal risk tiering should map to this regulatory structure while adding granularity.

A practical approach is an AI Governance Exposure Index that scores each system across multiple dimensions:

Sum the scores. Systems scoring 6–10 receive standard governance (annual review, basic documentation). Systems scoring 11–16 receive enhanced governance (quarterly review, full documentation, bias testing). Systems scoring 17–24 receive intensive governance (continuous monitoring, board reporting, external audit).

For help classifying your specific systems, use our free AI risk classification tool or read the high-risk classification guide.

Quality management system (Article 17)

Article 17 is one of the AI Act's most operationally demanding provisions. It requires providers of high-risk AI systems to implement a quality management system (QMS) that ensures compliance throughout the AI system's lifecycle.

The QMS is not a standalone document — it is the operational layer of your governance framework. Article 17(1) specifies that the QMS must include:

• A strategy for regulatory compliance, including conformity assessment procedures and management of modifications.
• Techniques and procedures for design, development, and testing, including examination, test, and validation procedures before, during, and after development.
• Technical specifications, including standards to be applied.
• Systems and procedures for data management, covering data collection, analysis, labelling, storage, filtration, mining, aggregation, retention, and all data operations under Article 10.
• Risk management system per Article 9.
• Post-market monitoring per Article 72.
• Procedures for serious incident reporting per Article 73.
• Communication with competent authorities, notified bodies, customers, and other stakeholders.
• Systems and procedures for record keeping of all relevant documentation and information.
• Resource management, including supply chain measures.
• An accountability framework outlining management and personnel responsibilities.

For organisations already operating under ISO 9001 or ISO 13485 (medical devices), the QMS structure will be familiar. The AI-specific additions — data management, bias testing, continuous monitoring, and explainability — are where the effort concentrates.

Practical advice: Do not build the QMS in isolation. Integrate it with your existing quality or management systems. If you are pursuing ISO 42001 certification, the QMS requirement will be largely satisfied by the management system you build for certification. Document once, map twice.

AI inventory as the governance foundation

You cannot govern what you do not know exists. The AI systems inventory is the single most important governance artefact — the master register from which all other governance activities flow.

Every AI system your organisation develops, deploys, procures, or distributes should be catalogued with:

• System name and unique identifier.
• Provider and deployer classification (are you the provider, deployer, importer, or distributor?).
• Risk classification (prohibited, high-risk, limited, minimal).
• Internal risk tier from your Governance Exposure Index.
• Business owner and technical owner.
• Data types processed (personal, special category, public).
• Deployment status (development, staging, production, retired).
• Key dates (deployment date, last risk assessment, next review).
• Compliance status (conformity assessed, documentation complete, monitoring active).

Shadow AI is the governance programme's blind spot. SaaS tools with embedded AI features — CRM lead scoring, email drafting assistants, code completion tools, HR screening plug-ins — often bypass procurement and governance processes. A thorough inventory requires department-by-department surveys and technical discovery scans.

For a step-by-step guide to building your inventory, see our detailed walkthrough: How to build an AI systems inventory for the EU AI Act.

Board-level reporting

Boards that receive vague AI governance updates — "We are making progress" — cannot exercise meaningful oversight. Effective board reporting requires structured, quantitative metrics delivered on a regular cadence (quarterly at minimum).

Recommended KPIs for board reporting

Board reporting structure

A single-page AI Governance Dashboard should accompany each board meeting. Structure it as:

1. Executive summary — three sentences on overall governance health.
2. Risk heatmap — a visual matrix showing system counts by risk tier and compliance status.
3. Key movements — new systems deployed, systems reclassified, systems retired.
4. Incidents and near-misses — summary with root causes and corrective actions.
5. Regulatory horizon — upcoming deadlines, new implementing acts, enforcement actions in the sector.
6. Resource requests — budget, headcount, or tooling needs.

The board should be asked to approve the AI risk appetite statement annually and to acknowledge the quarterly governance report. Both actions create a documented governance trail that demonstrates board-level oversight to regulators.

Governance for generative and agentic AI

The governance frameworks described above were designed primarily with predictive and decision-making AI in mind. Generative AI (large language models, image generators, code synthesisers) and agentic AI (systems that autonomously plan and execute multi-step tasks) introduce governance challenges that traditional frameworks were not built to address.

Special governance challenges

Prompt injection and jailbreaking. Generative AI systems can be manipulated through carefully crafted inputs that override their instructions. Governance must mandate input validation, output filtering, and regular red-teaming of generative systems.

Hallucination and factual accuracy. LLMs generate plausible but incorrect information. For use cases where accuracy matters — legal advice, medical information, financial reporting — governance must require grounding mechanisms, citation verification, and human review of outputs.

Autonomous action. Agentic AI systems can execute real-world actions — placing orders, sending communications, modifying records — without per-action human approval. Governance must define action boundaries, require approval workflows for high-impact actions, and maintain kill switches.

Output monitoring. Unlike traditional AI where inputs and outputs are structured, generative AI produces free-form text, code, or media. Monitoring for harmful, biased, or non-compliant outputs requires automated content filtering and sampling-based human review.

Training data provenance. Generative models are often trained on scraped web data with uncertain licensing. Governance should require training data audits and, for models trained in-house, documentation of data sources, consent, and intellectual property clearance.

Model supply chain. Most organisations use third-party foundation models (via API or fine-tuning). Governance must address model provenance, version management, and the obligations that arise when you build on top of a general-purpose AI model. See our guide on GPAI model obligations.

Recommended guardrails

• Tier generative AI use cases by risk. Internal brainstorming assistance is minimal risk. Customer-facing medical advice is high risk. Apply proportionate controls.
• Implement output monitoring at scale. Use automated classifiers to flag toxic, biased, or policy-violating outputs, with human review of flagged items.
• Require human approval for agentic systems that take actions with financial, legal, or safety consequences.
• Maintain prompt libraries and version-control system prompts so that changes are traceable and auditable.
• Conduct adversarial testing (red-teaming) before deployment and on a recurring schedule.
• Establish a generative AI acceptable use policy that addresses employee use of third-party tools (ChatGPT, Copilot, Midjourney) and organisation-hosted systems.

Real-world governance scenarios

Scenario 1: Fintech building governance around 12 AI systems

Step 1: Inventory and classify. The AI compliance officer catalogues all 12 systems. Credit scoring, AML monitoring, identity verification, and HR screening are classified as high-risk under Annex III (creditworthiness, law enforcement support, employment). Fraud detection is classified as high-risk. Chatbot support and marketing personalisation are limited risk (transparency obligations). The remaining systems are minimal risk.

Step 2: Prioritise. Five high-risk systems require full Article 9, 11, 17, and 72 compliance. These become the governance programme's immediate focus.

Step 3: Assign roles. The Head of Legal is designated AI compliance officer. The existing DPO coordinates on data governance. The CTO owns technical compliance. An AI oversight committee — CEO, CTO, Head of Legal, CISO — meets monthly.

Step 4: Build the QMS. The company maps its existing ISO 27001 controls to AI Act requirements, extending them with AI-specific procedures for bias testing (Article 10), human oversight assignments, and technical documentation.

Step 5: Implement monitoring. Each high-risk system receives a monitoring dashboard tracking performance metrics, drift indicators, and fairness metrics. The post-market monitoring plan is documented and linked to the incident response policy.

Timeline: 9 months from programme launch to audit readiness.

Scenario 2: Healthcare company aligning MDR, AI Act, and ISO 42001

The challenge: Three regulatory regimes — MDR, AI Act, and ISO 42001 (pursued for market differentiation) — impose overlapping but distinct requirements. Quality management is required by all three, but each has different documentation expectations.

The solution: Integrated management system.

The company builds a single integrated QMS that satisfies:

• MDR Annex IX (quality management system for Class IIa+ devices).
• AI Act Article 17 (QMS for high-risk AI systems).
• ISO 42001 Clause 8 (operational planning and control for AI).

Shared elements — document control, internal audits, management review, corrective and preventive actions — are written once and cross-referenced. AI-specific elements — data governance procedures, bias validation protocols, and explainability requirements — are added as annexes.

Risk management follows ISO 14971 (the medical device risk standard) extended with AI-specific hazards: dataset bias, model degradation, adversarial robustness. The risk management system simultaneously satisfies Article 9 and NIST AI RMF's Measure function.

Clinical validation doubles as the AI Act's testing and validation requirement. The company documents clinical performance data alongside AI performance metrics (AUC, sensitivity, specificity, fairness across demographic groups).

Outcome: One integrated system, three regulatory regimes satisfied, one set of auditors, one set of documentation. The company achieves ISO 42001 certification within 12 months and uses it as evidence of conformity during the AI Act's conformity assessment process.

Scenario 3: Startup implementing lightweight governance with 3 people

The approach: Minimum viable governance.

• AI inventory: A single spreadsheet listing the one AI system, its risk classification (high-risk — the tool is used in legal contexts where outputs affect contract decisions), data types (commercial contract text, no special category personal data), and the responsible person (CTO).
• Risk assessment: A one-page document identifying key risks: hallucinated clause extraction, missed critical terms, bias toward English-language contracts. Each risk has a severity score and a mitigation (human review requirement, confidence thresholds, language-specific testing).
• Policies: Three concise policies — acceptable use (one page), data governance (one page), incident response (one page). Written by the CEO with legal review from an external advisor.
• Human oversight: The product enforces a human-in-the-loop design — extracted terms are presented as suggestions, not executed actions. Users must confirm before any contract action is taken.
• Documentation: The CTO maintains a model card and a data sheet in the repository. Technical documentation follows a simplified Annex IV template.
• Board reporting: N/A at this stage. The three founders review governance status in their weekly all-hands.

Key lesson: Governance scales with the organisation. A three-person startup does not need a 50-page governance manual. It needs the right structures in place — inventory, risk assessment, policies, human oversight, documentation — even if each is lightweight. As the company grows and adds more AI systems, the governance framework grows with it.

For additional guidance tailored to early-stage companies, see our EU AI Act compliance guide for startups and SMEs.

What is an AI governance framework?

An AI governance framework is a structured system of policies, roles, processes, and controls that directs how an organisation develops, procures, deploys, and monitors AI systems. It typically includes risk management procedures, accountability structures, transparency mechanisms, and compliance mappings to applicable regulations such as the EU AI Act. Unlike a compliance checklist, a governance framework is designed to be adaptive — evolving as regulations change, new AI systems are deployed, and organisational maturity increases.

Do I need AI governance if I only use third-party AI tools?

Yes. Under the EU AI Act, deployers of high-risk AI systems have independent obligations — including human oversight, risk assessment, data logging, and in some cases fundamental rights impact assessments. Even if you did not build the AI system, you are responsible for how it is used within your organisation. Your governance framework should cover procured and third-party AI systems alongside any you develop in-house. For more detail on where your obligations sit, see provider vs deployer obligations explained.

How does ISO 42001 relate to the EU AI Act?

ISO/IEC 42001 is a voluntary, certifiable management system standard for AI. It does not replace AI Act compliance, but achieving certification demonstrates that your organisation has implemented systematic AI governance. The AI Act (Article 40) allows the use of harmonised standards as a means of demonstrating conformity. While ISO 42001 is not yet a harmonised standard under the AI Act, it provides strong evidence of governance maturity that regulators and notified bodies will consider. Building your governance programme on ISO 42001 also aligns you with ISO 27001 and ISO 27701, enabling integrated audits.

How long does it take to build an AI governance programme?

Timelines vary by organisational size, number of AI systems, and existing maturity. A startup with one AI system can establish minimum viable governance in 4–8 weeks. A mid-size company with 10–20 AI systems typically needs 6–12 months to build a comprehensive programme. A large enterprise with hundreds of AI systems may require 12–18 months, including tooling procurement, cross-functional training, and integration with existing GRC (governance, risk, and compliance) platforms. The key is to start now — the AI Act's high-risk obligations take effect on 2 August 2026, and retroactive compliance is far more expensive than proactive governance.

What tools can help automate AI governance?

AI governance platforms can automate inventory management, risk assessment workflows, documentation generation, compliance tracking, and board reporting. Key capabilities to look for include AI system cataloguing, automated risk classification aligned with the AI Act, policy template libraries, audit trail management, and integration with your existing development and deployment pipelines. See our comparison of EU AI Act compliance software tools for a detailed evaluation — or try Legalithm's free AI Act assessment to see where your organisation stands today.

How do I get executive buy-in for AI governance?

Frame governance as risk reduction and competitive advantage, not just regulatory cost. Present the board with three data points: (1) the financial exposure — fines under the AI Act are up to EUR 35 million or 7 % of global turnover; (2) the reputational risk — AI incidents are front-page news; (3) the market opportunity — customers, especially in regulated industries, increasingly require evidence of AI governance from vendors. Pair this with a phased implementation plan that shows quick wins (inventory, risk classification) within the first 8 weeks before scaling to full programme maturity.

Where to start

If this guide feels overwhelming, narrow your focus. The single highest-value first step is building your AI systems inventory. You cannot assess risk, assign accountability, write policies, or report to the board without knowing what AI systems you have. Start there.

Next, classify each system using the AI Act risk classification framework. Then prioritise: focus your governance investment on the high-risk systems that demand the most rigorous controls. Build your policies, assign your roles, and establish your review cadences. Iterate quarterly.

AI governance is not a project with a finish line. It is a continuous management discipline — one that will define which organisations lead responsibly in the AI era and which are caught unprepared when regulators, customers, or the public come asking questions.

Use Legalithm's free AI Act compliance assessment to benchmark your starting position. From there, every step forward strengthens your governance foundation.