Governance is the part of the eval program a CTO has to defend to a board, a customer's procurement team, and (in two jurisdictions and counting) a regulator. The seven pages here cover the documents you are likely to be measured against: the EU AI Act, the NIST AI Risk Management Framework, the public scaling policies from Anthropic and OpenAI, and the internal artifacts (risk register, trust pages, board readouts) that translate the standards into what your engineers actually do on Mondays.
The opinionated frame: most regulation does not tell you how to evaluate; it tells you what you have to produce evidence for. Your eval program is the evidence machine. The cheatsheet pages collect the deadlines and obligations in tables so you can pin them above your desk. The artifact pages give you templates that practitioners have used in front of auditors and customers without having to redraft them from scratch.
Chapters:
- EU AI Act cheatsheet. The application timeline (GPAI obligations apply from Aug 2, 2025; full application from Aug 2, 2026), the GPAI vs high-risk split, and the eval obligations under each.
- NIST AI RMF mapped to eval activities. Govern, Map, Measure, Manage as a cross-walk to the eval artifacts you already have or need to build.
- Anthropic Responsible Scaling Policy. The capability-threshold logic, the AI Safety Level scheme, and what to copy from it.
- OpenAI Preparedness Framework. The tracked categories, the production-readiness gates, and how it differs from Anthropic's RSP.
- Building an AI risk register. Columns, scoring scale, review cadence, and the mapping from register row to eval task.
- Customer trust artifacts. Model cards, system cards, public eval pages, and the SOC-style trust portal pattern.
- Board readout templates. What a 12-minute quarterly board update on AI risk actually looks like, with the three slides that hold up.