the smallest unit in the framework. not a control. not a layer. the thing inside a layer that does one specific job.
An atomic capability listed within a layer or shield section. Components are not independently governed; they are governed through the layer or shield they belong to. A component describes a capability that must exist (e.g., “model evaluation pipeline”), while a control describes the mechanism that manages risk within that capability.
Why It Matters
Without components, a layer is an abstraction. With components, it is a checklist. The difference matters because governance operates at the level of specificity. Telling an organisation it needs “AI Engineering governance” (L5) is directionally useful. Telling it that L5 requires model evaluation pipelines, training data versioning, experiment tracking, deployment gates, and rollback mechanisms is operationally useful. Components bridge the gap between architectural intent and implementation reality.
Components also enable maturity measurement. A layer cannot be “50% mature” without a denominator. Components provide that denominator. If L5 has twelve components and six are operational, the layer is at 50% component coverage. This granularity allows organisations to identify exactly where investment is needed, rather than making blanket assessments that obscure specific gaps.
The critical design decision is that components are not independently governed. Each component inherits its governance from its parent layer or shield. This prevents the framework from fracturing into hundreds of independently managed units, which would make governance more burdensome than the risks it addresses. The layer owner governs all components within that layer. The evidence requirements flow downward.
The Stress Test
Your organisation reports that L5 (AI Engineering) is at Maturity Level 3. An assessor asks which components within L5 are at Level 3. You discover that model evaluation is at Level 4 (strong, well-tested), training data versioning is at Level 1 (ad hoc), and experiment tracking does not exist. The layer-level assessment averaged across components and produced a number that obscured two critical gaps.
Maturity at the layer level without maturity at the component level is a governance illusion. The gaps live in the components.
In the Wild
Zillow’s algorithmic home-buying programme, Zillow Offers, used a machine learning model to estimate home values and make purchase offers. The model’s pricing component was functional. The retraining component — the mechanism to update the model as market conditions changed — was not. When the U.S. housing market shifted rapidly in 2021, the model continued making offers based on outdated patterns. Zillow lost $881 million, wrote down $569 million in inventory, and laid off 25% of its workforce.
The model worked. The retraining component did not exist. One missing component within L5 cost nearly a billion dollars.
The Facebook Papers revealed that Meta’s content moderation AI had strong evaluation components for English-language content but minimal or absent evaluation components for other languages. Internal documents showed that only 13% of content moderation resources were allocated to non-English content, despite non-English users constituting the majority of the platform. The component-level gap — evaluation pipelines that existed for one language but not others — contributed to documented harms in Ethiopia, Myanmar, and India.
The layer was nominally present. The components within it had coverage gaps that mapped directly to where harm occurred.
IBM Watson for Oncology provided cancer treatment recommendations to hospitals worldwide. An investigation by STAT News revealed that the system’s recommendation component was functional, but the clinical validation component was largely absent. Watson’s recommendations were based primarily on training by a small number of physicians at Memorial Sloan Kettering, not on comprehensive clinical trial data. The system lacked the component for validating recommendations against local clinical standards, patient populations, and available treatments. Multiple hospitals abandoned the system after discovering recommendations that contradicted established protocols.
The recommendation component worked. The validation component did not exist. In healthcare, that distinction is the difference between treatment and harm.
How to Govern It
Components make layers actionable. Without them, governance stays at the PowerPoint level.
Within the AI Control Index, components are governed through their parent structure:
- Component Inventory — Each layer and shield declares its components explicitly. The framework lists every component within every layer and shield, creating a complete inventory of required capabilities.
- Inherited Governance — Components do not have independent owners. The layer owner governs all components within that layer. This prevents governance fragmentation while maintaining granularity.
- Component-Level Maturity — While maturity is assessed at the layer level, the assessment must account for component coverage. A layer cannot claim Level 3 maturity if half its components are at Level 1.
- Evidence Mapping — Controls within a component must produce evidence. The evidence rolls up to the layer level but must be traceable to the specific component.
- Gap Identification — Components that do not exist or are not operational are classified as gaps. A gap at the component level is a specific, actionable finding, not an abstract deficiency.
When It's Relevant
Components become relevant the moment governance moves from policy to implementation. A board-level AI policy does not reference components. An engineering team implementing that policy must. Components bridge the abstraction gap between what the board declares (risk appetite, ethical principles) and what the engineering team builds (evaluation pipelines, monitoring systems, rollback mechanisms).
Component-level governance becomes critical when:
- Maturity assessments need to move beyond layer-level averages
- Audit findings require specific, actionable remediation
- Engineering teams need a checklist of required capabilities
- The organisation is building a roadmap for governance improvement
- Incident investigations need to identify the specific capability that failed or was absent
Related Terms
References
- [1] Parker, W. and Friedman, Z. (2021) ‘Zillow’s Home-Flipping Debacle Shows Perils of Relying on AI’, Bloomberg, 2 November. Available at: bloomberg.com.
- [2] Haugen, F. (2021) Facebook Papers. Disclosed to the U.S. Securities and Exchange Commission and the U.S. Congress.
- [3] Ross, C. and Swetlitz, I. (2018) ‘IBM’s Watson supercomputer recommended unsafe and incorrect cancer treatments, internal documents show’, STAT News, 25 July.
- [4] ISO/IEC 42001:2023. Information Technology — Artificial Intelligence — Management System. International Organization for Standardization.
- [5] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce.
- [6] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union.
- [7] Amershi, S., Begel, A., Bird, C., DeLine, R., Gall, H., Kamar, E., Nagappan, N., Nushi, B. and Zimmermann, T. (2019) ‘Software Engineering for Machine Learning: A Case Study’, Proceedings of the 41st International Conference on Software Engineering (ICSE), pp. 291–300.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens