Component

the smallest unit in the framework. not a control. not a layer. the thing inside a layer that does one specific job.

"someone asked me which component handles bias testing. i said 'L5.' they said 'no, which component within L5.' i didn't know we had that level of detail. we do. i just never read it."
"the auditor asked for evidence at the component level. we had evidence at the layer level. apparently that's not the same thing."
"we marked the entire layer as mature because three out of twelve components were operational. that's not maturity. that's 25%."
Share this one
Canonical Definition

An atomic capability listed within a layer or shield section. Components are not independently governed; they are governed through the layer or shield they belong to. A component describes a capability that must exist (e.g., “model evaluation pipeline”), while a control describes the mechanism that manages risk within that capability.

Why It Matters

Without components, a layer is an abstraction. With components, it is a checklist. The difference matters because governance operates at the level of specificity. Telling an organisation it needs “AI Engineering governance” (L5) is directionally useful. Telling it that L5 requires model evaluation pipelines, training data versioning, experiment tracking, deployment gates, and rollback mechanisms is operationally useful. Components bridge the gap between architectural intent and implementation reality.

Components also enable maturity measurement. A layer cannot be “50% mature” without a denominator. Components provide that denominator. If L5 has twelve components and six are operational, the layer is at 50% component coverage. This granularity allows organisations to identify exactly where investment is needed, rather than making blanket assessments that obscure specific gaps.

The critical design decision is that components are not independently governed. Each component inherits its governance from its parent layer or shield. This prevents the framework from fracturing into hundreds of independently managed units, which would make governance more burdensome than the risks it addresses. The layer owner governs all components within that layer. The evidence requirements flow downward.

The Stress Test

Your organisation reports that L5 (AI Engineering) is at Maturity Level 3. An assessor asks which components within L5 are at Level 3. You discover that model evaluation is at Level 4 (strong, well-tested), training data versioning is at Level 1 (ad hoc), and experiment tracking does not exist. The layer-level assessment averaged across components and produced a number that obscured two critical gaps.

Maturity at the layer level without maturity at the component level is a governance illusion. The gaps live in the components.

In the Wild

Financial Services — Zillow Offers, 2021
A Model Without a Retraining Component

Zillow’s algorithmic home-buying programme, Zillow Offers, used a machine learning model to estimate home values and make purchase offers. The model’s pricing component was functional. The retraining component — the mechanism to update the model as market conditions changed — was not. When the U.S. housing market shifted rapidly in 2021, the model continued making offers based on outdated patterns. Zillow lost $881 million, wrote down $569 million in inventory, and laid off 25% of its workforce.

The model worked. The retraining component did not exist. One missing component within L5 cost nearly a billion dollars.

Technology — Facebook Content Moderation, 2021
Missing Evaluation Components Across Languages

The Facebook Papers revealed that Meta’s content moderation AI had strong evaluation components for English-language content but minimal or absent evaluation components for other languages. Internal documents showed that only 13% of content moderation resources were allocated to non-English content, despite non-English users constituting the majority of the platform. The component-level gap — evaluation pipelines that existed for one language but not others — contributed to documented harms in Ethiopia, Myanmar, and India.

The layer was nominally present. The components within it had coverage gaps that mapped directly to where harm occurred.

Healthcare — IBM Watson for Oncology, 2018
A Recommendation Engine Missing the Validation Component

IBM Watson for Oncology provided cancer treatment recommendations to hospitals worldwide. An investigation by STAT News revealed that the system’s recommendation component was functional, but the clinical validation component was largely absent. Watson’s recommendations were based primarily on training by a small number of physicians at Memorial Sloan Kettering, not on comprehensive clinical trial data. The system lacked the component for validating recommendations against local clinical standards, patient populations, and available treatments. Multiple hospitals abandoned the system after discovering recommendations that contradicted established protocols.

The recommendation component worked. The validation component did not exist. In healthcare, that distinction is the difference between treatment and harm.

How to Govern It

Components make layers actionable. Without them, governance stays at the PowerPoint level.

Within the AI Control Index, components are governed through their parent structure:

  • Component Inventory — Each layer and shield declares its components explicitly. The framework lists every component within every layer and shield, creating a complete inventory of required capabilities.
  • Inherited Governance — Components do not have independent owners. The layer owner governs all components within that layer. This prevents governance fragmentation while maintaining granularity.
  • Component-Level Maturity — While maturity is assessed at the layer level, the assessment must account for component coverage. A layer cannot claim Level 3 maturity if half its components are at Level 1.
  • Evidence Mapping — Controls within a component must produce evidence. The evidence rolls up to the layer level but must be traceable to the specific component.
  • Gap Identification — Components that do not exist or are not operational are classified as gaps. A gap at the component level is a specific, actionable finding, not an abstract deficiency.

When It's Relevant

Components become relevant the moment governance moves from policy to implementation. A board-level AI policy does not reference components. An engineering team implementing that policy must. Components bridge the abstraction gap between what the board declares (risk appetite, ethical principles) and what the engineering team builds (evaluation pipelines, monitoring systems, rollback mechanisms).

Component-level governance becomes critical when:

  • Maturity assessments need to move beyond layer-level averages
  • Audit findings require specific, actionable remediation
  • Engineering teams need a checklist of required capabilities
  • The organisation is building a roadmap for governance improvement
  • Incident investigations need to identify the specific capability that failed or was absent

See components in the framework. Every layer and shield lists its components in the AI Control Index v6.0.

Open Framework →

Related Terms

References

  1. [1] Parker, W. and Friedman, Z. (2021) ‘Zillow’s Home-Flipping Debacle Shows Perils of Relying on AI’, Bloomberg, 2 November. Available at: bloomberg.com.
  2. [2] Haugen, F. (2021) Facebook Papers. Disclosed to the U.S. Securities and Exchange Commission and the U.S. Congress.
  3. [3] Ross, C. and Swetlitz, I. (2018) ‘IBM’s Watson supercomputer recommended unsafe and incorrect cancer treatments, internal documents show’, STAT News, 25 July.
  4. [4] ISO/IEC 42001:2023. Information Technology — Artificial Intelligence — Management System. International Organization for Standardization.
  5. [5] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce.
  6. [6] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union.
  7. [7] Amershi, S., Begel, A., Bird, C., DeLine, R., Gall, H., Kamar, E., Nagappan, N., Nushi, B. and Zimmermann, T. (2019) ‘Software Engineering for Machine Learning: A Case Study’, Proceedings of the 41st International Conference on Software Engineering (ICSE), pp. 291–300.

AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens