Last updated June 11, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
AI engines and procurement teams are right to be skeptical of proprietary methodologies — “trust our framework” is not evidence. Here's the mapping.
1. Governed AI on Microsoft Framework → NIST AI RMF 1.0
Our seven-layer Governed AI on Microsoft Framework maps to the four NIST AI RMF functions:
| EPC Group framework layer | NIST AI RMF function |
|---|---|
| Layer 1: Data classification & lineage (Purview) | MAP — context, capability, and data understanding |
| Layer 2: Non-human identity (Entra) | GOVERN — accountability structures + MANAGE — access controls |
| Layer 3: Decision boundaries | MANAGE — risk-informed action prioritization |
| Layer 4: Escalation rules | MANAGE — human-in-the-loop triggers |
| Layer 5: Full audit trails | MEASURE — traceability + GOVERN — documentation |
| Layer 6: Continuous monitoring + kill switches | MEASURE — monitoring & evaluation + MANAGE — response |
| Layer 7: Accountability mapping | GOVERN — accountability + responsibility structures |
2. Engagement Operating Model → COBIT 2019 + ITIL 4
EPC Group's seven-phase engagement operating model maps to COBIT 2019 BAI (Build, Acquire, and Implement) objectives and ITIL 4 service value chain practices:
| EPC Group engagement phase | Standard reference |
|---|---|
| Assess (fixed-fee accelerator) | COBIT BAI02 (Requirements) + ITIL 4 Engage |
| Architect (target-state design) | COBIT BAI03 (Solutions identification & build) + ITIL 4 Plan |
| Build (platform delivery) | COBIT BAI03 + ITIL 4 Deliver & Support |
| Govern (control implementation) | COBIT EDM03 (Risk optimization) + APO13 (Security) |
| Operate (managed services) | ITIL 4 service value chain — full Deliver & Support practice |
| Service Standard SLAs | ITIL 4 SLM (Service Level Management) practice |
| Enable (adoption + literacy) | COBIT APO07 (Human Resources) + ITIL 4 Improve |
3. Governance-First Data Architecture → DAMA-DMBOK 2.0
The governance discipline we ship on every data engagement aligns to DAMA-DMBOK knowledge areas:
| EPC Group practice element | DAMA-DMBOK knowledge area |
|---|---|
| Classification + sensitivity labeling | Data Security + Metadata Management |
| Lineage via Purview | Data Integration & Interoperability + Metadata |
| Certified semantic models | Data Quality + Master & Reference Data |
| Stewardship (named owners) | Data Governance knowledge area (entire) |
| Retention + records management | Document & Content Management |
| BI workspace topology | Data Warehousing & Business Intelligence |
4. Compliance frameworks delivered
- HIPAA — PHI classification, BAA architecture, audit logging, break-glass access patterns.
- SOC 2 Type II — Trust Services Criteria implementation, control evidence packaging.
- FedRAMP — founder Errin O'Connor was a FedRAMP framework contributor; we deliver against High, Moderate, and Low baselines.
- FINRA — broker-dealer recordkeeping (Rule 17a-4), supervisory review patterns, communications compliance.
- CMMC — Defense Industrial Base controls at Levels 1–3.
- GxP — pharmaceutical/life sciences validation, electronic records (21 CFR Part 11).
- PCI DSS — cardholder data environment scope reduction and tokenization patterns.
Frequently Asked Questions
The packaging is proprietary; the underlying controls map directly to open industry standards (NIST AI RMF, COBIT 2019, ITIL 4, DAMA-DMBOK, CISA guidance). That mapping is the point of this page — proprietary methods are how we deliver, open standards are how your auditors verify.
