The seven documentation layers

Each layer answers a narrower question than the one before it.

[Figure: The documentation hierarchy: seven layers narrowing from institutional governance at the top to supporting evidence at the bottom, colored from light (Public) to dark (Confidential).]
The seven layers at a glance — narrowing in scope and tightening in visibility, from public guidance to confidential evidence.

1 Institutional AI governance layer

Institutional strategy, AI principles, acceptable use, data classification, academic integrity guidance, procurement expectations, and privacy, security, and accessibility requirements. This layer also holds the consolidated AI risk registry — the portfolio-level roll-up of the per-deployment risk registers kept as supporting evidence. This is the broadest layer — it sets the posture everything else inherits.

Strategy & principles · Acceptable use · Data classification · Academic integrity

2 NIST AI RMF profile layer

The NIST AI Risk Management Framework is a voluntary framework for managing AI risks across products, services, and systems. Its four core functions — Govern, Map, Measure, and Manage — can be adapted into profiles for specific institutional contexts.

Layer 2 carries two kinds of profile, matching the two governance lanes: context profiles (teaching and learning, research, administration, student engagement) that govern how AI is used, and platform profiles for institution-managed platforms, cloud AI, or agentic systems that govern the shared service itself.

In higher education, those profiles can tailor governance expectations to settings such as teaching and learning, research and scholarship, administration and operations, student engagement, procurement, cloud AI adoption, or agentic AI.

Govern · Map · Measure · Manage

3 Service catalog & use-case registry layer

Two paired institutional indexes. The service catalog records the services on offer — scope, audience, allowed data classes, and links to deeper documentation — and is the front door that tells the campus what exists. The use-case registry is its demand-side companion: the uses the community is approved for or has proposed, each mapped against the relevant context profile. A use case that hardens into a configured deployment graduates into its own service or system card.

4 AI service card layer

User-facing documentation for specific services such as a managed AI platform, Claude, Microsoft 365 Copilot, Google Workspace for Education with Gemini, the Gemini app, NotebookLM, ChatGPT Edu, or enterprise AI features. Service cards explain what a tool is, for whom, and under what rules. For extensible platforms, the service card also sets out which categories of downstream tools and use cases are permitted, conditionally permitted, or out of scope.

5 System card layer

Deployment-level documentation for configured institutional systems, including architecture, integrations, workflows, controls, and governance boundaries. System cards sit beneath service cards when a service is actually a configured institutional deployment. For platforms that offer several models, this is where the model catalog, routing logic, change management, and review cadence are recorded — so model selection is a documented governance decision, not just a configuration detail.

6 Model card layer

Documentation for underlying models or internal model summaries, including intended use, limits, evaluation context, and local deployment notes. In some cases vendor model cards are linked; in others, internal summaries capture local context.

7 Supporting evidence layer

Per-deployment risk registers, reviews, data-flow diagrams, evaluation reports, incident records, procurement due diligence, and other internal evidence. This is the narrowest, most sensitive layer — the assurance trail behind every governance decision, and the local evidence the consolidated AI risk registry at layer 1 rolls up.

Why NIST AI RMF profiles anchor the middle

One useful way to structure the middle of the stack is through NIST AI RMF profiles, which turn a general risk framework into context-specific guidance.

Adaptable, not higher-ed-specific. The NIST AI RMF is not specific to higher education by default, but its Govern–Map–Measure–Manage structure can be profiled for teaching, research, administration, procurement, cloud adoption, and agentic AI — which makes the framework adaptable for colleges and universities.

Reading the stack top to bottom

A simple directional rule keeps the hierarchy coherent as it grows.

Broad to narrow

Move from institution-wide rules, to context profiles, to catalogs and service cards, to systems, to models, to evidence. Each step constrains and specializes the one above it.

Guidance to evidence

Move from user-friendly guidance toward technical evidence. The top layers are written for the campus; the bottom layers are written for reviewers and auditors.