Abstract
Despite the growing integration of AI into Information Security Management Systems (ISMS), organizations lack systematic methods for transforming high-level AI governance frameworks into machine-executable security controls. Current standards such as the NIST AI Risk Management Framework (AI RMF) and ISO/IEC 27001:2022 provide principles but no actionable pathway to automated enforcement, which creates compliance gaps and limits trust in AI-driven systems. This study develops a unified framework for declarable cybersecurity risk assessment in AI-driven ISMS through Policy-as-Code integration. We introduce a novel four-criteria declarability schema for systematically evaluating which AI governance provisions can be automated, and apply it to all 212 NIST AI RMF actions. Using mixed-methods analysis, we assessed the extractability of each action, classified actions by control logic (Preventive/Detective/Reactive), system layer (Model/Output/User) and Confidentiality, Integrity, Availability (CIA) triad alignment, and then conducted a semantic crosswalk to the operational domains of ISO/IEC 27002:2022. Results show that 84.9% of AI governance actions are directly declarable for Policy-as-Code implementation, with Measure the most automatable function (39.4%) and Detective controls dominating across all functions (reaching 75% within Measure). Actions primarily target the Model and Output layers (78% combined), and Integrity dominates the other CIA dimensions (75.6% overall). The crosswalk reveals strong alignment with Governance (24.4%) and Threat Management (18.9%) but critical gaps in System Security (0%), Identity Management (1.1%) and Asset Management (1.7%). This research provides the first reproducible methodology for transforming AI governance frameworks into machine-actionable controls within existing ISMS architectures, enabling traceable, auditable and standards-aligned security automation for AI systems.
Metadata
| Item Type: | Article |
|---|---|
| Creators: | Kharchevnikov, Dmitri (d.kharchevnikov@gfcmsu.edu); Robinett, Steven |
| Subjects: | T Technology > T Technology (General) > Information technology. Information systems; T Technology > T Technology (General) > Industrial engineering. Management engineering > Automation |
| Divisions: | Universiti Teknologi MARA, Selangor > Puncak Perdana Campus > Faculty of Information Management |
| Journal or Publication Title: | Journal of Information and Knowledge Management (JIKM) |
| ISSN: | 2231-8836; E-ISSN 2289-5337 |
| Volume: | 16 |
| Number: | 1 |
| Page Range: | pp. 105-133 |
| Keywords: | AI risk management, Declarable security, Policy-as-code, Cybersecurity |
| Date: | April 2026 |
| URI: | https://ir.uitm.edu.my/id/eprint/135018 |
