The convergence of Artificial Intelligence (AI) and the Internet of Things (IoT) has enabled the IoT-as-a-Service (IoTaaS) paradigm, offering scalable, cloud-integrated solutions for industrial environments. However, the resulting attack surface includes AI-specific threats that current IoT security frameworks do not adequately address. This paper presents a five-layer, AI RMF-governed, zero-trust architecture for AI-enabled IoTaaS, targeting three high-impact OWASP IoT Top10 categories: sensor data poisoning (IoT04), firmware/model tampering (IoT05), and unsafe command injection (IoT02). The design combines topology-and ontology-aware validation, edge sandboxing, privacy-preserving gateways, and hardware-backed remote attestation, with all controls integrated into the AI RMF Govern-Map-Measure-Manage loop. Evaluation on a validated industrial IoT testbed achieved a Poison Detection Rate (PDR) of 94.6% and an Unsafe Command Suppression Rate (UCSR) of 91.3%, with a median added latency of 66 ms. These results demonstrate that layered AI-driven controls can substantially improve industrial IoT security without compromising real-time operational constraints, while providing governance-aligned risk visibility and a pathway for regulatory compliance.