AI · Cyber
AI Governance
AI governance is the discipline of deploying AI inside a regulated enterprise so that every model in production has a named owner, a documented purpose, a tested risk profile, and an audit trail a regulator can read. It is not a policy. It is an operating model — and it has to be built before the models proliferate, not after.
The boards I serve are not asking whether to use AI. They are asking who is accountable when the model is wrong, who saw it coming, and how we will explain it to the regulator the next morning. AI governance is the answer in operational form.
The frame
Governance as the condition for scale
Every enterprise I advise is past the question of whether to use AI. The question is now how to use it at scale without creating risk the board cannot price. AI governance is the operating layer that makes scale defensible — and, paradoxically, the thing that lets the enterprise move faster, because each new use case lands inside a known set of guardrails instead of triggering a new debate.
The frame I install is straightforward: every model is inventoried, every use case is classified by risk, every high-risk deployment passes through a human review gate, and every production model is monitored continuously. None of that is novel. What is novel is treating it as a single, board-visible operating model — aligned to NIST AI RMF and the EU AI Act — rather than a series of point decisions made by whichever team was loudest.
Components
What a credible AI governance posture looks like
These are the components I expect to be in place and evidenced before an enterprise puts a high-impact model in front of a customer, an employee decision, or a regulator.
- Model & use-case inventory: A canonical inventory of every model in production — internal, vendor, embedded — tied to use case, business owner, data classification, and risk tier. You cannot govern what you cannot list.
- Risk classification & approval gates: Tiered review aligned to NIST AI RMF and the EU AI Act, with high-risk systems passing through a documented human review and an explicit go / no-go before deployment. Low-risk models move quickly; high-risk models slow down on purpose.
- Data lineage & training provenance: Documented sources, licensing, consent, and retention for training data, fine-tuning data, and prompt pipelines. Auditable end-to-end so an external reviewer can reconstruct what the model learned from.
- Evaluation, bias & safety testing: Pre-deployment evaluations for accuracy, bias, hallucination, jailbreak resistance, and adversarial robustness — with continuous monitoring once the model is live. Drift is the rule, not the exception.
- Human oversight & explainability: Defined human-in-the-loop checkpoints, override authority, and explainability artifacts proportional to the risk tier. A regulator should be able to see who decided what, and why, without a translation layer.
- Vendor & embedded-AI diligence: A diligence standard for third-party AI — including AI features quietly added to existing SaaS — with contractual obligations on data use, model changes, and incident notification.
- Incident response & disclosure: An AI incident response process distinct from cyber IR — covering misuse, harmful output, model failure, and prompt injection — feeding the same audit trail and disclosure framework as the rest of the enterprise.
Regulated environments
Deploying AI where the stakes are real
The interesting work is not in greenfield AI demos. It is in deploying AI inside regulated workflows — credit, healthcare, education, financial reporting, public-sector services — where there is already a duty of care and a regulator with a view.
- Sectoral mapping: Crosswalking model use against the sector regime that already governs the underlying decision (FCRA, HIPAA, FERPA, ECOA, sectoral fair-use rules), so the AI control set extends the existing duty of care rather than replacing it.
- Decision auditability: For every consequential decision, a record of inputs, model version, human reviewer, and rationale — preserved long enough to satisfy the longest applicable retention requirement.
- Recourse & redress: A defined path for a customer or employee to contest a model-influenced decision, with a human in the loop and a documented turnaround time. Regulators will measure this before they measure accuracy.
How it runs
The operating cadence
AI governance runs on the same cadence as cyber and audit on purpose: monthly at the working layer (model owners, evaluation reviews, incidents), quarterly at the technology and risk committees, and annually at the full board — with one integrated dashboard. New models enter through a single intake. Vendor AI is reviewed before contracts are signed, not after the procurement team has fallen in love. The dashboard the board sees translates technical posture (drift, evaluation deltas, incidents) into the language the audit, risk, and disclosure committees already speak.
Done this way, AI governance becomes the thing that makes AI adoption possible at the speed boards now expect — not the brake the engineering team works around.
If your enterprise is past pilots and into production AI — and the board is starting to ask questions your current operating model cannot cleanly answer — this is the room to be in.