AI Governance Model

Purpose

This document describes how a company governs AI initiatives so that they deliver impact, do not create uncontrolled risk, and follow a clear path from idea to operation.

The AI governance model is embedded in the conveyor: checks of data, security, architecture, risks, and impact are performed at the stage gates of an initiative rather than separately from the process.

Core ideas

  • Governance starts at the idea stage. If security, data, and architecture are only brought in right before launch, the conveyor turns into a factory of late blockers.
  • Risk should shape the route. Simple automation and a model that drives customer-facing decisions require different levels of control.
  • Not everything is decided by a committee. Simple checks should be expressed as platform rules, while contested decisions should be escalated to accountable owners.
  • The decision trail matters as much as the decision itself. For an audit you need to understand who let an initiative move forward, on what basis, and with what risk.
  • Impact is part of governance. An initiative without a confirmed result should not be considered successful merely because the solution has been launched.

How it works

The AI governance model consists of five loops:

Loop | What it controls | Where it appears in the conveyor
Decisions | who moves an initiative forward and why | stage gates, transition history, rejection reasons
Data | sources, quality, access, confidentiality | assessment, delivery, data owner sign-offs
AI risks | result quality, reliability, reproducibility, human in the loop | delivery, awaiting impact, support
Architecture | integrations, operation, fault tolerance, observability | delivery and launch
Impact | baseline metrics, calculation methodology, result confirmation | assessment and awaiting impact

Related sections: decision framework, data governance, AI risks, architecture governance, value realization.


Initiative classes by level of control

Not all initiatives require the same weight of governance.

Class | Example | Minimum control
Low risk | an internal knowledge-search assistant without sensitive data | owner, product, basic data and impact checks
Medium risk | automation of an internal process involving personal data | access check, security, architecture, support plan
High risk | a solution affecting customers, money, risk, compliance, or legally significant actions | extended sign-off, independent review, decision log, human in the loop

The level of control should be determined at the assessment stage and revisited before delivery.


Minimum checks by stage

New

Checked:

  • whether there is a clear business problem;
  • whether there is an initiator;
  • whether the expected impact can be articulated;
  • whether the idea is an obvious duplicate.

Assessment

Checked:

  • whether a suitable AI product has been chosen;
  • whether the data is available;
  • whether there are preliminary security constraints;
  • whether the owner of the future impact is clear;
  • whether an extended risk review is needed.

Delivery

Checked:

  • whether the product's requirements are met;
  • whether data and access have been agreed;
  • whether there is an architectural solution;
  • whether the operating mode is clear;
  • whether a human in the loop is defined, if the solution affects significant actions.

Awaiting impact

Checked:

  • whether the review date has arrived;
  • whether actual data is available;
  • whether the impact is confirmed;
  • whether new risks have emerged after launch.

Support

Checked:

  • who maintains the solution;
  • how quality is tracked;
  • when the solution is reviewed;
  • what the condition for stopping or rolling back is.

Connection to the platform

The platform supports the governance model through:

  • roles and access rights;
  • the business funnel and delivery tracks;
  • configurable transition rules;
  • mandatory fields;
  • checks for similar initiatives;
  • preliminary security review;
  • tasks and accountable owners;
  • analytics on risky initiatives;
  • an AI assistant that helps assemble the brief, estimate impact, prepare documents, and suggest the next move.

In a mature setup, the AI assistant must not bypass governance rules. If an agent creates an initiative, advances a stage, or selects a product, that action must be subject to the same rights, rules, and audit as a user's action.


What counts as good governance

Good AI governance:

  • accelerates strong initiatives;
  • stops weak ones early;
  • makes risks visible before delivery;
  • does not require excessive sign-offs for low risk;
  • records decision owners;
  • ties launch to measurable impact;
  • leaves a clear trail for audit.

Bad AI governance:

  • turns every initiative into a committee;
  • demands documents that have no effect on the decision;
  • blocks delivery at the last moment;
  • fails to distinguish low risk from high risk;
  • does not know which initiatives actually delivered impact.