1. Purpose
This policy defines who is responsible and accountable for AI governance activities at [Organization Name]. It establishes the governance bodies, individual roles, decision rights, and escalation paths so that every AI system has a named owner and every governance decision has a clear decision-maker.
2. Scope
This policy covers:
- All governance bodies involved in AI oversight (committees, councils, working groups).
- All individual roles with AI governance responsibilities.
- All AI systems regardless of risk classification.
- All stages of the AI lifecycle.
3. Governance bodies
Placeholder. Populate with your organization's language for 3. Governance bodies.
3.1 AI Governance Committee
The AI Governance Committee is the primary decision-making body for AI governance. It operates as a cross-functional steering committee with the following mandate:
Composition: Executive sponsor (Chair), Legal/Compliance lead, CISO or Security lead, Data Privacy Officer, Head of Engineering/Data Science, Head of Risk Management, Business Operations representative.
Quorum: Decisions require at least 5 members present, including the Chair or their delegate. Decisions are recorded in meeting minutes and stored in the governance portal.
Cadence: Monthly standing meeting, with ad-hoc sessions for urgent escalations.
Responsibilities:
- Approve or reject high-risk AI use cases.
- Set governance standards, risk thresholds, and policy direction.
- Resolve escalations and adjudicate disputes between teams.
- Review the organization's aggregate AI risk posture quarterly.
- Commission internal reviews or audits when warranted.
- Oversee shadow AI detection and remediation efforts.
3.2 AI Ethics Advisory Group (optional)
Organizations with significant AI deployment may establish an advisory group of internal and external experts to provide non-binding guidance on ethical considerations, emerging risks, and stakeholder concerns.
4. Individual roles
Placeholder. Populate with your organization's language for 4. Individual roles.
4.1 Executive Sponsor
- Chairs the AI Governance Committee.
- Owns the AI governance budget and strategic direction.
- Accountable to the board for AI risk posture.
- Approves the AI Governance Policy and material updates.
4.2 AI Governance Lead
- Coordinates day-to-day governance operations.
- Maintains the AI system inventory and compliance tracker.
- Prepares Committee meeting materials and tracks action items.
- Is the first point of escalation for AI concerns.
- Manages exception requests and tracks their expiration.
- Coordinates shadow AI detection and reporting.
4.3 Model Owner
Every AI system must have a named Model Owner who is accountable for:
- The system's documentation (model card, data sheet, risk assessment).
- Passing lifecycle gate reviews before deployment.
- Ongoing monitoring and performance in production.
- Responding to incidents involving their system.
- Initiating revalidation when the system or its context changes.
- Initiating retirement when the system is no longer fit for purpose.
Model Owners are typically senior engineers, data scientists, or product managers with direct knowledge of the system.
4.4 Data Owner / Data Steward
- Accountable for the quality, provenance, and compliance of data used in AI systems.
- Approves data access requests and ensures data use is consistent with consent and lawful basis.
- Documents data lineage and maintains data classification records.
- Reviews training data for bias, representativeness, and licensing compliance.
- Ensures data retention and deletion comply with organizational policy and regulations.
4.5 Legal and Compliance
- Reviews AI use cases for regulatory obligations.
- Advises on contractual terms with AI vendors.
- Monitors regulatory changes and communicates impact to the Committee.
- Participates in conformity assessments and fundamental rights impact assessments.
4.6 Information Security
- Conducts security reviews of AI systems and infrastructure.
- Manages AI-related threat detection and incident response.
- Reviews vendor security posture for third-party AI.
- Ensures AI supply chain security (models, libraries, dependencies).
4.7 All Employees
- Follow this policy and related AI procedures.
- Report unauthorized AI tool usage (shadow AI) to the AI Governance Lead.
- Complete required AI awareness training for their role.
- Escalate concerns about AI behavior through established channels.
5. RACI matrix
The following RACI matrix defines accountability for key AI governance activities. R = Responsible (does the work), A = Accountable (final decision), C = Consulted (input required), I = Informed (kept updated).
| Activity | Exec Sponsor | AI Gov Lead | Model Owner | Data Owner | Legal | Security |
|---|---|---|---|---|---|---|
| AI strategy and policy approval | A | R | I | I | C | C |
| Risk classification | I | C | R | C | C | C |
| High-risk use case approval | A | R | C | C | C | C |
| Data sourcing and quality review | I | I | C | A/R | C | I |
| Model validation and testing | I | I | A/R | C | I | C |
| Deployment approval | I | A | R | I | C | C |
| Production monitoring | I | I | A/R | I | I | I |
| Incident response | I | C | A/R | C | C | R |
| Regulatory compliance review | I | R | C | C | A | C |
| Vendor risk assessment | I | C | C | C | C | A/R |
| Shadow AI detection and reporting | I | A/R | I | I | C | R |
| AI inventory maintenance | I | A/R | C | C | I | I |
| AI training and awareness | I | A/R | C | C | C | C |
This matrix is reviewed quarterly and updated when organizational changes occur.
6. Training requirements by role
| Role | Required training | Frequency |
|---|---|---|
| Executive Sponsor | AI governance overview, regulatory environment, risk appetite | Annually |
| AI Governance Lead | Full governance framework, regulatory deep-dive, tool proficiency | Annually + on regulatory change |
| Model Owner | Lifecycle management, risk assessment, monitoring, incident response | Annually + on system change |
| Data Owner | Data governance, bias detection, privacy requirements, data quality | Annually |
| Legal / Compliance | AI regulations, framework updates, conformity assessment | Annually + on regulatory change |
| Security | AI threat environment, supply chain security, adversarial testing | Annually |
| All employees | AI awareness, acceptable use, shadow AI reporting | On hire + annually |
7. Succession and delegation
- Each governance role must have a named delegate who can act in the primary's absence.
- Delegates must be documented in the governance portal with effective dates.
- Role vacancies exceeding 30 days require the AI Governance Lead to escalate to the Executive Sponsor for interim arrangements.
- Handover notes must be documented when primary responsibility transfers.
8. Escalation paths
- Operational issues (model performance, drift): Model Owner → AI Governance Lead.
- Data quality concerns: Any team → Data Owner → AI Governance Lead.
- Risk and compliance concerns: Any employee → AI Governance Lead → Legal/Compliance → AI Governance Committee.
- Security incidents: Any employee → Security team → AI Governance Lead → Executive Sponsor.
- Shadow AI reports: Any employee → AI Governance Lead → Security (for assessment) → AI Governance Committee (if systemic).
- Ethical concerns: Any employee → AI Governance Lead → AI Governance Committee.
- Policy exceptions: Requestor → AI Governance Lead → AI Governance Committee (for high-risk).
9. Measuring effectiveness
The AI Governance Committee tracks the following metrics to assess whether governance roles and processes are working:
- Percentage of AI systems with an assigned Model Owner and up-to-date documentation.
- Average time from use case intake to deployment approval.
- Number of governance escalations and their resolution time.
- Shadow AI detection rate and remediation rate.
- Training completion rates by role.
- Audit findings related to role gaps or accountability failures.
10. Regulatory alignment
- EU AI Act: Article 4a (AI literacy), Article 9 (risk management responsibilities), Article 26 (deployer obligations).
- ISO/IEC 42001: Clause 5.3 (Organizational roles, responsibilities, and authorities).
- NIST AI RMF: GOVERN function (GV-1: governance structures, GV-2: roles and responsibilities).
11. Review
This policy is reviewed quarterly in alignment with AI Governance Committee meetings, or sooner when triggered by organizational restructuring, material role changes, or audit findings.
Document control
| Field | Value |
|---|---|
| Policy owner | [AI Governance Lead] |
| Approved by | [AI Governance Committee] |
| Effective date | [Date] |
| Next review date | [Date + 3 months] |
| Version | 1.0 |
| Classification | Internal |