2.3 · Internal AI Governance Frameworks

The Architecture of an AI Governance Programme

13 minCourse 02

An AI governance programme is not a document. It is a set of connected processes, structures, and tools that together ensure AI systems are identified, assessed, approved, monitored, and retired appropriately. Here is the architecture.

Component 1: The AI Register

The AI Register is the foundation of your governance programme. It is a living inventory of every AI system your organisation uses, owns, or has deployed — with the key attributes needed to govern each one.

  • System name and description
  • Vendor/developer (in-house or third-party)
  • Business owner and technical owner
  • Data inputs — what personal or sensitive data it processes
  • Outputs and their use — what decisions or actions the outputs influence
  • EU AI Act classification tier
  • GDPR status — legal basis, DPIA conducted, Article 22 applicability
  • Risk rating and last review date

Component 2: The AI Approval Process

Before any new AI system is deployed, it must pass through a defined approval process. This process should include:

  • Use-case evaluation — Is AI the right solution? What are the alternatives?
  • Risk classification — EU AI Act tier, GDPR obligations, ethical risk assessment
  • Technical review — Security assessment, data provenance, bias testing
  • Legal review — Regulatory compliance, contractual obligations, IP considerations
  • Business sign-off — Accountable executive approves deployment
  • Register entry — System added to AI Register before go-live

Component 3: The AI Policy

The AI Policy should be built after the register and approval process are designed — not before. It should cover: what AI use is permitted and prohibited, who has authority to approve AI deployments, what standards apply to high-risk systems, how incidents are reported, and how the programme is reviewed.

Component 4: Monitoring & Review

Every AI system on your register should have a defined review cadence. High-risk systems: quarterly. Medium-risk: bi-annual. Low-risk: annual. Reviews should check for performance drift, regulatory changes, new risks, and whether human oversight remains effective.

Component 5: Governance Ownership

Define a clear ownership structure:

  • AI Governance Lead — overall accountability for the programme (often the CTO, CDO, or a dedicated AI Ethics/Governance role)
  • Business Owners — one per system, accountable for outcomes
  • Technical Owners — one per system, accountable for performance and security
  • AI Review Committee — cross-functional group that approves new deployments and reviews high-risk systems
Start Small, Scale It

You don't need to build all five components at once. Start with the AI Register — a simple spreadsheet will do. Add the approval process next. The policy and committee structure can follow once you know what you're actually governing.

What This Looks Like in Practice

A mature AI governance programme means that when a business unit proposes deploying a new AI tool, a defined process kicks in automatically — not because someone remembered, but because it's the required path. The system goes on a register, gets classified, gets reviewed, and gets approved or rejected with a documented rationale. That's governance.