Finding the right AI governance for your organisation
Governance frameworks should fit organisational reality rather than seeking to replicate what others are doing
AI governance is commonly mischaracterised as belonging to a single function - ethics, security, privacy, legal compliance or IT. Its genuine scope and structure are more nuanced and require close integration across all of these areas and more.
Equally important to remember is that no universal framework exists; organisations must develop governance approaches that reflect their unique operational values, strategy, industry and risk environment.
Effective governance further hinges on understanding and integrating the governance loop - the continuous cycle of assessment, implementation, monitoring and adaptation that responds to technological and regulatory change. Simply put, governance is not a one-time exercise. Organisations must continuously monitor approved tools, adapt to regulatory changes and shifting strategic priorities, and improve the process based on what does and does not work.
In developing our AI Governance structure at Unit4, I identified three steps:
Step 1: AI Governance Framework
Define the components of the AI Governance Framework. They typically include legal, contract and regulatory review, Intellectual Property rights, licensing, data protection, security, IT, product liability and ethical considerations.
However, each organisation may wish to add principles based on its own values and strategy, for example AI sovereignty or sustainability considerations. A helpful starting point is to base the governance framework on existing legal requirements. The EU AI Act, for instance, provides a comprehensive regulatory structure that can support governance design. By building on these established requirements, organisations can then develop company-wide AI policies that address their specific operational context while ensuring regulatory compliance.
Defining what is - and, just as importantly, what isn't - within the remit of the AI Governance Framework, together with the role of each stakeholder, is key. Is approval of the business case for each AI use case included within the scope, or should it sit somewhere else? There is no right or wrong answer, but the question must be settled: an AI tool that satisfies every governance criterion may still be inappropriate for the organisation for other overriding reasons, such as a weak business case.
Step 2: Embedding governance in operations
A good place to start, to maximise success and reduce risk, is a simple gap analysis of the organisation's AI maturity - both for the organisation as a whole and for each team individually. For example, your IT team may need to ensure the architecture is AI ready, with the correct access permissions defined before any tool is connected to company data.
Your legal department may need to prepare by developing specific AI contractual provisions (with the AI supplier and/or the end customer). Don't assume that just because there is seemingly huge demand for AI, the organisation is ready to deploy it safely. Steady, careful and focused use of AI is better than too many tools that are not used correctly or effectively.
As you proceed to operationalise the governance framework, don't reinvent the wheel - build on what you already have by adding AI-specific checks. If your IT team already runs approval processes for other tools with input from security and privacy, use that same framework as your starting point for the AI tool assessment.
Next, establish AI policy compliance oversight mechanisms - whether through appointed reviewers or a dedicated AI governance board - to address AI-specific considerations including bias mitigation, ethical compliance and algorithmic transparency. Clear role definitions and responsibility matrices are essential for effective implementation. Additionally, as mentioned above, monitoring how each AI tool is actually used, and repeating the due diligence at regular intervals and whenever a tool gains new functionality, is essential.
Organisations should also ensure access to legal expertise - whether internal counsel or external advisors - to monitor evolving regulatory requirements and assess their applicability to AI governance frameworks.
Step 3: Upskilling workforce and ensuring ROI
This isn't just simple IT training. Identify skills gaps and align training to the AI use cases or to people's day jobs. Senior executives and business unit heads do not typically have the time or expertise to drive operational transformation. Unless someone can guide them in setting up the right key performance indicators (KPIs), they will not necessarily be able to maintain sustainable oversight of AI adoption.
Each department, supported by IT or by designated departmental AI champions, should catalogue its responsibilities and tasks to assess where AI can enhance outputs or introduce efficiencies. The key here is to focus on a limited number of initiatives, but to ensure those selected have a clear return on investment (ROI). The resulting catalogue - a discovery form - can then serve as an effective scorecard for tracking implementation success. This approach also transforms AI from an intimidating technological disruption into a practical solution for existing operational challenges.
Additionally, gaining access to an AI tool should be viewed by staff as an investment in them and a sign of trust. The flip side of this trust is accountability - mandatory compliance and governance training should be required for access. This training should cover responsible AI use and policy requirements, including identifying bias, safe use practices, data privacy, and human-AI interactions.
Finally, it is worth remembering that humans are creatures of habit. Overcoming resistance to AI implementation necessitates a strategic approach with a focus on three key areas: communication, collaboration, and gradual change. Training and upskilling should be regular, relevant and varied.
In conclusion, AI governance implementation challenges are universal. No organisation has perfected its approach, and the overwhelming array of available tools - each with distinct strengths and weaknesses - complicates decision-making. Ever-changing regulations and the rapid advancement of these tools present further challenges. Organisations should therefore focus on setting up governance frameworks that fit their specific organisational reality rather than seeking to replicate what others are doing. Getting the right building blocks in place, simplifying the structure, and then introducing the different layers slowly and incrementally will help avoid many issues in the future. Ultimately, effective implementation requires a careful balancing of strategic vision with operational practicalities to ensure robust change management throughout the process.
Michelle Eisenberg is General Counsel at Unit4