Chapter 06 · 10 min

Governance & compliance

Governance sounds like the thing that slows you down. Done right, it's the opposite: it's what lets you adopt AI quickly and defensibly, because you've decided in advance how. This chapter is the practical governance a decision-maker needs — enough structure to be safe, not so much that nothing ships.

Governance is the seatbelt, not the speed limit. It's what lets you go fast without it being reckless.

Governance is just deciding in advance

Strip away the jargon and governance is a set of decisions made once, on purpose, so they don't have to be improvised under pressure: who's allowed to use AI for what, what data can and can't go into it, who approves a new AI use, and who's accountable when something goes wrong. Without these, every team invents its own answer, and you find out about the bad ones from an incident.

[Figure: The four pillars of AI governance. Four columns (policy: who decides; controls: what we do; evidence: the audit trail; review: keep pace) standing on a base of clear ownership, accountable by name. Governance rests on someone being accountable.]
Four pillars — policy (who decides), controls (what we do), evidence (the audit trail), review (keeping pace) — on a base of clear ownership.

The frameworks you'll hear named

You don't need to implement these yourself, but you should recognise them, because your customers, auditors, and counsel will raise them:

  • NIST AI Risk Management Framework (AI RMF) — a voluntary US framework for identifying and managing AI risk across the system lifecycle. The most common North American reference point, and the vocabulary (govern, map, measure, manage) your auditors will borrow.
  • EU AI Act — risk-tiered regulation; matters if you operate in or sell into the EU, with the heaviest obligations on high-risk uses and an outright ban on a short list of prohibited practices.
  • SOC 2 — not AI-specific, but the attestation report North American enterprise buyers expect. AI features that touch in-scope systems or customer data fall under it, so your change-management, vendor-management and data-handling controls have to cover them, including any third-party model provider you send data to.
  • Privacy law — CCPA/CPRA (California), PIPEDA (Canada), and sector rules (HIPAA, GLBA) all still apply to data routed through AI. Sending personal data to an external model provider is a disclosure to a service provider or processor under these regimes, and a provider that handles PHI is a HIPAA business associate that needs a BAA before any data flows.

Right-sizing governance

The failure mode at both extremes is real. Too little governance and you get shadow AI — teams pasting customer data into random tools, no one accountable, an incident waiting to happen. Too much and you get a review board that takes three months to approve a meeting summariser, so people route around it and you're back to shadow AI with extra steps.

The right amount scales with the stakes. A low-risk internal use of non-sensitive data needs a light touch — a clear policy and a quick check. A customer-facing system making decisions about people, on regulated data, needs the full apparatus. Match the process to the risk, and most uses should be fast.

Governance as enabler

The reframe that makes this worth doing: good governance lets you say yes faster. When the rules are clear — this data is fine, that data isn't; this risk level is self-serve, that one needs review — teams can move without asking permission for everything, and you can adopt AI broadly while sleeping at night. The companies that scale AI well aren't the ones with no governance; they're the ones whose governance makes the safe path the easy path.

In one line each

  • Governance is deciding in advance who can use AI for what, with which data, approved by whom, accountable to whom.
  • Recognise the frameworks — NIST AI RMF, EU AI Act, SOC 2, CCPA/PIPEDA — as a shared language, not a substitute for real controls.
  • Right-size it: light touch for low-risk internal uses, full apparatus for high-stakes customer-facing ones. Most uses should be fast.
  • Good governance is an enabler — it makes the safe path the easy path, letting you adopt AI broadly and defensibly.