Module 05 · Tier 7 — Organizational Strategy

AI Governance & Risk Frameworks

How to make decisions about AI deployment systematically — before incidents force you to make them reactively.

15 min Tier 7 — Organizational Strategy

Why This Matters

Every organisation deploying AI will eventually face a governance moment: an AI system produces a harmful output, a data use decision requires board-level attention, a regulatory question demands a clear internal position. The organisations that navigate these moments well are the ones that built their governance framework before the moment arrived. The ones that navigate them poorly are the ones making governance decisions reactively, under pressure, without a principled framework to fall back on.

AI governance is the set of decisions, structures, and processes that determine how AI is developed, deployed, and monitored in an organisation. It answers: Who has authority to approve AI initiatives? What must be reviewed before deployment? What are the non-negotiable guardrails? How are incidents handled? Who is accountable when something goes wrong?

Governance is not compliance — it's broader. Compliance is about meeting external requirements. Governance is about making good decisions consistently, including in situations that regulations don't yet address.

AI risks cluster into four categories, each requiring different governance responses:

Full access is for AIQ members

Unlock all 56 lessons, the certificate pathway, and the SociA|~ community.

56 lessons across all three course tracks
AIQ certification on completion
SociA|~ Society community access

Unlock full access →

The Concept

What AI Governance Actually Means

The Risk Taxonomy for AI

AI risks cluster into four categories, each requiring different governance responses:

Output Risk

AI systems produce incorrect, biased, or harmful outputs. Risk is proportional to: how consequential are the decisions informed by this output, and how much human review is in the loop? A content recommendation system with millions of users and no human review carries higher output risk than a draft-generation tool where every output is reviewed before use.

Data Risk

AI systems use, store, or expose data in ways that violate privacy, contractual, or regulatory requirements. This includes training data issues (consent, representativeness), inference risks (the system's outputs reveal private information about individuals), and third-party data sharing when using external AI providers.

Dependency Risk

Critical organisational processes become dependent on AI systems that can fail, change their behaviour (model updates), or have their access revoked (vendor changes). Single points of failure in AI-dependent workflows are a governance concern that most organisations underweight.

Accountability Risk

When an AI system causes harm, who is responsible? If there is no clear accountability structure, organisations face both ethical and legal exposure. The accountability question must be answered before deployment, not after an incident.

Governance Structure Options

Three governance models that work at different organisational scales:

Centralised review board: All AI initiatives above a materiality threshold require approval from a cross-functional board (legal, risk, technology, business). Works well for high-risk deployments in regulated industries. Risk: creates bottlenecks that slow innovation.

Tiered governance: Low-risk AI use (e.g., using AI assistants for internal document drafting) is approved at manager level. Medium-risk (customer-facing AI with moderate autonomy) requires department head approval plus risk review. High-risk (consequential automated decisions) requires board-level review. Balances speed with oversight.

Distributed governance with standards: Publish clear organisational AI principles and risk standards; empower teams to make deployment decisions within those standards; conduct post-hoc audits. Works when organisational trust is high and the risk of individual deployments is contained.

The Five Non-Negotiables

Regardless of governance model, five things should be non-negotiable across every AI deployment:

Human accountability is clearly assigned — a named person, not "the team"
Data use is explicitly reviewed and approved against privacy policy and applicable law
A shut-down path exists and is documented — how to turn this off quickly if needed
An incident response plan is in place before deployment, not after
Regular output review is scheduled — not assumed to be "fine"

The governance audit template

A pre-deployment governance checklist for any AI system with material organisational impact:

Use and accountability:

What decisions will this system inform or make?
Who is the named accountable owner?
What is the human review layer, if any?

Data:

What data does this system use? Has it been reviewed against data privacy policy?
Does this system share data with a third-party AI provider? Under what terms?
Is there a data retention and deletion policy for AI-generated outputs?

Risk:

What are the three most likely failure modes of this system?
What is the maximum harm if the system produces a significantly wrong output?
Is there a shut-down procedure documented and tested?

Monitoring:

Who reviews outputs and at what frequency?
What triggers an incident review?
When is the first scheduled governance review?

Hands-On Exercise

Design your AI governance framework

ClaudeAny AI assistant

Assess your organisation's current AI governance: 1. Which of the three governance models (centralised, tiered, distributed) best fits your organisation's culture and risk profile? 2. What is the materiality threshold — at what scale or risk level does an AI initiative require formal review? 3. For each of the four risk categories (output, data, dependency, accountability): what is your current governance mechanism, if any? 4. Which of the five non-negotiables are not currently ensured across all your AI deployments? Draft a one-page governance framework for your organisation that specifies: who approves what, at what threshold, with what required documentation.

Start with where the governance is currently absent — usually dependency risk and the shut-down path. A minimal framework consistently applied is better than a comprehensive framework that exists only in a document.

Active Recall

Before moving on — close this lesson and answer these from memory. Then come back and check. Testing yourself (not re-reading) is how this sticks.

1 What are the four AI risk categories? Give one example of each type of risk and the governance response it requires.

2 What are the five non-negotiables that should apply to every AI deployment regardless of governance model?

Reflection

What is the highest-risk AI deployment currently active in your organisation? Apply the four-category risk taxonomy to it. Which risks are well-governed and which are not?

Key Takeaway

AI governance answers who has authority, what requires review, and who is accountable when things go wrong — before incidents force those answers reactively. The four risk categories (output, data, dependency, accountability) require different governance responses. Five things are non-negotiable in every deployment: named accountability, data review, shut-down path, incident response plan, and scheduled output review.