How to build an AI governance programme
- Build a programme in steps: inventory, ownership, risk-based classification, controls, documentation, continuity.
- Make governance proportionate to risk so it stays sustainable, and ensure oversight and controls genuinely operate.
- Build evidence as a by-product of governing, and run the programme continuously, not as an annual exercise.
- Map specific frameworks and laws onto the foundation, and keep each system's records coherent so the programme scales.
- Current as of June 2026. This is general information, not legal advice.
Step 1: Inventory your AI
Start by finding and listing every AI system across the organisation, including third-party tools and embedded features. For each, capture its purpose, owner, data, and where it is used. This inventory is the foundation; you cannot govern what you have not identified, and most organisations discover they have more AI than they thought.
Step 2: Establish governance and ownership
Set up the governance structure: who owns the programme overall, what your AI policy and principles are, and how accountability works. Then assign a named owner to each AI system. This is where governance gains authority. Decide where the programme sits, whether in a dedicated AI governance function, risk, legal, or compliance, with enough mandate to require changes.
Step 3: Classify and govern by risk
Assess each system's risk, paying closest attention to those that affect people's rights, money, or safety, and to any uses that regulations treat as high-risk or prohibited. Apply controls proportionate to risk: rigorous governance for high-risk systems, light-touch for low-risk ones. This proportionality keeps the programme sustainable.
Step 4: Apply controls and oversight
For each system, implement the controls its risk warrants: risk management, data governance, transparency, human oversight, monitoring, and security. Ensure human oversight is genuine where AI affects people. The controls should be real and operating, not just documented.
Step 5: Document and evidence
Maintain the documentation and evidence that demonstrate your governance: classifications, risk assessments, control operation, oversight, and decisions. This is what lets you answer a board, regulator, or customer. Build the evidence as a by-product of governing, not as a separate scramble before an audit or a deal.
Step 6: Make it continuous
Turn the above into an operating model that runs continuously. Establish how new AI systems enter the programme, how changes are detected and reviewed, how systems are monitored, and how incidents are captured. Connect it to regulatory change, so that when a law shifts, the affected systems are flagged. This is what keeps the programme alive rather than letting it go stale.
Step 7: Map frameworks and laws onto it
Finally, map the specific frameworks and laws you need (the EU AI Act, NIST AI RMF, ISO 42001, relevant US state laws) onto the governance foundation you have built. Because they share so much underlying substance, a strong programme satisfies much of each, and meeting a new requirement becomes a mapping exercise rather than a rebuild.
The thing that makes it work
The difference between a programme that works and one that decays is coherence: keeping each system's ownership, classification, controls, and evidence connected and current in one place. When these scatter, the programme fragments and loses its defensibility. Build for coherence from the start, and the programme scales with your AI rather than collapsing under it.
Key terms
- AI inventory: A complete list of AI systems, including third-party and embedded ones.
- Operating model: How the governance programme runs continuously, not as a one-off project.
- Risk-based controls: Controls applied in proportion to each system's risk.
- Coherence: Keeping each system's records connected so the programme scales.