Key facts
- A workable baseline typically takes 60–90 days; maturity builds over 12 months or more.
- Governance starts with visibility — an AI inventory comes before anything else.
- An accountable owner (often an executive) is essential, supported by a cross-functional group.
- Reference frameworks: EU AI Act, ISO 42001, NIST AI RMF and OECD AI Principles.
- Use the free operating model canvas to design how governance runs day to day.
Outcome summary
A working AI governance framework that covers every AI system you develop, buy or use, with clear ownership, proportionate controls and evidence you can show a regulator, buyer or board.
Prerequisites
An accountable owner willing to sponsor the work, and a cross-functional group spanning legal, risk, security and the business. You do not need a large team to start — proportionate governance works for small organisations too.
The steps
Step 1: Set principles. A short statement of how your organisation wants to use AI responsibly.
Step 2: Build the inventory. List every AI system in use, bought or built. See how to build an AI inventory.
Step 3: Classify risk. Tag each system against the EU AI Act's risk tiers or an equivalent internal scale.
Step 4: Assign roles. A RACI (responsible, accountable, consulted, informed) matrix for the key governance activities — inventory upkeep, classification, exceptions, incidents.
Step 5: Write policies. Start with an acceptable-use policy; add specialised policies as needed.
Step 6: Put controls in place. Approval workflows, monitoring and training proportionate to risk.
Step 7: Review regularly. Quarterly review of the inventory, risk register and control adherence.
Common mistakes
The most common mistakes are starting with policy documents before you have visibility of your actual AI use, building governance too heavy for the organisation's size, and treating it as a one-off project rather than an ongoing operating rhythm.
Frequently asked questions
What does an AI governance framework include?
Principles, an inventory, risk classification, roles and accountability, policies, controls, monitoring and review.
What's the first thing to do in AI governance?
Create an inventory of where AI is used — governance starts with visibility.
How long does it take to set up AI governance?
A workable baseline in 60 to 90 days; maturity builds over 12 months or more.
Do small companies need AI governance?
Yes — proportionate governance, even a lightweight inventory, policy and risk process, materially reduces exposure.
What frameworks support AI governance?
The EU AI Act, ISO 42001, NIST AI RMF and OECD AI Principles are the common reference points.
Last updated 19 June 2026.