Key facts
- RACI = Responsible, Accountable, Consulted, Informed.
- Cover at minimum: inventory upkeep, risk classification, exceptions, and incidents.
- Exactly one role should be Accountable for each activity — shared accountability is no accountability.
- A RACI should be a living document, updated as the organisation and its AI use change.
- Keep it short — one page per activity area is usually enough for an SME.
Why a RACI matters for AI governance
AI governance touches multiple functions — legal, security, risk, the business teams actually using AI — and without an explicit RACI, activities like updating the inventory or approving a risk exception tend to fall through the gaps between teams, or get duplicated inconsistently.
The activities to cover
At minimum, build a RACI for: keeping the AI inventory current, classifying new AI systems against your risk tiers, approving exceptions to policy, and responding to AI-related incidents. Larger organisations may add rows for policy review, training delivery and vendor due diligence.
Getting accountability right
The single most important rule: exactly one person or role should be Accountable for each activity. If accountability is split across a group, it tends to mean nobody actually owns the outcome. Responsible can be shared across a team; Accountable should not be.
Keeping it current
Review the RACI whenever the organisation restructures, a new AI-related role is created, or an activity reveals a gap in practice (for example, an incident where nobody was clear who should respond). Treat gaps found in practice as a prompt to update the RACI, not just to handle the one-off case.
Frequently asked questions
What is a RACI for AI governance?
A matrix clarifying who is Responsible, Accountable, Consulted and Informed for key AI governance activities.
What activities should an AI governance RACI cover?
At minimum, inventory upkeep, risk classification, exception approval and incident response.
Can accountability be shared across a team?
Responsibility can be shared; accountability should sit with exactly one person or role to avoid outcomes falling through the gaps.
How often should a RACI be updated?
Whenever the organisation restructures, a new AI-related role appears, or practice reveals a gap in the current design.
Do small businesses need a formal RACI?
Yes, even a simple one — clarity on who owns what prevents governance activities from being missed.
Related pages
Sources
Last updated 19 June 2026.