AI governance is not a policy PDF in a drawer. It is clear ownership for how workflows change, what data they touch, and who answers when something goes wrong.
RACI (typical mid-size team)
| Activity | Executive sponsor | Process owner | IT | Legal / compliance | Ops lead |
|---|---|---|---|---|---|
| Approve new customer-facing workflow | A | R | C | C | C |
| Maintain context / policy packs | I | C | R | A | C |
| Integrations and secrets | I | C | A/R | C | I |
| Eval set and release gate | I | A | R | C | C |
| Incident review | I | C | R | A | R |
R = responsible, A = accountable, C = consulted, I = informed
Minimum viable governance
- One executive sponsor for AI operating priorities—not every tool decision.
- Process owner per workflow who can say no to scope creep.
- IT owns integrations, logging, and access; it does not own the business wording of prompts on its own.
- Legal owns policy context and prohibited uses—not daily prompt tweaks.
Anti-patterns
- “Everyone owns AI” → no one owns incidents.
- IT writes all prompts without process owners → misaligned outcomes.
- Legal only engaged after a breach → governance as cleanup.