EC-301a · Module 2

Demonstrating Governance


Boards want to know that AI is governed. Who owns the decisions the AI influences? Who reviews the outputs? What happens when the AI produces something wrong? How do humans intervene? The governance slide answers these questions before the board asks them. It is not overhead. It is the slide that removes blockers.

Governance for AI at the board level has four components.

  1. Decision authority: who is authorized to approve changes to the AI system, expand its scope, or discontinue it. This should map to an existing role in the organization, such as the CISO, the CTO, or a newly designated AI governance officer.
  2. Output review: what the process is for validating AI outputs before they affect customers, operations, or financial records.
  3. Override mechanism: how humans intervene when the AI produces an unacceptable output, and what the escalation path is.
  4. Audit trail: how AI decisions are logged, retained, and made reviewable, by whom, on what schedule, and for what retention period.

If any of these four components is missing, the governance slide is incomplete. A board that sees an incomplete governance framework will fill in the gaps with the most conservative interpretation possible.

  1. Name the AI Governance Owner. Assign a specific role, not a committee and not 'management', as the governance owner. This person is accountable to the board for the AI initiative's compliance and performance. The board needs a name and a title, not a collective noun.
  2. Define the Output Review Protocol. State what percentage of AI outputs are reviewed, by whom, and on what schedule. "All customer-facing outputs reviewed by a licensed representative before delivery" is a protocol. "Outputs are reviewed periodically" is not. Be specific enough that the board can hold management accountable to it.
  3. Document the Override Mechanism. Describe the specific steps for suspending or overriding the AI system. Who can initiate a suspension? What triggers automatic suspension? How quickly can the system be taken offline? Boards want to know that humans can always intervene.
  4. State the Audit Commitment. Commit to a specific audit frequency and reporting mechanism. "Quarterly AI governance reports to the Risk Committee" is a commitment. Include who conducts the audit (internal, external, or both) and where the findings are reported.