Governance

What is AI governance?

AI governance is the system of decision rights, inventories, and controls that decides what an organisation's AI may do on purpose — and how that changes when AI starts acting.

AI governance is the organisational machinery that answers four questions about every AI system you run: who approved it, what it is allowed to do, who is accountable when it misbehaves, and how you would prove all of that to someone outside the room. The definition matters because the word gets used for two thinner things — a written policy nobody operates, or a procurement checklist — and neither survives contact with a real incident. Governance that works is a running system: decision rights with names attached, an inventory that stays current, and controls that produce evidence as a side effect of operating.

The discipline grew up around models that produce content, so its classic concerns are data, bias, transparency, and acceptable use, organised by frameworks like NIST's AI Risk Management Framework and ISO/IEC 42001 and sharpened by regulation such as the EU's AI Act. That layer remains necessary. What it did not anticipate is software that *acts* — agentic AI holding credentials, calling tools, and writing to systems of record. An acting system needs governance borrowed from operations, not just ethics: identity, change management, autonomy levels, runtime enforcement. The practical translation of all of it into steps is the governing agentic AI guide; the framework selection problem has its own walkthrough.

Why the inventory carries the whole structure

Every governance question above silently assumes you know what AI you run — which is why maintaining an AI inventory is not bookkeeping but the load-bearing wall of responsible governance. The inventory is what turns "we govern AI" from an aspiration into a checkable claim: each entry names an owner, a purpose, the systems touched, and the controls attached, and each governance decision lands on an entry rather than into the air. Organisations discover the dependency in reverse, during an audit or an incident, when the first question is "how many of these do you have?" and the honest answer is a shrug. Building the inventory is deliberately the first guide on this site; everything else attaches to it.

Governance and its neighbours

Two boundaries keep the concept sharp. Governance is not security: security bounds what an attacker can make your AI do; governance decides what the organisation lets it do on purpose — each is unfinished without the other, and owning one does not discharge the other. And governance is not the framework document: NIST, ISO, and their kin organise the work and prove it to outsiders, but the work itself is decision rights, inventory, tiers, and enforcement. A certified management system wrapped around an ungoverned agent estate is paperwork with an incident inside.

Where to go from here

If agents are entering your organisation, start where governance becomes concrete: inventory what runs, then stand up the decision rights and autonomy tiers. If a framework or regulator is forcing the timetable, choose the framework for the job you actually have. To locate your organisation on the wider readiness journey (governance lands hardest at the transition into production), the maturity curve and its assessment will show you which conversation you should be having first. If the question is simply which laws and standards apply to us, the AI Governance Index maps every major regulation, framework and standard by country, from the EU AI Act to NIST and ISO/IEC 42001, and is refreshed monthly.

For the applied work in more depth: the explainer pages on conducting a governance audit, building a governance strategy, lifecycle governance, and governance in healthcare cover specific domains and techniques.

Frequently asked questions

What is AI governance?

AI governance is the organisational machinery that answers four questions about every AI system you run: who approved it, what it is allowed to do, who is accountable when it misbehaves, and how you would prove all of that to an outsider. It is a running system of decision rights, a current inventory, and controls that produce evidence — not a policy document.

What is the difference between AI governance and AI security?

Governance decides what the organisation lets its AI do on purpose; security bounds what an attacker can make it do anyway. Each is unfinished without the other, and owning one does not discharge the other.

Why is an AI inventory important for governance?

Every governance question assumes you know what AI you run. The inventory turns "we govern AI" into a checkable claim: each entry names an owner, a purpose, the systems touched, and the controls attached, and every governance decision lands on an entry rather than into the air.

How does agentic AI change AI governance?

Classic AI governance grew up around models that produce content, so it focuses on data, bias, transparency, and acceptable use. Software that acts needs governance borrowed from operations too — identity, change management, autonomy levels, and runtime enforcement.

Which AI governance frameworks should we use?

Frameworks like NIST's AI Risk Management Framework and ISO/IEC 42001 organise the work and prove it to outsiders, but they are not the work itself. Choose one for the job you actually have rather than collecting the famous ones, and expect to supplement them where agents are concerned.
