Module 8

AI Governance & Compliance

How organizations decide who can use AI, for what, and who answers when it goes wrong.

What you'll learn

  • Explain what AI governance is and why it exists
  • Recognize the EU AI Act risk tiers in plain terms
  • Know where audit trails and AI ownership fit in

If “responsible AI” is the set of values, AI governance is the plumbing that makes those values happen on a Tuesday afternoon when someone wants to plug a new chatbot into the customer database. Governance is just the system of rules, roles, and approvals an organization uses to decide which AI gets used, for what, by whom, and with what guardrails. It sounds bureaucratic, and done badly it is. Done well, it’s mostly invisible: low-risk stuff moves fast, risky stuff gets a second look, and when something breaks there’s a clear answer to “who owns this?”

What governance actually is

At its core, governance is three things working together. First, policies: written rules about what’s allowed — which tools are approved, what data may go into them, what always needs a human check. Second, approval processes: a route for getting a new tool or use case reviewed before it goes live, so decisions aren’t made one panicked afternoon by whoever found a cool app. Third, ownership: named people who are accountable for AI risk, rather than a vague sense that “IT probably has it covered.” The most common failure isn’t a dramatic one — it’s shadow AI, where well-meaning employees quietly use unapproved tools because the official path is too slow. Good governance fixes that by making the approved path the easy path.

Figure: New AI use case → assess the risk → Minimal: just use it; Limited: tell people it's AI; High: strict controls; Unacceptable: banned → Controls & audit trail: match effort to risk.

The riskier the use, the more scrutiny it earns before and after it ships.

The rules everyone is starting to follow

You’ll hear three names a lot, so here’s what they actually mean. The EU AI Act is the first big law specifically for AI, and its central idea is wonderfully simple: regulate by risk tier. Some uses are unacceptable and banned outright (like social scoring of citizens). Some are high-risk — AI used in hiring, lending, medical devices, or critical infrastructure — and carry strict obligations around testing, documentation, and human oversight. Some are limited-risk and mainly need transparency, like telling people they’re talking to a bot. The rest is minimal-risk and largely left alone. Even if your company isn’t in Europe, this tiered thinking is becoming the global default for how to weigh AI use.

The NIST AI Risk Management Framework (from the US standards body) is not a law but a practical playbook: a voluntary structure for identifying, measuring, and reducing AI risk, organized around four functions — govern, map, measure, and manage. ISO/IEC 42001 is an international standard for running an AI management system, the kind of thing a company can be formally certified against to prove it takes AI governance seriously. In plain terms: the EU AI Act tells you what you must do, while NIST and ISO 42001 give you respected ways to show you’re doing it well.

Audit trails and who owns the risk

Two ideas hold the whole thing together. An audit trail is simply a record of what the AI did and who approved it — which version, on what data, reviewed by whom, with what outcome. When a regulator, a customer, or your own boss asks “how did this decision get made?”, the audit trail is the answer. And every meaningful AI use needs an owner: a specific person or role accountable for its behavior, not a committee that meets quarterly. Ownership is what turns governance from a document into something that actually protects people.

Rule of thumb: before deploying AI, ask “what risk tier is this, who owns it, and what record will we have if someone asks how it works?” If you can answer all three, you’re governing. If you can’t, you’re guessing.


Sort the governance actions


  • Before deployment: approval, risk tier, ownership
  • While running: audit trail, review, oversight


How to use it

You don’t have to memorize the law to be useful here — you just need to route things correctly. When a new AI idea appears, ask: “Is there an approved tool for this, or do we need a review?” “What risk tier does this fall into — could it affect someone’s job, money, or rights?” “Who’s the owner if this goes live?” “What record will we keep of what it did?” And when a colleague is about to use an unapproved tool, the kind nudge is “let’s check if that one’s been approved for this kind of data.” These questions keep the team fast and out of trouble at the same time, which is exactly what good governance is for.

Quick check

1. The core idea of the EU AI Act is to…

2. An "audit trail" for AI is…

3. "Shadow AI" refers to…