Unit 4 of 4
6.4 — AI Governance Structures
Effective AI governance requires clear accountability structures, from board-level oversight to operational teams. The three lines of defense model provides a proven framework.
Three Lines of Defense Model for AI

- 1st Line — Operations: AI development and operations teams own and manage risks
- 2nd Line — Risk & Compliance: oversee, challenge, and monitor the first line
- 3rd Line — Internal Audit: independent assurance and objective evaluation
Essential AI Governance Artifacts
| Artifact | Purpose | Review Frequency |
|---|---|---|
| AI Policy | Sets organizational principles and boundaries for AI use | Annually |
| AI Risk Appetite Statement | Defines acceptable risk levels for AI systems | Annually |
| AI System Register/Inventory | Catalogs all AI systems with risk classifications | Continuously updated |
| Model Risk Management Framework | Governs model development, validation, and monitoring | Annually |
| Data Governance Framework | Ensures data quality, provenance, and privacy compliance | Annually |
| Incident Response Plan | Procedures for AI-specific failures and incidents | Annually + after incidents |
| Responsible AI Principles | Ethical guidelines for AI development and deployment | Biennially |
AI Governance Reporting Structure (top-down; each level reports to the one above it)

- Board / Risk Committee: ultimate oversight
- Chief AI Officer: strategic AI leadership
- AI Ethics Committee: cross-functional review
- AI Risk Team: operational risk management
⚠ Shadow AI
Shadow AI — unauthorized use of AI tools by employees (e.g., uploading confidential data to ChatGPT) — is an emerging governance challenge. Governance must address the full AI supply chain: in-house models, fine-tuned models, third-party APIs, open-source components, training data, and shadow AI.
Key Points

- Board-level AI oversight is essential
- Three lines of defense: operations, risk/compliance, internal audit
- Essential artifacts: AI policy, risk appetite statement, system register
- Full supply chain governance, including shadow AI
- Annual review and update cycle