Artificial intelligence is already inside your business.
It may not be approved. It may not be documented. It may not be reviewed by legal, privacy, security, compliance, HR, or procurement. It may not be listed in your vendor inventory. It may not appear in your privacy notice. It may not be covered by your data retention schedule. It may not be subject to your security review. It may not have a human oversight process. It may not have an audit trail.
But it is almost certainly there.
Employees are using generative AI to draft emails, summarize calls, write job descriptions, analyze contracts, classify support tickets, generate marketing content, review resumes, score leads, create code, summarize medical or financial information, and make recommendations that influence real decisions.
Vendors are embedding AI into software your company already uses. CRM tools, HR platforms, applicant tracking systems, customer support tools, call center software, analytics products, marketing automation platforms, fraud detection tools, cybersecurity systems, productivity suites, website chatbots, and data enrichment platforms are adding AI features faster than most companies can review them.
That creates a serious compliance problem.
Most organizations do not have one AI system. They have a hidden AI ecosystem. Some tools are customer-facing. Some are employee-facing. Some process personal data. Some process sensitive data. Some influence hiring, lending, insurance, education, healthcare, legal, housing, pricing, advertising, or eligibility decisions. Some generate content. Some classify people. Some profile users. Some make recommendations that a human accepts without question.
This is where AI governance becomes unavoidable.
AI governance is the operating system your company uses to identify, approve, classify, monitor, document, and control artificial intelligence. It is the difference between using AI in a defensible way and hoping nobody asks how your AI tools actually work.
A modern AI governance framework needs to align with the EU AI Act, the NIST AI Risk Management Framework, and applicable U.S. state AI, privacy, employment, consumer protection, and automated decision-making laws.
The old approach was simple: let teams buy software, ask security to approve the vendor, update the privacy policy once a year, and hope legal gets involved only if something breaks.
That approach does not work for AI.
AI introduces risk at the model level, data level, vendor level, output level, decision level, user-interface level, and evidence level. A company can violate privacy law, employment law, consumer protection law, discrimination law, contract obligations, sector-specific rules, and AI-specific statutes without ever “building” its own AI model.
The risk is not just that an AI system makes a bad decision.
The bigger risk is that the company cannot prove what happened.
Who approved the system? What data was used? Was personal data entered into the tool? Was sensitive data used? Did the vendor train on customer data? Was the system used to influence a consequential decision? Was a person told AI was involved? Was human review meaningful? Was the AI output logged? Was the model changed? Was the vendor documentation collected? Was a risk assessment completed? Was the system mapped to the EU AI Act? Was the system mapped to state automated decision-making laws? Was the system reviewed under NIST AI RMF?
If the answer is “we would have to check with the team,” the company does not have AI governance. It has AI exposure.
What Is AI Governance?
AI governance is the set of policies, workflows, technical controls, records, roles, and monitoring systems used to manage artificial intelligence across an organization.
It covers how AI is selected, approved, deployed, used, monitored, documented, and retired. It applies to internally built AI, third-party AI tools, embedded AI features, generative AI platforms, automated decision-making systems, chatbots, copilots, recommendation engines, scoring models, biometric systems, fraud tools, HR tools, marketing tools, and data analytics systems.
A strong AI governance program should answer the core questions regulators, auditors, enterprise customers, plaintiffs, insurers, and boards are starting to ask:
- What AI systems do you use?
- Why do you use them?
- Who owns them?
- What data do they process?
- Do they process personal data?
- Do they process sensitive data?
- Do they affect individuals?
- Do they make or influence decisions?
- Are they customer-facing?
- Are they employee-facing?
- Are they used in hiring, lending, insurance, healthcare, education, housing, legal services, pricing, fraud, advertising, or eligibility?
- Do they trigger transparency obligations?
- Do they trigger opt-out rights?
- Do they trigger human review rights?
- Do they create discrimination risk?
- Do they create privacy risk?
- Do they create security risk?
- Do they create consumer deception risk?
- Do they create contractual risk?
- Do they create EU AI Act risk?
- Do they create U.S. state law risk?
- Do they create litigation risk?
- Do they create reputational risk?
AI governance is not just an AI policy. An AI policy is only one piece of the framework.
A real AI governance program includes an AI inventory, AI risk classification, AI acceptable use rules, AI vendor management, AI impact assessments, AI legal mapping, AI privacy review, AI security review, AI data governance, AI disclosure controls, AI human oversight procedures, AI logging and audit trails, AI incident response, AI monitoring, AI training, and AI documentation.
AI governance exists because AI risk is dynamic. A privacy policy can sit on a website. An AI system changes through prompts, models, data inputs, outputs, integrations, employee behavior, vendor updates, and product releases.
That makes AI governance more like continuous compliance than static documentation.
Why AI Governance Is Now a Board-Level Compliance Issue
AI used to be treated as a product feature. Now it is a legal exposure point.
Companies are adopting AI faster than their compliance infrastructure can support. That creates a gap between what the business is doing and what legal, privacy, security, and compliance can prove.
That gap is dangerous.
AI governance is becoming a board-level issue for five reasons.
First, regulators are moving from theory to enforcement. The EU AI Act now has a phased implementation timeline with fixed dates. U.S. states are passing AI-specific and automated decision-making laws. Existing privacy, consumer protection, employment, civil rights, healthcare, financial services, education, insurance, and unfair trade practice laws are being applied to AI.
Second, AI systems can affect people in ways that trigger legal rights. Hiring, promotion, termination, lending, underwriting, pricing, healthcare triage, education access, housing eligibility, fraud classification, account suspension, targeted advertising, and customer service prioritization can all create regulatory and litigation risk when automated systems are involved.
Third, relying on an AI vendor is not a sufficient shield. A company that deploys a vendor’s AI system may still be responsible for how the system is used, what data is entered, what disclosures are provided, how decisions are reviewed, and whether the system causes unlawful discrimination or consumer harm.
Fourth, enterprise customers are starting to ask AI governance questions in procurement. Security questionnaires are expanding into AI questionnaires. Privacy reviews are asking whether customer data is used to train models. Vendor due diligence now includes model documentation, AI use restrictions, data retention, output monitoring, and human oversight.
Fifth, the litigation risk is obvious. If a company cannot explain an AI-assisted denial, rejection, classification, recommendation, or adverse outcome, plaintiffs will frame the company as reckless. The worst place to build an AI governance record is after a lawsuit, regulator inquiry, customer dispute, or breach.
Companies should assume that every significant AI system will eventually be questioned.
The question is whether the answer will be supported by evidence.
The AI Governance Problem: Shadow AI Is Already Inside the Business
The scariest AI risk is not always the AI tool your company officially approved.
It is the AI tool nobody approved.
Shadow AI happens when employees, teams, contractors, agencies, or vendors use AI without centralized approval or governance. It can happen innocently. A salesperson uses a public AI tool to summarize customer notes. A recruiter uses AI to rank resumes. A marketing team uses an AI lead-scoring tool. A support team uses AI-generated responses. A developer uses AI to write code. A manager uses AI to summarize performance reviews. An agency uses AI to create audience segments. A vendor turns on an AI feature inside software you already use.
Nobody thinks they are creating a compliance problem.
But they are.
Shadow AI can expose confidential data, personal data, trade secrets, source code, health information, financial information, employee records, customer data, privileged communications, contracts, strategy documents, and sensitive business information.
It can also create hidden automated decision-making. A person may technically make the final decision, but the AI output may shape the outcome so heavily that the human becomes a rubber stamp. That creates risk under AI laws, employment laws, privacy laws, anti-discrimination laws, and consumer protection laws.
The problem gets worse when there is no record.
- No intake form.
- No approval.
- No vendor review.
- No privacy assessment.
- No security review.
- No risk classification.
- No disclosure.
- No human oversight plan.
- No audit trail.
- No retention policy.
- No incident process.
- No proof.
That is the compliance nightmare.
The company may be using AI in ways that affect consumers, applicants, employees, patients, students, insureds, borrowers, users, or customers — and nobody can show what happened.
AI governance software exists to solve this problem at scale.
A spreadsheet may work for ten AI tools. It does not work for a company with hundreds of SaaS vendors, thousands of employees, changing AI features, multiple jurisdictions, customer-facing use cases, state privacy obligations, and EU exposure.
AI Governance Software vs. AI Governance Consulting
AI governance cannot be handled with consulting alone.
Consulting can help a company understand obligations, configure workflows, classify systems, design policies, and build a defensible program. But consulting is not the system of record.
The problem with AI governance is that it is ongoing. New tools are adopted. Vendors update products. Employees use new systems. Laws change. Risk classifications change. High-impact use cases appear. Models drift. Disclosures need updates. Consumer rights requests may come in. Regulators ask for evidence. Customers ask for documentation.
That requires software.
AI compliance software should be the operational backbone for AI governance. It should maintain the AI inventory, collect AI intake forms, classify risk, trigger impact assessments, route approvals, map obligations, store vendor documentation, maintain audit trails, support disclosure management, track human review controls, monitor periodic reviews, and generate evidence.
Consulting should complement the software, not replace it.
The strongest model is software-first, with practical compliance support built around implementation. The software creates the system of record. Consulting helps configure the program, interpret risk, accelerate deployment, and support teams that do not have internal privacy, legal, or AI governance headcount.
That distinction matters.
A PDF policy does not prove AI governance. A one-time assessment does not prove AI governance. A legal memo does not prove AI governance.
An AI governance platform that tracks systems, decisions, controls, reviews, policies, approvals, notices, vendor records, and monitoring creates the evidence trail a company needs.
How AI Governance Complements Privacy Compliance
AI governance should stand on its own, but it should not be isolated from the rest of the privacy compliance program.
AI governance complements vendor management, DSAR workflows, cookie and privacy monitoring, privacy policies, data governance, and consent management because AI often touches the same data, users, vendors, and legal rights.
A company using AI should connect AI governance to data governance for mapping data inputs, retention, purpose limitation, sensitive data, and data minimization.
It should connect AI governance to privacy notices and policies for explaining profiling, automated decision-making, AI disclosures, and consumer rights.
It should connect AI governance to DSAR workflows and the DSR Portal for access, correction, deletion, opt-out, and human review requests tied to personal data and automated processing.
It should connect AI governance to a cookie consent manager and broader consent management processes where AI use depends on user authorization or privacy-law opt-out choices.
It should also connect AI governance to cookie governance and a cookie transparency page because trackers, pixels, tags, and data collection pipelines may feed AI models, adtech platforms, personalization tools, or lead-scoring systems.
The point is simple: AI governance is not a replacement for privacy compliance. It is the next layer on top of privacy compliance.
If a company does not know what personal data it collects, where that data goes, what vendors process it, what rights apply, what notices are live, and what trackers are firing, it will struggle to govern AI responsibly.
The Legal Framework for AI Governance
An AI governance framework should be built around three major legal and operational anchors:
- The EU AI Act
- NIST AI RMF
- Applicable U.S. state AI, privacy, employment, consumer protection, and automated decision-making laws
These frameworks do not all work the same way. The EU AI Act is a formal legal regime. NIST AI RMF is a voluntary risk-management framework that can still become important in contracts, in regulatory reviews, or as a defense in litigation. State laws are a patchwork of AI-specific statutes, automated decision-making rules, profiling rights, bias audit requirements, employment AI requirements, consumer disclosure rules, and existing enforcement authority.
A company should not try to build three separate AI governance programs.
It should build one operational AI governance framework that can map to all three.
EU AI Act: The Risk-Based AI Compliance Model
The EU AI Act is the world’s most important AI-specific legal framework. It matters even for companies outside Europe if their AI systems are placed on the EU market, used in the EU, or produce outputs used in the EU.
The EU AI Act uses a risk-based approach.
At a high level, AI systems can fall into categories such as:
- Prohibited AI practices
- High-risk AI systems
- Transparency-risk AI systems
- General-purpose AI models
- Minimal-risk or lower-risk systems
The practical governance lesson is that companies need to classify AI systems by risk and maintain evidence for that classification.
The EU AI Act is not just about building AI models. It can apply to different actors in the AI value chain, including providers, deployers, importers, distributors, product manufacturers, and other parties depending on their role.
That distinction matters.
A company that develops an AI product may have provider obligations. A company that uses a third-party AI tool may have deployer obligations. A company that rebrands, substantially modifies, integrates, or places an AI system into another product may take on more responsibility than it realizes.
An AI governance framework aligned to the EU AI Act should include:
- AI system identification
- Role classification
- Risk classification
- Prohibited-use screening
- High-risk AI assessment
- Data governance review
- Technical documentation review
- Logging and recordkeeping
- Transparency review
- Human oversight planning
- Accuracy, robustness, and cybersecurity review
- Post-deployment monitoring
- Incident escalation
- Vendor documentation management
- General-purpose AI model review where applicable
- AI literacy and employee training
The AI Act makes one thing clear: AI governance must be documented.
It is not enough to say a system is low-risk. The company should be able to show why.
It is not enough to say a person reviews AI outputs. The company should be able to show what meaningful human oversight looks like.
It is not enough to say the vendor handles compliance. The company should be able to show what the vendor provided, what the company reviewed, what role the company plays, and what obligations apply.
For companies operating in or serving Europe, AI governance should start with an EU AI Act applicability assessment for every AI system in the inventory.
NIST AI RMF: The Operational Backbone for AI Risk Management
The NIST AI Risk Management Framework is not a single law, but it is one of the most important AI governance frameworks for U.S. companies.
NIST AI RMF gives companies a practical structure for managing AI risks across the AI lifecycle. It is especially useful because AI law is fragmented. One state may focus on automated decision-making. Another may focus on employment. Another may focus on consumer disclosure. Another may regulate profiling through privacy law. NIST gives companies a common risk-management language that can support all of these requirements.
The NIST AI RMF is commonly organized around four core functions:
- Govern
- Map
- Measure
- Manage
A strong AI governance program should use these functions as the backbone for operational controls.
Govern
The Govern function is about accountability. It asks whether the company has the structures, policies, roles, responsibilities, and culture needed to manage AI risk.
In practice, this means an AI governance committee, an AI policy, defined AI owners, executive oversight, legal, privacy, security, and compliance involvement, documented risk appetite, approval workflows, escalation procedures, training, and records.
Without governance, AI risk becomes everybody’s problem and nobody’s responsibility.
Map
The Map function is about understanding context.
An AI system cannot be evaluated in the abstract. The risk depends on how it is used, who is affected, what data is used, what decisions are influenced, what harm could occur, and what legal requirements apply.
Mapping should include system purpose, affected individuals, data inputs, data sources, data quality, decision impact, human involvement, vendor role, legal context, business context, potential harms, and stakeholder impact.
A chatbot used for general website support is different from a chatbot used to provide healthcare triage. A summarization tool used internally is different from a resume-ranking tool used to screen job applicants. A marketing personalization tool is different from a credit underwriting model.
The risk is in the use case.
Measure
The Measure function is about testing and evaluation.
Companies should evaluate AI systems for accuracy, reliability, bias, discrimination, robustness, security, privacy, explainability, transparency, data quality, performance drift, output quality, human oversight effectiveness, and failure modes.
Measurement is what separates real AI governance from paper compliance.
If a system influences high-impact decisions and the company has never tested for bias, accuracy, or output quality, the governance program is weak.
Manage
The Manage function is about acting on risk.
Once risks are identified and measured, the company must decide what to do. Some risks can be mitigated. Some require additional controls. Some require disclosure. Some require human review. Some require vendor changes. Some require the system to be rejected.
Risk management should include control selection, risk acceptance, risk mitigation, remediation plans, monitoring, incident response, periodic review, vendor follow-up, documentation, and executive reporting.
NIST AI RMF gives companies a practical way to show that AI governance is not just a policy. It is a risk-management process.
U.S. State AI Laws and Automated Decision-Making Requirements
The United States does not have one comprehensive federal AI law. Instead, companies face a patchwork of state AI laws, privacy laws, employment laws, consumer protection laws, biometric laws, insurance regulations, and attorney general enforcement.
That patchwork is exactly why companies need a single AI governance framework.
Trying to manually track every AI law in a spreadsheet is not a strategy. The better approach is to build a governance program that can identify use cases, classify risk, map jurisdictions, and apply the right controls based on the system’s function and impact.
Important state-law themes include automated decision-making, profiling, consumer opt-out rights, human review, appeal rights, employment AI notices, bias audits, algorithmic discrimination, generative AI disclosures, chatbot disclosures, biometric restrictions, synthetic media rules, consumer deception, health, financial, insurance, and education sector restrictions.
Colorado AI and Automated Decision-Making
Colorado has been one of the most important U.S. states for AI governance. Its AI and automated decision-making framework focuses on systems used to materially influence consequential decisions.
Consequential decisions generally raise concern when they involve areas like employment, education, housing, financial services, healthcare, insurance, or other important opportunities and access rights.
The practical governance lesson is that companies need to know when AI materially influences a decision that affects a person.
That includes systems that score applicants, rank candidates, recommend promotions, classify insurance risk, recommend loan approval, flag fraud, prioritize healthcare services, make education access recommendations, determine eligibility, influence housing decisions, or assess consumer risk.
The risk is not limited to fully automated decisions. A system can materially influence a consequential decision even if a human clicks the final button.
A governance framework should therefore document whether AI is used in a consequential decision, whether the system materially influences the decision, what data is used, whether personal data is accurate, whether the person can correct inaccurate data, whether the system creates discrimination risk, whether disclosures are required, whether records must be retained, whether impact assessments are needed, and whether a human review process exists.
Texas Responsible Artificial Intelligence Governance Act
Texas has moved into AI regulation through the Texas Responsible Artificial Intelligence Governance Act, commonly referred to as TRAIGA.
For companies, the practical message is that AI systems can create state enforcement risk when they are developed or deployed in ways that violate prohibited practices, constitutional rights, anti-discrimination principles, or consumer protection expectations.
Texas is especially important because it shows how state AI laws can combine business obligations, government AI requirements, enforcement authority, civil penalties, and regulatory sandbox concepts.
A governance framework should treat Texas as a signal that state attorneys general will not wait for federal AI legislation.
Companies should document AI systems used in Texas, AI systems affecting Texas residents, potential prohibited uses, discrimination risk, biometric or sensitive data issues, consumer deception risk, vendor documentation, NIST AI RMF alignment, and remediation processes.
California ADMT Rules and Privacy Risk Assessments
California’s privacy regime is central to AI governance because automated decision-making technology often depends on personal information.
California’s ADMT rules focus on the use of automated decision-making technology in significant decisions and related consumer rights. These obligations sit alongside broader CCPA and CPRA privacy obligations, risk assessments, cybersecurity audits for certain businesses, and consumer rights.
For AI governance, California raises several practical issues:
- Does the AI system process personal information?
- Does the AI system replace or substantially replace human decision-making?
- Does the system affect significant decisions?
- Do consumers need notice?
- Do consumers have opt-out rights?
- Do consumers have access rights related to ADMT?
- Does the business need a risk assessment?
- Does the privacy notice need updating?
- Are consumer rights workflows prepared?
A company that treats AI governance separately from privacy compliance will likely miss California risk.
AI governance software should therefore connect AI inventory, data mapping, consumer rights, privacy notices, risk assessments, and audit evidence.
NYC Local Law 144 and Automated Employment Decision Tools
New York City’s Local Law 144 is one of the best-known U.S. AI employment laws.
It focuses on automated employment decision tools used in hiring and promotion. Employers and employment agencies using covered tools must generally deal with bias audit and notice requirements.
The practical lesson is broader than New York City.
AI in employment is one of the highest-risk areas of AI governance.
Employers should identify whether AI is used for resume screening, candidate ranking, interview analysis, video interview scoring, job matching, promotion recommendations, performance evaluation, workforce analytics, termination risk scoring, productivity scoring, compensation analysis, or scheduling decisions.
A company may think it is not using AI in hiring because it does not have a custom model. But its applicant tracking system, HR platform, recruiting plugin, assessment vendor, video interview tool, or outsourced recruiting partner may already be using automated decision-making.
That is why AI governance must include vendor discovery and embedded AI review.
Illinois AI Employment Requirements
Illinois has AI employment requirements that matter for employers, HR teams, and vendors selling into the employment ecosystem.
Illinois’ Artificial Intelligence Video Interview Act created disclosure and procedural requirements around AI analysis of applicant video interviews. Illinois has also amended its Human Rights Act to address artificial intelligence in employment decisions, including generative AI.
The practical lesson is simple: AI in employment is not a casual use case.
Employers should not allow teams to use AI in recruiting, screening, interviewing, promotion, discipline, performance management, or termination without governance review.
An employment AI governance review should ask whether AI is used to influence an employment decision, whether generative AI is used in the employment process, whether the system uses protected-class proxies, whether the system uses location, zip code, school, language, video, voice, facial, or behavioral data, whether the system creates disparate impact risk, whether the vendor has provided documentation, whether notice has been given, whether human review is meaningful, whether decisions are documented, and whether the employer can explain the basis for an adverse decision.
Utah AI Disclosure Rules
Utah’s AI law is important because it highlights another theme: disclosure when consumers interact with generative AI or regulated AI services.
The legal details may vary by sector and context, but the governance issue is consistent.
If a person is interacting with AI, they may need to know.
That matters for chatbots, customer support, mental health tools, professional services, regulated occupations, consumer service interactions, AI-generated advice, AI-generated recommendations, and AI-generated content.
A governance framework should include rules for when AI disclosures are required and where those disclosures appear.
Weak disclosure buried in a privacy policy is not enough for many use cases. The disclosure should be visible at the point of interaction.
State Privacy Laws and Profiling
State privacy laws add another layer to AI governance.
Many comprehensive state privacy laws include rights related to profiling, automated decision-making, targeted advertising, sale of personal data, sensitive data, consumer rights, privacy notices, data protection assessments, and opt-out mechanisms.
This matters because AI systems often rely on profiling.
Profiling can include analyzing or predicting a person’s preferences, behavior, reliability, location, movements, economic situation, health, interests, performance at work, or eligibility for services.
AI governance should determine whether an AI system involves profiling and whether the profiling produces legal or similarly significant effects.
Examples include loan decisions, insurance decisions, employment decisions, housing decisions, education access, healthcare access, personalized pricing, fraud decisions, account restrictions, eligibility decisions, targeted advertising, and high-impact personalization.
A company should connect profiling review to privacy notice language, opt-out workflows, DSAR workflows, data mapping, vendor management, and impact assessments.
The Core Components of an AI Governance Framework
A defensible AI governance framework should include the following core components.
AI Governance Charter
The AI governance charter defines the purpose, scope, authority, and ownership of the AI governance program.
It should explain why the company has an AI governance program, what AI systems are in scope, which departments are covered, who owns the program, who approves AI systems, who can reject AI systems, who monitors AI risk, how often the program is reviewed, how issues are escalated, and how records are retained.
The charter should make clear that AI governance applies to both internal and third-party AI systems. It should also apply to AI embedded inside existing vendor tools.
Without a charter, AI governance often becomes informal. Informal governance fails when the company grows, receives a customer questionnaire, faces a regulator, or has an incident.
AI Inventory
The AI inventory is the foundation of the entire program.
A company cannot govern AI systems it cannot identify.
The AI inventory should include:
- AI system name
- Vendor name
- Internal owner
- Department
- Business purpose
- User group
- Whether the system is internally built or vendor-provided
- Whether the system is embedded in existing software
- Type of AI
- Whether it uses generative AI
- Whether it uses personal data
- Whether it uses sensitive data
- Whether it uses employee data
- Whether it uses customer data
- Whether it uses applicant data
- Whether it uses patient data
- Whether it uses student data
- Whether it uses financial data
- Whether the vendor trains on customer data
- Whether outputs affect decisions
- Whether the system is customer-facing
- Whether the system is employee-facing
- Whether the system is used in a consequential decision
- Whether the system is used in the EU
- Whether the system affects EU individuals
- Whether the system affects U.S. residents
- Applicable jurisdictions
- Risk classification
- Approval status
- Review date
- Contract owner
- Vendor documentation
- Impact assessment status
- Disclosure status
- Human oversight status
- Logging status
- Monitoring cadence
The inventory should not be a passive database. It should trigger workflows.
A new AI system should trigger intake. A high-impact use case should trigger an impact assessment. A customer-facing chatbot should trigger disclosure review. A hiring tool should trigger employment AI review. A vendor using customer data for training should trigger contract review. A system affecting EU users should trigger EU AI Act classification. A system involving personal information should trigger privacy review.
AI Intake Workflow
The AI intake workflow is how new AI systems enter the governance process.
No company should allow departments to adopt AI systems without intake.
The intake form should ask:
- What tool is being used?
- Who owns it?
- Who requested it?
- What business problem does it solve?
- Is it a vendor product or internal system?
- Is it already in use?
- Is it a pilot?
- Will personal data be entered?
- Will sensitive data be entered?
- Will customer data be entered?
- Will employee or applicant data be entered?
- Will the system be used in production?
- Will it be customer-facing?
- Will it influence decisions?
- Will it generate content?
- Will it make recommendations?
- Will it connect to other systems?
- Will it take automated action?
- Will the vendor train on company data?
- Will the vendor retain prompts or outputs?
- Are EU users affected?
- Are California users affected?
- Are Colorado users affected?
- Are Texas users affected?
- Are employees or applicants affected?
- Is a disclosure needed?
- Is human review needed?
- Is legal review needed?
- Is security review needed?
- Is privacy review needed?
- Is procurement review needed?
The intake workflow should route AI systems to the right reviewers based on risk.
Low-risk internal productivity tools may receive a lighter review. High-impact systems should receive deeper review. Prohibited or unsafe use cases should be blocked.
AI Risk Classification
Risk classification determines what controls apply.
A practical risk model may include minimal-risk AI, limited-risk AI, moderate-risk AI, high-impact AI, high-risk AI, and prohibited AI.
Minimal-Risk AI
Minimal-risk AI may include internal drafting, brainstorming, formatting, summarization, translation, or administrative support that does not involve confidential data, personal data, sensitive data, customer-facing outputs, or consequential decisions.
Even minimal-risk AI still needs rules. Employees should know what data they cannot enter and when human review is required.
Limited-Risk AI
Limited-risk AI may include customer-facing chatbots, AI-generated content, support routing, recommendation tools, or personalization features where transparency and monitoring are important but the system does not make significant decisions.
Controls may include disclosures, accuracy monitoring, escalation paths, prompt restrictions, and output review.
Moderate-Risk AI
Moderate-risk AI may include tools that process personal data, support operational decisions, influence customer experience, or generate content at scale.
Controls may include privacy review, vendor review, risk assessment, access controls, logging, and periodic review.
High-Impact AI
High-impact AI includes systems that make, recommend, or materially influence decisions affecting employment, credit, lending, housing, insurance, healthcare, education, legal services, government benefits, access to essential services, pricing, fraud, safety, or individual rights.
Controls should include impact assessments, legal review, privacy review, security review, vendor documentation, human oversight, bias testing, notice, appeal or review procedures, logging, and ongoing monitoring.
High-Risk AI
High-risk AI should be defined in a way that maps to legal frameworks like the EU AI Act and relevant state laws.
This may include certain AI systems in regulated products, biometric systems, employment tools, education tools, credit systems, insurance systems, healthcare systems, law enforcement tools, and other sensitive categories.
Controls should be rigorous and documented.
Prohibited AI
Prohibited AI should include uses that are banned by law, violate company policy, create unacceptable safety or rights risks, or cannot be controlled.
Examples may include manipulative systems designed to exploit users, unlawful discrimination, certain biometric categorization or emotion recognition use cases, social scoring, unsafe predictive policing use cases, non-consensual intimate image generation, fraud or impersonation, unauthorized surveillance, use of AI to bypass legal rights, use of AI to deceive consumers, and use of AI on sensitive data without approval.
The risk classification should be documented and reviewed periodically.
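As an added illustration (not code from the article), the inventory triggers described earlier and the tier definitions above can be expressed as one small rule set: an inventory record goes in, a risk tier and the workflows it must trigger come out. The field names, tier boundaries and the rule that an EU-facing consequential-decision system is treated as high-risk are assumptions chosen to mirror the article's lists, not a legal determination.

```python
"""Added example: rule-based AI inventory classification and workflow triggers.
Field names and thresholds are assumptions modelled on the article's lists."""
from __future__ import annotations
from dataclasses import dataclass, field

# Tiers from least to most restrictive, matching the article's risk model.
TIERS = ["minimal", "limited", "moderate", "high-impact", "high-risk", "prohibited"]

# Decision areas the article calls consequential (high-impact tier).
CONSEQUENTIAL_DOMAINS = {
    "employment", "credit", "lending", "housing", "insurance", "healthcare",
    "education", "legal", "benefits", "essential-services", "pricing", "fraud",
    "safety",
}
# Categories the article says map to legal high-risk frameworks (assumed labels).
HIGH_RISK_CATEGORIES = {"biometric", "law-enforcement", "regulated-product"}
# Uses the article lists as prohibited (assumed labels).
PROHIBITED_USES = {
    "social-scoring", "emotion-recognition", "manipulation", "predictive-policing",
    "non-consensual-imagery", "impersonation", "unauthorized-surveillance",
}


@dataclass
class AISystem:
    """A subset of the inventory fields listed in the article."""
    name: str
    owner: str
    purpose: str
    vendor: str | None = None          # None means internally built
    generative: bool = False
    customer_facing: bool = False
    personal_data: bool = False
    sensitive_data: bool = False
    decision_domains: set[str] = field(default_factory=set)
    categories: set[str] = field(default_factory=set)
    use_cases: set[str] = field(default_factory=set)
    vendor_trains_on_data: bool = False
    affects_eu: bool = False
    takes_automated_action: bool = False


def classify(s: AISystem) -> str:
    """Return the highest tier whose definition the record matches."""
    if s.use_cases & PROHIBITED_USES:
        return "prohibited"
    consequential = bool(s.decision_domains & CONSEQUENTIAL_DOMAINS)
    # Assumption: legal high-risk categories, or a consequential decision tool
    # that affects EU individuals, are treated as high-risk for framework mapping.
    if s.categories & HIGH_RISK_CATEGORIES or (consequential and s.affects_eu):
        return "high-risk"
    if consequential:
        return "high-impact"
    if s.personal_data or s.sensitive_data or s.takes_automated_action:
        return "moderate"
    if s.customer_facing:
        return "limited"
    return "minimal"


def triggered_workflows(s: AISystem, tier: str) -> list[str]:
    """Workflows the inventory should trigger, per the article's trigger list."""
    workflows = ["intake"]  # every new system enters intake
    if tier == "prohibited":
        return workflows + ["blocked"]  # unsafe use cases are stopped, not reviewed
    if tier in ("high-impact", "high-risk"):
        workflows.append("impact_assessment")
    if s.customer_facing:
        workflows.append("disclosure_review")
    if "employment" in s.decision_domains:
        workflows.append("employment_ai_review")
    if s.vendor_trains_on_data:
        workflows.append("contract_review")
    if s.affects_eu:
        workflows.append("eu_ai_act_classification")
    if s.personal_data or s.sensitive_data:
        workflows.append("privacy_review")
    return workflows


def govern(s: AISystem) -> dict:
    """One inventory row's governance outcome: tier plus triggered workflows."""
    tier = classify(s)
    return {"name": s.name, "risk_classification": tier,
            "workflows": triggered_workflows(s, tier)}


# Constructed sample inventory (hypothetical systems, not real products).
SAMPLE_INVENTORY = [
    AISystem("ResumeRanker", "HR", "Rank applicants", vendor="ExampleATS",
             personal_data=True, decision_domains={"employment"},
             vendor_trains_on_data=True, affects_eu=True),
    AISystem("SupportBot", "Support", "Answer customer questions",
             vendor="ExampleChat", generative=True, customer_facing=True,
             personal_data=True),
    AISystem("DraftAssist", "Ops", "Internal memo drafting", generative=True),
]

if __name__ == "__main__":
    for system in SAMPLE_INVENTORY:
        print(govern(system))
```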
AI Impact Assessments
AI impact assessments are one of the most important controls in AI governance.
An AI impact assessment should be required for systems that use personal data, use sensitive data, affect consumers, affect employees, affect applicants, affect patients, affect students, affect borrowers, affect insureds, affect tenants, affect vulnerable individuals, make or influence consequential decisions, create legal or similarly significant effects, use biometric data, use profiling, use automated decision-making, generate content at scale, provide advice or recommendations in regulated areas, use customer data for model training, connect to production systems, or take automated action.
The assessment should document:
- System purpose
- Intended use
- Actual use
- Business owner
- Vendor owner
- Technical owner
- Legal owner
- Affected individuals
- Data categories
- Data sources
- Sensitive data
- Training data
- Input data
- Output data
- Retention
- Vendor data use
- Jurisdictions
- Legal obligations
- EU AI Act classification
- NIST AI RMF mapping
- State law mapping
- Privacy risks
- Security risks
- Bias risks
- Discrimination risks
- Accuracy risks
- Explainability risks
- Consumer deception risks
- Human oversight
- Disclosure requirements
- Opt-out rights
- Appeal rights
- Testing performed
- Monitoring plan
- Incident process
- Residual risk
- Approval decision
- Review date
AI impact assessments should not be one-time documents. They should be updated when the use case changes, the vendor changes, the model changes, the data changes, the jurisdiction changes, the system becomes customer-facing, the system starts affecting decisions, the system starts using sensitive data, the law changes, there is a complaint, there is an incident, or there is evidence of bias or harm.
AI Vendor Management
Most companies will use third-party AI vendors. That means AI governance must include vendor governance.
Vendor review should not stop at SOC 2, ISO 27001, uptime, and privacy policy review. AI vendors require AI-specific questions.
The company should ask:
- Does the vendor use AI?
- What type of AI is used?
- Is the AI proprietary, open-source, or third-party?
- Does the vendor use general-purpose AI models?
- Does the vendor use customer data to train or improve models?
- Can customers opt out of training?
- Are prompts stored?
- Are outputs stored?
- How long are logs retained?
- Where is data processed?
- Who are the subprocessors?
- Does the system process personal data?
- Does it process sensitive data?
- Does it process employee, applicant, patient, student, financial, or customer data?
- Does it make or influence decisions?
- Has the system been tested for bias?
- Has the system been tested for accuracy?
- Has the system been tested for robustness?
- Has the system been tested for security?
- Does the vendor provide model documentation?
- Does the vendor provide intended-use documentation?
- Does the vendor identify prohibited uses?
- Does the vendor disclose limitations?
- Does the vendor provide audit logs?
- Does the vendor notify customers of material model changes?
- Does the vendor support deletion?
- Does the vendor support data subject rights?
- Does the vendor provide indemnity?
- Does the contract prohibit unauthorized training?
- Does the vendor support regulatory inquiries?
- Does the vendor support impact assessments?
- Does the vendor support human oversight?
Vendor contracts should address data use restrictions, no training without permission, confidentiality, security controls, subprocessors, data retention, prompt and output handling, audit rights, AI law compliance, model change notices, documentation obligations, incident notification, customer cooperation, regulatory cooperation, indemnity, termination, and deletion.
AI vendors should be reviewed more closely when their systems affect people, process personal data, or influence decisions.
Data Governance for AI
AI governance depends on data governance.
If a company does not understand its data, it cannot understand its AI risk.
AI data governance should address what data is used, where the data comes from, whether the data is accurate, whether the data is complete, whether the data is representative, whether the data is current, whether the data is lawfully collected, whether the data is used for the disclosed purpose, whether sensitive data is used, whether children’s data is used, whether employee data is used, whether customer data is used, whether patient data is used, whether financial data is used, whether biometric data is used, whether location data is used, whether protected-class proxies are used, whether data is used for training, whether data is used for fine-tuning, whether data is retained, whether data can be deleted, and whether data subject rights apply.
AI data governance should be especially strict where AI systems use personal data to make inferences about people.
An inference can become a compliance problem even if the raw data seems harmless. Zip code, school, employment history, browsing behavior, purchase history, location, device data, language, response time, and social signals can all become proxies for sensitive characteristics or protected classes.
The more consequential the decision, the more important data governance becomes.
Human Oversight
Human oversight is one of the most misunderstood AI governance controls.
Many companies say “a human is involved” when what they really mean is “a human accepts the AI recommendation.”
That is not meaningful oversight.
Meaningful human oversight requires a trained reviewer, authority to override the AI, access to relevant information, understanding of system limitations, clear review standards, time to review, documentation, escalation options, and protection against automation bias.
A person who blindly accepts an AI output does not reduce risk. In some cases, that person creates a false sense of compliance.
For high-impact AI, the governance framework should define who reviews AI outputs, when review happens, what triggers review, what information the reviewer receives, what factors the reviewer considers, when the reviewer must override the system, how overrides are documented, how disagreements are handled, how appeals are handled, how reviewer training is maintained, and how review quality is monitored.
Human oversight is most important where AI affects employment, credit, insurance, healthcare, housing, education, legal services, access to essential services, fraud classification, safety, or individual rights.
Transparency and AI Disclosures
AI governance must include transparency rules.
People may need to know when they are interacting with AI, when AI is generating content, when AI is materially influencing a decision, or when automated decision-making affects their rights.
Disclosure obligations can come from the EU AI Act, state AI laws, privacy laws, employment laws, consumer protection laws, sector-specific rules, contract requirements, and company policy.
AI disclosures may be needed for chatbots, virtual assistants, customer support agents, AI-generated content, synthetic media, employment tools, applicant screening, consumer profiling, automated decision-making, healthcare triage, financial recommendations, insurance classification, educational assessment, legal service tools, and professional services.
AI disclosure should be specific and visible.
Weak disclosure:
“We may use technology to improve our services.”
Stronger disclosure:
“You are interacting with an AI assistant. The assistant may generate automated responses based on the information you provide. Do not submit sensitive personal information unless requested through an approved secure process.”
For consequential decisions, disclosure may need to explain that AI or automated decision-making is used, the role of the AI system, the categories of data used, the purpose of the system, the potential consequences, the right to opt out where applicable, the right to access information where applicable, the right to correction where applicable, the right to human review where applicable, and the right to appeal where applicable.
AI governance software should help manage and document disclosures by use case, jurisdiction, system, and user group.
Logging and Audit Trails
AI governance without audit trails is fragile.
If a regulator, customer, plaintiff, auditor, or board member asks what happened, the company needs records.
AI audit trails should capture system version, model version where available, vendor version where available, prompt or input where appropriate, output, timestamp, user, decision owner, human reviewer, override decision, disclosure provided, policy version, risk classification, approval status, impact assessment version, vendor documentation version, monitoring results, and incident records.
Audit trails are especially important for high-impact systems.
The company should be able to reconstruct what AI system was used, what version was active, what data was entered, what output was generated, who reviewed it, what decision was made, what notice was provided, what policy was in effect, what controls existed, and what records were retained.
The inability to reconstruct an AI-assisted decision will become a major litigation and regulatory weakness.
AI Monitoring
AI governance does not end at deployment.
AI systems change. Vendors update models. Employees change prompts. Business teams expand use cases. Outputs drift. Data quality changes. Complaints appear. New laws pass. New disclosure obligations emerge. A system that was low-risk at launch can become high-risk later.
Monitoring should include output quality review, accuracy testing, bias testing, complaint tracking, appeal tracking, human override tracking, vendor update review, model change review, data drift review, security monitoring, privacy monitoring, disclosure monitoring, policy compliance review, regulatory update review, and risk reassessment.
Monitoring cadence should be based on risk.
Low-risk internal tools may be reviewed annually. Customer-facing AI may need quarterly review. High-impact AI may need ongoing monitoring, annual assessments, event-based reviews, and documented control testing.
AI Incident Response
AI incidents should be part of the company’s incident response plan.
AI incidents may include discriminatory output, incorrect denial, incorrect eligibility decision, harmful recommendation, privacy leak, sensitive data exposure, unauthorized use of customer data, prompt injection attack, AI hallucination used in production, chatbot providing prohibited advice, AI-generated fraud, impersonation, deepfake issue, vendor model failure, unexpected automated action, security vulnerability, regulatory complaint, consumer complaint, or employee complaint.
AI incident response should define how incidents are reported, who investigates, who owns legal review, who owns privacy review, who owns security review, who owns vendor escalation, how severity is determined, when the system is paused, when outputs are corrected, when users are notified, when regulators are notified, when customers are notified, how logs are preserved, how root cause is documented, how remediation is tracked, and how recurrence is prevented.
Companies should not wait for an AI incident to create an AI incident process.
AI Training and AI Literacy
AI governance requires employee training.
Training should be practical, not academic.
Employees should know which AI tools are approved, which AI tools are prohibited, what data cannot be entered into AI tools, when legal review is required, when privacy review is required, when security review is required, when human review is required, when AI output can be used, when AI output cannot be used, how to disclose AI use, how to report AI incidents, how to identify hallucinations, how to avoid automation bias, how to protect confidential information, how to handle customer data, how to handle employee data, and how to handle sensitive data.
Different teams need different training.
HR needs employment AI training. Marketing needs AI content, profiling, advertising, and disclosure training. Sales needs customer data and AI note-taking rules. Engineering needs secure AI development and code-generation rules. Support needs chatbot escalation and sensitive data rules. Legal needs contract, disclosure, and evidence rules. Executives need governance, accountability, and risk reporting.
AI literacy should be treated as a compliance control.
AI Governance by Industry
AI governance should be consistent across the company, but the risk profile changes by industry.
AI Governance for SaaS Companies
SaaS companies face AI risk from both product development and internal operations.
A SaaS company may use AI for product features, customer support, sales enablement, lead scoring, customer success insights, churn prediction, security monitoring, engineering copilots, documentation generation, marketing content, contract review, and usage analytics.
SaaS companies also face customer pressure. Enterprise customers increasingly ask whether customer data is used for AI training, whether AI features can be disabled, whether AI outputs are logged, whether vendors are reviewed, whether subprocessors use AI, and whether the company can support AI-related privacy rights.
SaaS companies should build AI feature inventories, customer data training restrictions, AI product documentation, AI subprocessor review, AI security review, AI customer disclosures, AI contract language, model change management, enterprise AI questionnaire responses, AI incident response, and AI audit evidence.
For SaaS companies, AI governance is not just compliance. It is sales enablement. A company that can answer AI governance questions clearly will move faster through enterprise procurement.
AI Governance for Healthcare
Healthcare AI is high-risk because it can involve sensitive health data, patient outcomes, clinical workflows, insurance claims, scheduling, triage, diagnosis support, treatment recommendations, billing, eligibility, and patient communications.
Healthcare companies may use AI for patient intake, appointment scheduling, clinical documentation, triage, claims review, risk scoring, care recommendations, medical coding, provider matching, patient engagement, marketing, call center support, and fraud detection.
Healthcare AI governance should address HIPAA and health privacy obligations, sensitive data controls, patient consent, clinical oversight, human review, accuracy testing, bias testing, safety risks, vendor BAAs where required, training data restrictions, patient disclosures, incident response, audit trails, and medical device or regulated product issues where applicable.
A healthcare AI error can create more than a privacy issue. It can create patient safety, discrimination, reimbursement, malpractice, and regulatory exposure.
AI Governance for Financial Services, Lending, and Insurance
Financial services and insurance companies face major AI governance exposure because AI can influence access to money, credit, insurance, pricing, fraud decisions, eligibility, underwriting, claims, and risk classification.
AI may be used for credit scoring, loan underwriting, insurance underwriting, claims processing, fraud detection, account monitoring, customer support, financial recommendations, collections prioritization, risk segmentation, and marketing eligibility.
AI governance in these sectors should address fair lending, unfair discrimination, adverse action explanations, consumer reporting issues, model risk management, data accuracy, protected-class proxies, third-party vendor models, explainability, appeal rights, human review, recordkeeping, and regulator examination.
AI systems that classify financial or insurance risk can create serious exposure when the company cannot explain the decision or prove the system was tested.
AI Governance for Employers and HR Teams
Employment is one of the most dangerous AI use cases.
Employers may use AI for resume screening, candidate ranking, interview analysis, video interview scoring, job description drafting, applicant matching, promotion recommendations, performance reviews, workforce analytics, productivity monitoring, compensation analysis, scheduling, and termination risk scoring.
AI in employment can trigger discrimination, notice, bias audit, privacy, employee surveillance, labor, and consumer reporting issues.
An HR AI governance program should include an employment AI inventory, applicant notice review, bias audit review, vendor documentation, human review standards, protected-class proxy review, job-relatedness review, data retention rules, appeal process, adverse decision documentation, state-law mapping, recruiter training, and a prohibition on unapproved AI screening tools.
Employers should assume that “we only use the tool to assist” will not be enough if the AI output materially influences hiring, promotion, discipline, or termination.
AI Governance for Education
Education AI can affect students, parents, teachers, admissions, assessment, accessibility, discipline, academic integrity, and student support.
AI may be used for admissions support, student scoring, academic assessment, proctoring, tutoring, learning recommendations, student risk alerts, discipline flags, accessibility tools, student communications, and counseling support.
Education AI governance should address student privacy, children’s data, FERPA where applicable, bias, accessibility, transparency, human review, teacher oversight, parental rights, vendor contracts, data retention, safety, and student impact.
AI tools in education can create long-term consequences. A flawed classification or recommendation can affect a student’s opportunity, discipline record, academic placement, or support access.
AI Governance for Law Firms and Professional Services
Law firms, accounting firms, consultants, and professional service providers face AI risks involving confidentiality, privilege, accuracy, client data, professional responsibility, and reliance.
Professional service firms may use AI for contract review, legal research, memo drafting, client communications, discovery review, due diligence, document summarization, tax analysis, financial modeling, research, marketing, and client intake.
The risks include client confidentiality, privilege waiver, incorrect output, unauthorized practice concerns, professional negligence, data retention, vendor training on client data, court disclosure requirements, and client consent.
Professional firms should have strict rules for approved AI tools, client data entry, confidential information, human review, citation checking, output verification, client disclosure, vendor contracts, matter-level restrictions, and audit trails.
AI should assist professionals, not replace professional judgment.
AI Governance for Marketing, Agencies, and Adtech
Marketing teams are adopting AI aggressively. That makes them a major AI governance risk area.
AI may be used for audience segmentation, lookalike modeling, lead scoring, personalization, ad targeting, content generation, email campaigns, website chatbots, conversion optimization, social media analysis, influencer selection, and customer journey prediction.
Marketing AI often overlaps with privacy law because it uses tracking, profiling, cookies, pixels, device data, behavioral data, and third-party data.
Marketing AI governance should address consent, opt-out rights, targeted advertising, profiling, sensitive data, data broker data, pixel governance, cookie governance, consumer disclosures, AI-generated content, deceptive marketing, dark patterns, vendor data sharing, and lead generation compliance.
A marketing AI system can create legal exposure even when nobody calls it “AI.” A lead-scoring model, personalization platform, or adtech audience engine may still involve profiling and automated inferences.
AI Governance for Ecommerce and Retail
Retail and ecommerce companies use AI across the customer lifecycle.
AI may be used for personalized recommendations, dynamic pricing, fraud detection, customer support, inventory forecasting, product descriptions, search ranking, loyalty programs, returns analysis, customer segmentation, and advertising.
Retail AI governance should address consumer transparency, pricing fairness, discrimination risk, targeted advertising, sensitive data, children’s data, chatbot disclosures, fraud false positives, account suspension, return denial, and vendor data sharing.
Retail companies should pay close attention to AI systems that change prices, restrict accounts, deny returns, classify fraud, or personalize offers based on inferred characteristics.
AI Governance for Data Brokers and Lead Generation Companies
Data brokers and lead generation companies face heightened AI governance risk because they collect, enrich, infer, sell, share, license, and activate personal data.
AI may be used for identity resolution, data enrichment, consumer scoring, lead scoring, audience building, lookalike modeling, intent prediction, eligibility prediction, marketing segmentation, data quality scoring, and risk classification.
Governance should address data source legality, consent, opt-out rights, data broker registration, sensitive data, consumer rights, profiling, automated decision-making, downstream use restrictions, vendor and customer contracts, purpose limitation, data accuracy, inference documentation, and data broker compliance.
Data brokers should be especially careful when AI-generated inferences are sold or used for consequential decisions.
AI Governance for Government Contractors and Critical Infrastructure
Government contractors and critical infrastructure providers may face additional expectations around security, transparency, reliability, procurement, human oversight, and public impact.
AI may be used for cybersecurity, public services, infrastructure monitoring, resource allocation, identity verification, fraud detection, logistics, safety systems, emergency response, and predictive maintenance.
Governance should address security, reliability, human oversight, public-sector procurement terms, auditability, explainability, incident response, model updates, vendor controls, critical system dependencies, and public impact.
For critical infrastructure, AI failure can be operational, legal, and safety-critical.
What AI Compliance Software Should Include
AI governance software should not be a checklist tool with a few AI questions bolted onto a privacy platform.
A serious AI compliance platform should include:
- AI inventory
- AI intake workflow
- AI risk classification
- EU AI Act mapping
- NIST AI RMF mapping
- State AI law mapping
- State privacy law profiling mapping
- AI impact assessments
- Vendor AI due diligence
- AI contract control tracking
- AI disclosure management
- Human oversight documentation
- AI policy management
- AI acceptable use controls
- AI training records
- AI logging and evidence repository
- Periodic review workflows
- Incident response workflows
- Consumer rights integration
- Employee rights integration
- Audit reporting
- Executive dashboards
- Regulatory update tracking
AI Inventory Module
The software should maintain a live inventory of AI systems across the business.
It should allow teams to track system name, owner, vendor, purpose, data categories, affected individuals, risk classification, approval status, and review cadence.
AI Intake and Approval Workflow
The software should let employees submit new AI tools for review and automatically route them to legal, privacy, security, compliance, HR, procurement, or product teams depending on risk.
AI Risk Scoring
The software should classify AI systems based on data sensitivity, decision impact, user group, jurisdiction, automation level, human oversight, vendor risk, and legal obligations.
Legal Mapping
The software should map AI systems to applicable laws and frameworks, including the EU AI Act, NIST AI RMF, California ADMT rules, Colorado ADMT requirements, Texas AI requirements, NYC Local Law 144, Illinois employment AI, Utah disclosure obligations, and state privacy profiling rights.
AI Impact Assessments
The software should generate and maintain AI impact assessments for high-impact systems. These assessments should be versioned, reviewable, approvable, and exportable.
Vendor AI Review
The software should collect vendor documentation, AI usage details, model training practices, subprocessor information, data retention terms, security controls, bias testing information, and contract obligations.
Disclosure Management
The software should help determine when disclosures are needed and track which notices apply to which systems, users, jurisdictions, and use cases.
Human Oversight Tracking
The software should document who reviews AI outputs, what standards apply, how overrides are handled, and how human review is evidenced.
Audit Trail and Evidence
The software should preserve records showing what system was approved, what controls applied, what policy version was in effect, what assessment was completed, what notice was provided, and what monitoring occurred.
Monitoring and Review
The software should remind teams when systems need periodic review, when vendor documentation expires, when laws change, or when systems need reassessment.
AI Incident Response
The software should support AI incident reporting, triage, investigation, remediation, and evidence preservation.
AI compliance software should make AI governance operational. The company should not have to reconstruct governance from emails, spreadsheets, Slack messages, procurement tickets, and legal memos.
AI Governance Evidence: What You Need to Prove
The ultimate test of AI governance is evidence.
A company should be able to prove that it knows what AI systems it uses, classified those systems by risk, mapped applicable laws, reviewed vendors, assessed high-impact systems, documented data use, implemented human oversight, provided disclosures, maintained logs, trained employees, monitored systems, responded to incidents, and updated the program as laws changed.
If the company cannot prove it, it should not assume it happened.
AI governance is not about looking responsible. It is about being able to produce records under pressure.
The AI Governance Roadmap
Companies can build AI governance in phases.
Phase One: Discover AI
Start by identifying AI systems already in use.
This includes approved tools, shadow AI, vendor AI, embedded AI, internal models, generative AI, chatbots, analytics tools, HR tools, marketing tools, and customer-facing systems.
Deliverables should include an AI inventory, shadow AI survey, vendor AI review, department interviews, and initial risk map.
Phase Two: Set Governance
Create the governance structure.
Deliverables should include an AI governance charter, AI governance committee, AI acceptable use policy, AI intake workflow, risk classification standard, approval process, and training plan.
Phase Three: Classify Risk
Classify each system.
Deliverables should include risk ratings, EU AI Act classification, NIST AI RMF mapping, state-law applicability mapping, high-impact system list, and prohibited-use review.
Phase Four: Assess High-Risk Systems
Conduct deeper review for higher-risk systems.
Deliverables should include AI impact assessments, privacy reviews, security reviews, vendor reviews, human oversight plans, disclosure requirements, and testing records.
Phase Five: Implement Controls
Put controls into operation.
Deliverables should include notices, opt-out workflows, human review procedures, audit logs, vendor contract updates, data restrictions, monitoring plans, and incident response updates.
Phase Six: Monitor Continuously
Govern AI over time.
Deliverables should include periodic reviews, vendor update tracking, legal update tracking, complaint review, bias and accuracy monitoring, incident reports, executive reporting, and an evidence repository.
Common AI Governance Mistakes
Companies often make the same mistakes when starting AI governance.
Mistake One: Treating AI Governance as a Policy Exercise
A policy is necessary, but it is not enough.
A company needs workflows, inventory, assessments, controls, monitoring, and evidence.
Mistake Two: Ignoring Embedded AI
Many AI systems are hidden inside existing software. Companies need to review AI features inside vendor tools they already use.
Mistake Three: Assuming Vendor Compliance Covers Everything
Vendors may provide documentation, but the company deploying the system still needs to govern its own use.
Mistake Four: Treating Human Review as a Magic Shield
Human review only helps if it is meaningful, trained, documented, and capable of overriding the AI system.
Mistake Five: Forgetting State Privacy Laws
AI governance is not just AI-specific law. Privacy laws can regulate profiling, automated decision-making, consumer rights, notices, opt-outs, and assessments.
Mistake Six: Not Keeping Evidence
If there is no record, the company will struggle to prove compliance.
Mistake Seven: Letting Marketing and HR Use AI Without Review
Marketing and HR are two of the fastest-moving and highest-risk AI adoption areas. They need governance early.
Mistake Eight: Waiting for Federal AI Law
Companies waiting for one federal AI law are missing the point. State laws, EU law, privacy laws, employment laws, consumer protection laws, and sector-specific rules already create risk.
AI Governance Questions Every Company Should Answer
A company serious about AI governance should be able to answer the following questions.
AI Inventory Questions
- What AI systems are currently used?
- Which systems are approved?
- Which systems are unapproved?
- Which systems are vendor-provided?
- Which systems are internally built?
- Which systems are embedded in existing software?
- Which systems use generative AI?
- Which systems use personal data?
- Which systems use sensitive data?
- Which systems are customer-facing?
- Which systems are employee-facing?
- Which systems affect applicants?
- Which systems affect consumers?
- Which systems affect patients?
- Which systems affect students?
- Which systems affect borrowers or insureds?
- Which systems influence decisions?
- Which systems operate in the EU?
- Which systems affect U.S. residents?
Legal Questions
- Does the EU AI Act apply?
- Is the company a provider, deployer, importer, distributor, or other covered actor?
- Is the system prohibited?
- Is the system high-risk?
- Does the system trigger transparency obligations?
- Does the system involve general-purpose AI?
- Does a state AI law apply?
- Does a state privacy law apply?
- Does an employment AI law apply?
- Does a bias audit requirement apply?
- Does a chatbot disclosure requirement apply?
- Does profiling create opt-out rights?
- Does automated decision-making create access, correction, appeal, or human review rights?
Data Questions
- What data is used?
- Where does the data come from?
- Is the data personal information?
- Is the data sensitive?
- Is the data accurate?
- Is the data representative?
- Is the data retained?
- Is data used for training?
- Can customers opt out of training?
- Can the data be deleted?
- Can the data be corrected?
- Does the vendor store prompts?
- Does the vendor store outputs?
- Does the vendor use subprocessors?
Vendor Questions
- Does the vendor use AI?
- What model or system does the vendor use?
- Does the vendor train on customer data?
- Can training be disabled?
- Does the vendor provide documentation?
- Does the vendor support audit logs?
- Does the vendor notify customers of model changes?
- Does the vendor test for bias?
- Does the vendor test for accuracy?
- Does the vendor test for security?
- Does the vendor support deletion?
- Does the vendor support regulatory inquiries?
- Does the vendor contractually agree to AI compliance obligations?
Human Oversight Questions
- Is human review required?
- Who performs the review?
- Is the reviewer trained?
- Can the reviewer override the output?
- Is the review documented?
- Is the review meaningful?
- Can affected individuals request human review?
- Can affected individuals appeal?
- Are overrides tracked?
Disclosure Questions
- Are users told when they interact with AI?
- Are applicants told when AI is used?
- Are consumers told when AI influences a decision?
- Are privacy notices updated?
- Are AI disclosures visible?
- Are opt-out rights explained?
- Are human review rights explained?
- Are synthetic media disclosures required?
Monitoring Questions
- How often is the system reviewed?
- Who monitors the output?
- How are complaints tracked?
- How are model changes reviewed?
- How are vendor changes reviewed?
- How is accuracy monitored?
- How is bias monitored?
- How are incidents escalated?
- How are laws tracked?
Evidence Questions
- Can the company produce its AI inventory?
- Can it produce the impact assessment?
- Can it produce vendor documentation?
- Can it produce approval records?
- Can it produce disclosure records?
- Can it produce human review records?
- Can it produce monitoring records?
- Can it produce incident records?
- Can it show what policy was in effect at the time of a decision?
- Can it show what system version was used?
- Can it show what changed over time?
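The last three evidence questions (which policy was in effect, which system version was used, what changed over time) are only answerable if the decision log itself captures those fields and cannot be quietly rewritten afterwards. As an added illustration, not code from the article or any vendor product, the Python below keeps a minimal tamper-evident decision log: each record binds one decision to the AI inventory system ID, the model version, the governance policy version in force, and any human override, and records are SHA-256 hash-chained so that a later edit, deletion, or reordering breaks verification. The field names, identifiers such as `hr-screening` and `AI-POL-2025.1`, and the three sample records are constructed assumptions.

```python
"""Tamper-evident AI decision log.

Added illustration for the evidence questions above; not code from the
article or any vendor product. Field names, identifiers and the sample
records are constructed assumptions.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first record in the chain


@dataclass
class DecisionRecord:
    record_id: str
    timestamp: str                 # ISO 8601, UTC
    system_id: str                 # key into the AI inventory
    model_version: str             # vendor or internal model/version label
    policy_version: str            # governance policy in force at decision time
    subject_ref: str               # pseudonymous reference, not raw personal data
    ai_output: str                 # what the AI system recommended
    human_reviewer: Optional[str]  # None means no human review occurred
    final_decision: str            # what was actually decided
    prev_hash: str = GENESIS
    record_hash: str = field(default="", compare=False)

    def canonical(self) -> bytes:
        """Deterministic serialisation of every field except the hash itself."""
        body = {k: v for k, v in asdict(self).items() if k != "record_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    @property
    def overridden(self) -> bool:
        """A human changed the outcome; a missing reviewer is not an override."""
        return self.human_reviewer is not None and self.final_decision != self.ai_output


class DecisionLog:
    """Append-only record list; each record's hash covers the previous hash."""

    def __init__(self) -> None:
        self.records: List[DecisionRecord] = []

    def append(self, rec: DecisionRecord) -> DecisionRecord:
        rec.prev_hash = self.records[-1].record_hash if self.records else GENESIS
        rec.record_hash = hashlib.sha256(rec.canonical()).hexdigest()
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered record breaks it."""
        expected_prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != expected_prev:
                return False
            if hashlib.sha256(rec.canonical()).hexdigest() != rec.record_hash:
                return False
            expected_prev = rec.record_hash
        return True

    # Evidence queries a governance team must be able to answer on demand.
    def policy_in_effect(self, record_id: str) -> Optional[str]:
        matches = [r.policy_version for r in self.records if r.record_id == record_id]
        return matches[0] if matches else None

    def model_versions_used(self, system_id: str) -> List[str]:
        """Distinct model versions for one system, in order of first use."""
        seen: List[str] = []
        for r in self.records:
            if r.system_id == system_id and r.model_version not in seen:
                seen.append(r.model_version)
        return seen

    def override_rate(self, system_id: str) -> float:
        decisions = [r for r in self.records if r.system_id == system_id]
        if not decisions:
            return 0.0
        return sum(r.overridden for r in decisions) / len(decisions)


def build_sample_log() -> DecisionLog:
    """Three constructed records for a hypothetical HR screening tool."""
    log = DecisionLog()
    sample = [
        ("dec-0001", "2025-03-01T09:00:00Z", "vendor-model-2025.02", "AI-POL-2025.1",
         "applicant-7f3a", "advance", "reviewer-12", "advance"),
        ("dec-0002", "2025-03-02T10:30:00Z", "vendor-model-2025.02", "AI-POL-2025.1",
         "applicant-91c0", "reject", "reviewer-12", "advance"),  # human override
        ("dec-0003", "2025-04-15T14:05:00Z", "vendor-model-2025.04", "AI-POL-2025.2",
         "applicant-3b8e", "reject", None, "reject"),  # no human review at all
    ]
    for rid, ts, model, policy, subj, out, reviewer, final in sample:
        log.append(DecisionRecord(rid, ts, "hr-screening", model, policy,
                                  subj, out, reviewer, final))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify(), "| policy for dec-0002:", log.policy_in_effect("dec-0002"))
    print("model versions:", log.model_versions_used("hr-screening"),
          "| override rate:", log.override_rate("hr-screening"))
    log.records[1].final_decision = "reject"  # simulate an after-the-fact edit
    print("chain intact after edit:", log.verify())
```

The hash chain only proves that the log has not been altered since the last hash you trusted; to make that trust anchor independent of the people who write the log, periodically export the latest `record_hash` to a system they cannot write to (a ticketing record, a WORM bucket, a signed email to compliance). Note also that `subject_ref` is a pseudonym on purpose: the evidence repository should answer "what was decided and under which policy" without becoming a second copy of the personal data the privacy questions above are trying to control.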
Final Takeaway
AI governance is no longer optional.
The companies with the greatest risk are not necessarily the ones building the most advanced AI. They are the ones using AI without a system of control.
A company can create AI risk through a chatbot, an HR platform, a lead-scoring tool, a recruiting plugin, a marketing automation system, an insurance workflow, a fraud model, a customer support assistant, a productivity tool, or an employee pasting sensitive information into an unapproved AI platform.
The compliance issue is not whether AI is useful.
The compliance issue is whether the company can govern it.
A defensible AI governance framework should identify AI systems, classify risk, map legal obligations, review vendors, control data, document human oversight, provide disclosures, monitor outputs, respond to incidents, and maintain evidence.
The EU AI Act, NIST AI RMF, and state AI laws are all pointing in the same direction: companies need operational AI governance, not AI theater.
A written policy is not enough.
A spreadsheet is not enough.
A vendor questionnaire is not enough.
A legal memo is not enough.
The companies that win with AI will be the ones that can adopt it quickly while proving they understand the risks, control the systems, respect user rights, monitor outcomes, and keep the records needed when someone asks the hard questions.
AI governance is the new compliance layer.
The only question is whether your company builds it before the problem surfaces — or after.