How enterprises should organise AI governance across the board, executive teams, risk, security, privacy, legal, audit, engineering, and business owners.
Executive summary
- AI governance cannot sit inside one team because AI risk cuts across technology, security, privacy, legal, compliance, operations, audit, and business ownership.
- The operating model should clarify who approves AI use, who owns risk, who accepts exceptions, who monitors controls, and who reports to the board.
- Committees are useful only when connected to decision rights, evidence, policy lifecycle management, and incident escalation.
- A good operating model lets innovation proceed while making accountability visible.
What an AI governance operating model is
An AI governance operating model is the practical arrangement of roles, committees, decision rights, policies, evidence flows, escalation paths, and assurance activities that make AI governance work across an enterprise. It converts high-level principles into repeatable decisions. Without an operating model, organisations often have good intent but weak execution: policies are published, committees are formed, and risk statements are approved, yet teams still cannot tell who may approve a use case, who accepts exceptions, or who can stop unsafe AI activity.
The operating model is different from the AI policy. The policy defines expectations. The operating model defines how those expectations are applied. It answers who receives an AI request, who classifies it, who must review it, who makes the decision, what evidence is created, how exceptions are handled, and how the use case is monitored after launch. It also defines how issues move upward when risk owners, business owners, and delivery teams disagree. Those mechanics are where governance succeeds or fails.
This is why ISO/IEC 42001, published in December 2023 as the first international management-system standard for artificial intelligence, is relevant to operating-model design. It treats AI governance as a management system that must be established, implemented, maintained, and improved. NIST’s Govern function, one of the four core functions of the NIST AI Risk Management Framework 1.0 released in January 2023 alongside Map, Measure, and Manage, similarly emphasises organisational policies, processes, roles, responsibilities, and accountability. For enterprise leaders, the implication is clear: AI governance is not a one-time review. It is an operating model that must function every week as teams adopt models, vendors, AI-enabled SaaS tools, and agents.
The AI governance operating cycle
An operating model is not a committee chart. It is the repeatable cycle that moves AI use from request to approval, control, monitoring, assurance, and improvement.
Why one-team ownership fails
AI governance cannot sit entirely inside one team because AI risk cuts across too many obligations. Engineering understands system design, but may not own privacy law, conduct risk, audit evidence, procurement obligations, or board reporting. Risk teams understand appetite and control design, but may not see how models, prompts, retrieval systems, and tool permissions work. Legal can interpret obligations, but may not know which workflows are technically enforceable. Security can protect systems, but may not own customer outcomes. Business teams understand purpose, but may underestimate operational and compliance exposure.
A common failure pattern is assigning AI governance to an innovation office because that group is closest to the new technology. Innovation teams can be excellent accelerators, but they rarely have authority to accept enterprise risk. Another failure pattern is assigning AI governance entirely to risk or compliance, creating a process that is careful but disconnected from implementation reality. The operating model must join these perspectives. It should let technical facts reach risk decision-makers and let risk decisions become implemented controls.
The useful mental model is shared accountability with explicit decision rights. Shared accountability does not mean everyone is vaguely responsible. It means each function owns a defined part of the control system. Business owns purpose and outcome. Technology owns implementation and lifecycle control. Security owns security requirements. Privacy owns data-use obligations. Legal and compliance own legal and regulatory interpretation. Risk owns appetite and residual-risk governance. Internal audit owns independent testing. The operating model makes these responsibilities visible.
Board and executive accountabilities
The board should not manage individual AI deployments, but it should set expectations for AI risk appetite, receive reporting on material AI exposure, and challenge management on control effectiveness. Board reporting should identify high-impact use cases, incidents, open exceptions, overdue reviews, unresolved remediation, third-party AI exposure, and maturity against target. If reporting focuses only on adoption, productivity, or innovation, the board is being asked to celebrate AI without governing the risk it creates.
Executive leadership turns board appetite into funded capability. The CEO, COO, CIO, CTO, CISO, CRO, general counsel, privacy leader, and business executives may all have roles depending on the enterprise. The operating model should make sponsorship explicit. Who funds the control environment? Who resolves conflicts between adoption and risk? Who decides when a business unit cannot proceed? Who owns cross-enterprise AI inventory? Who is accountable for board reporting? Those questions should not be answered for the first time during an incident.
Executives also need to protect the organisation from fragmented governance. Large enterprises often create separate AI review processes in security, legal, procurement, architecture, compliance, and data governance. Each may be reasonable alone, but together they can confuse delivery teams and slow down legitimate adoption. The executive sponsor should ensure the operating model creates one governed path with coordinated review. The goal is not fewer controls. The goal is fewer blind spots, fewer duplicate reviews, and clearer authority.
The AI governance council
Many enterprises need an AI governance council, but the council must have a charter. A council without decision rights becomes an update meeting. A useful council approves high-risk use cases, reviews material exceptions, owns policy lifecycle, prioritises remediation, escalates unresolved conflicts, and monitors evidence that controls are operating. It should have standing representation from business, technology, risk, security, privacy, legal, compliance, procurement, data governance, and internal audit or assurance observers where appropriate.
The council should not review every low-risk AI use case. That would make governance slow and encourage teams to bypass the process. Instead, the council should define risk tiers and delegate approval rights. Low-risk uses can be approved through standard guardrails. Medium-risk uses can route through functional review. High-risk uses should come to the council or a delegated high-risk committee. Prohibited uses should be clear enough that teams do not waste time trying to negotiate around them.
A strong council also owns the exception process. AI programs need exceptions because business realities are messy: a vendor cannot yet provide a control, a legacy workflow needs transition time, or a pilot needs temporary limits while evidence is gathered. Exceptions should be time-bounded, owned, justified, and linked to compensating controls. The council should see exceptions that are material, repeated, expired, or outside appetite. Otherwise temporary workarounds become permanent governance debt.
Decision rights by risk tier
Decision rights are the heart of the operating model. They define who can approve, reject, escalate, pause, or accept risk for each type of AI use. A risk-tiered structure is usually the clearest approach. Low-risk internal productivity use may be approved by a team owner if it uses approved tools and avoids restricted data. Medium-risk use may require review by security, privacy, and the relevant business owner. High-risk use may require formal approval by the governance council, executive sponsor, or risk committee. Prohibited use should require redesign, not negotiation.
Decision rights should cover the entire lifecycle. Who approves a pilot? Who approves production? Who approves a vendor? Who approves access to sensitive data? Who approves tool permissions for an agent? Who accepts residual risk after a control gap is identified? Who may suspend a system after an incident? Who can approve a material change? If the operating model answers only the launch decision, it leaves teams without guidance when the system evolves.
The decision record should explain the conditions of approval. Approved does not mean unrestricted. A use case may be approved only for certain users, data classes, models, geographies, customers, or workflow stages. It may require human review, monitoring, logging, or periodic reassessment. It may have an expiry date or pilot boundary. These conditions should be machine-readable or at least operationally trackable where possible. Otherwise approval becomes a static document disconnected from how the system is used.
Who decides what
The operating model should make authority explicit so teams know who approves, who implements, who accepts residual risk, and who independently tests the system.
Intake and classification
A usable operating model starts with intake. Teams need a clear way to register AI use and request review. The intake should collect enough context to classify risk without becoming an essay. Useful fields include business purpose, owner, users, data classes, model or vendor, connected systems, expected output, whether external parties are affected, degree of autonomy, tool permissions, and whether the use case is experimental or production. The intake should also capture whether the AI capability is custom-built, purchased, embedded in SaaS, or used through public tools.
Classification should be repeatable. If two similar use cases are classified differently because reviewers have different preferences, teams will lose trust in the process. The operating model should define objective classification factors: data sensitivity, customer or citizen impact, safety relevance, financial materiality, legal or regulatory exposure, operational criticality, autonomy, reversibility, and third-party dependency. Reviewers can still apply judgement, but the judgement should be anchored in documented criteria.
Intake should produce routing. A low-risk use case should move quickly to approved-tool guidance and baseline evidence. A high-risk use case should route to deeper review. A use case involving sensitive data should trigger privacy review. A vendor use case should trigger third-party risk. An autonomous agent should trigger tool-permission review. Routing is where the operating model becomes real for teams. The best operating models feel practical because the next step is obvious.
Policy lifecycle and standards
The operating model should define the lifecycle for AI policy and standards: draft, review, approval, publication, implementation, monitoring, exception, periodic review, and retirement. Policies should have owners and version history. Standards should be specific enough to test. A general statement that AI must be used responsibly is not enough. Teams need standards for acceptable use, restricted use, prohibited use, data handling, human oversight, third-party AI, agent permissions, evidence retention, incident reporting, and change management.
Policy ownership matters because AI policy touches many domains. Security may own requirements for identity, access, logging, and containment. Privacy may own personal information handling. Legal may own contractual and regulatory interpretation. Procurement may own vendor clauses. Risk may own classification and appetite. Business owners may own customer or operational impact. The AI governance council should coordinate these policies so they do not conflict or leave gaps. Without coordination, teams face a stack of partial rules that no one can interpret end to end.
Policies should be reviewed against actual usage. If teams repeatedly request exceptions for the same rule, the rule may be unclear, unrealistic, or pointing to a missing enterprise capability. If incidents reveal a control gap, the standard should change. If a vendor feature introduces new autonomy, the policy should address it. If a regulation changes, the operating model should route policy review to the right owner. Policy lifecycle is continuous improvement, not document hygiene.
Evidence flows and management reporting
An AI governance operating model should define evidence flows as carefully as decision flows. Every approval, exception, control requirement, incident, and review should produce evidence that can be retrieved later. Evidence is necessary for internal audit, regulatory response, board reporting, customer assurance, and incident investigation. The operating model should define where evidence is stored, who can access it, how long it is retained, what integrity requirements apply, and how it maps to policies and frameworks.
Management reporting should focus on exposure and control effectiveness. Useful measures include number of AI use cases by risk tier, high-risk use cases in production, unapproved AI discovered, open exceptions, expired exceptions, incidents, overdue reassessments, vendor AI exposure, evidence completeness, and remediation progress. Adoption metrics can be useful, but they should not crowd out risk metrics. A dashboard showing rapid AI adoption without control status is not governance reporting.
Board reporting should be shorter and sharper. Directors need to know whether AI use is inside appetite, where material exposure exists, whether controls are operating, and what management is doing about gaps. The operating model should define how management-level evidence rolls up into board-level insight. This prevents board reports from becoming anecdotal. It also lets executives defend investment in AI governance because the reporting shows what risk the capability is reducing.
Escalation and conflict resolution
AI governance creates real trade-offs. A business team may want to launch quickly. Security may require stronger logging. Privacy may object to a data flow. Legal may need vendor terms changed. Risk may believe the residual exposure is outside appetite. Engineering may say the requested control is not technically feasible in the current design. The operating model should expect these conflicts and define how they are resolved. Otherwise disagreements disappear into informal meetings and unresolved risk.
Escalation should be risk-based. Low-level conflicts can be resolved by functional owners. Material conflicts should go to the AI governance council or executive sponsor. Risks outside appetite should escalate to the enterprise risk committee or equivalent executive forum. The escalation record should include the issue, options considered, decision, conditions, owner, due date, and residual risk. Escalation is not a failure of governance. It is evidence that governance is working and that material trade-offs are visible.
The model should also define stop authority. Who can pause a use case after an incident? Who can disable an AI vendor feature? Who can revoke agent tool access? Who can require reassessment after a material change? Stop authority is especially important for autonomous or high-volume systems where a weak control can scale quickly. If no one has clear authority to stop AI activity, the organisation has not finished designing the operating model.
Third-party AI and procurement
Procurement is one of the strongest operating-model control points because many AI capabilities are purchased, embedded, or bundled into existing platforms. Vendor review should start before a contract is signed or a feature is enabled. The operating model should define when procurement must involve security, privacy, legal, risk, and the AI governance council. It should also define the minimum information required from vendors: AI functionality, model providers, data handling, training use, subcontractors, logging, incident notification, change management, and evidence export.
Contracts should reflect the governance model. If the enterprise needs audit evidence, incident notification, data-use restrictions, feature disablement rights, model-change notice, or subcontractor transparency, those rights should be in procurement requirements and contracts. A vendor promise in a sales deck is not a control. For high-risk use, the operating model should require evidence that the vendor can support the enterprise’s obligations over the life of the system.
Vendor AI should also be monitored after purchase. A SaaS feature can change from assistive to more autonomous. A vendor can add a new model provider. Data processing terms can change. A product can introduce summarisation, recommendation, or agent capabilities. The operating model should route material vendor changes back through review. This is how procurement becomes an ongoing governance function rather than a one-time gate.
Conclusion: Helixar perspective
Helixar’s view is that operating models should make decision rights and controls executable at the point of AI activity. An operating model can define who approves high-risk use, when human review is required, and what evidence must be retained, but teams still need infrastructure that can observe AI activity and apply those requirements consistently. This research frames a cross-provider control layer as one way to evaluate policy in the flow of work rather than only in governance forums.
This research also emphasizes the evidence flow that an operating model needs. Governance councils, risk teams, compliance teams, and internal audit need records of approvals, exceptions, policy decisions, escalations, and control outcomes. This research focuses on producing structured, reviewable evidence that can support management reporting and assurance. This matters because operating models fail when evidence is manually assembled after the fact. A governed operating model should produce evidence as a by-product of normal AI use.
Finally, Helixar supports reducing friction. A good operating model should not block every AI request by default. It should support proportionate governance responses: observe, alert, require approval, block, contain, or route for review depending on risk. That lets enterprises adopt AI while applying proportionate control. Business teams get a clearer path to approval, and governance teams get the visibility and evidence they need to govern responsibly.
The practical value is coordination. Legal, risk, security, privacy, procurement, and business owners can work from the same control record instead of reconciling separate spreadsheets and meeting notes. That does not replace professional judgement, but it gives each function a clearer factual basis for its decision.
This is especially useful when the operating model spans several jurisdictions or business units. Local teams can keep their own legal and regulatory interpretation, while the enterprise still maintains a common record of classification, approval, exception, policy decision, and review status. That common record makes executive reporting more consistent without flattening local obligations into a single generic rule, and it helps leaders see where local variation is intentional rather than accidental drift. It also gives new teams a clearer starting point.
This operating model turns on mechanics that are hard to enforce through committees alone: risk-tiered decision rights, approval conditions that bind a use case to specific users, data classes, models, and geographies, stop authority over autonomous agents, and evidence flows that survive audit. Helixar is the control plane that makes those mechanics executable, enforcing the operating model’s policy at the moment of every AI or agent action and across every model provider, verifying user and agent identity and context before it evaluates the action against policy. It maps each risk tier to a graduated response of observe, alert, require approval, block, or contain, so low-risk internal use proceeds under standard guardrails while a high-risk or out-of-appetite action is stopped, fail-closed by default, giving the operating model the stop authority it demands. Every approval, exception, and block lands in a tamper-evident, independently verifiable evidence trail that councils, risk teams, and internal audit can review without reconstructing it after the fact. Because ISO/IEC 42001 frames this operating model, Helixar’s SOC 2 and ISO 27001 evidence packs are available today, with ISO 42001 evidence packs mapped and delivered at implementation.
Assurance and internal audit
Internal audit should remain independent of the operating model while still being involved early enough to understand how controls will be tested. Audit does not own AI governance, but it can assess whether governance is designed appropriately and operating effectively. It can test whether use cases are inventoried, owners are assigned, risk tiers are applied consistently, approvals are documented, exceptions are managed, evidence is retained, and monitoring occurs. The operating model should make those tests possible.
Assurance should cover both design effectiveness and operating effectiveness. A policy may be well designed but poorly implemented. A control may exist but not apply to all relevant systems. A committee may approve decisions but fail to track remediation. A vendor review may occur at procurement but not after model changes. Internal audit can identify these gaps and help leadership understand whether the operating model is real or merely documented.
The operating model should also define management self-assurance. Teams should not wait for audit to discover basic gaps. Control owners should periodically attest to the status of controls, evidence completeness, exceptions, incidents, and remediation. Internal audit can then test the reliability of management’s assurance process. This creates a healthier governance system: management owns control operation, and audit tests it independently.
Resourcing and change management
An operating model that is not resourced will not operate. Enterprises often approve AI governance charters without funding the people, tooling, training, and evidence pipelines required to make them real. The governance council may be asked to review high-risk use cases while members still have full-time responsibilities elsewhere. Security and privacy teams may receive more reviews without additional capacity. Engineering teams may be asked to implement logging, approval, and monitoring without platform support. Under-resourcing turns governance into delay, and delay turns into avoidance.
Resourcing should follow risk exposure. If the enterprise has only low-risk internal productivity use, a lightweight governance team may be appropriate. If it is deploying AI into customer decisions, regulated workflows, autonomous operations, or sensitive-data processing, the operating model needs stronger program management, platform capability, assurance support, and executive attention. The operating model should include a funded backlog of controls and remediation, not merely a list of policy expectations. Otherwise every team is left to solve the same governance problem locally.
Change management is equally important. Staff need to know which AI tools are approved, what data may be used, how to request review, how to report an incident, and what happens when a use case is rejected or conditioned. Business owners need training on accountability and residual-risk acceptance. Technical teams need reference patterns for logging, access control, human approval, and evidence retention. Governance succeeds when the governed path is understandable, supported, and faster than improvisation.
Operating cadence turns resourcing into habit. The council may meet monthly, high-risk exception owners may review weekly, control owners may attest quarterly, and executives may review material exposure at every risk committee. The exact cadence depends on risk and scale, but it should be explicit. If governance activity happens only when someone remembers to call a meeting, the model will not keep up with AI adoption.
Implementation roadmap
The first implementation phase is clarity. Establish the charter, scope, risk tiers, roles, decision rights, and intake process. Identify the executive sponsor and governance council. Define what counts as AI, which uses are in scope, which uses are prohibited, and which approvals are required for each risk tier. At this stage, the goal is not perfection. The goal is to replace ambiguity with a usable path.
The second phase is integration. Connect the AI intake to security review, privacy review, procurement, architecture, legal, compliance, enterprise risk, incident response, and internal audit. Create evidence requirements and reporting. Define exception management. Train business and technical teams on how to use the process. Remove duplicate review paths where possible. The operating model should feel like one coordinated route rather than a maze of separate gates.
The third phase is operationalisation and improvement. Add tooling for inventory, policy enforcement, evidence capture, and reporting. Monitor approval cycle time, exception volume, incidents, overdue reviews, and evidence completeness. Test the model through audit and tabletop exercises. Update policies based on incidents and usage. The operating model should become easier to use and harder to bypass over time. That is the sign that governance is becoming part of normal enterprise operations.
Common failure patterns
The first failure pattern is unclear authority. A committee exists, but no one knows whether it approves, advises, escalates, or merely receives updates. The second is excessive centralisation. Every AI use case is routed to the same senior group, causing delays and workarounds. The third is excessive delegation. Business units approve AI use without enough security, privacy, legal, or risk review. The operating model should avoid both extremes by using risk-tiered decision rights.
The fourth failure pattern is evidence afterthought. Decisions are made in meetings, but records are incomplete. Approval conditions are not tracked. Exceptions do not expire. Monitoring is manual. Audit cannot test the record. The fifth is disconnected procurement. Vendors enable AI features without review or contract rights. The sixth is stale governance. The operating model is designed once, then fails to adapt as AI capabilities and regulations change.
These failures are not unusual, and they are fixable. The enterprise should treat the operating model as a product: observe how teams use it, identify friction, remove duplication, strengthen weak controls, and measure outcomes. A good operating model is not the most elaborate one. It is the one that teams actually use, that decision-makers trust, and that auditors can test.
Leadership questions
Executives should test the operating model with direct questions. Who approves high-risk AI use? Who can accept an exception? Who owns the AI inventory? Which teams must review vendor AI? Which use cases are outside appetite? Who can pause an AI system? What evidence shows approval conditions were met? How long do reviews take? Which teams are bypassing the process? What unresolved issues need executive decision?
Risk and compliance leaders should ask whether the operating model produces reliable evidence. Are classifications consistent? Are approvals tied to conditions? Are controls implemented? Are exceptions time-bounded? Are incidents linked to remediation? Are vendors monitored after contract signature? Are high-risk use cases reassessed after material change? Can internal audit test the process without reconstructing it manually?
Business leaders should ask whether the model enables responsible adoption. Do teams know how to request approval? Are low-risk uses moving quickly? Are high-risk uses receiving the right scrutiny? Are review comments specific and actionable? Are governance requirements clear before teams build? A mature operating model creates confidence because it shows teams how to proceed, not only what they are forbidden to do.
Enterprise checklist
- Create an AI governance charter with authority, scope, and escalation paths.
- Assign decision rights for low, medium, high, and prohibited AI use cases.
- Define policy owners and review cadence.
- Create a formal exception process with expiry dates and compensating controls.
- Connect AI governance reporting to risk, compliance, security, and audit reporting.
- Give internal audit enough evidence to test design and operating effectiveness.
Frequently asked questions
What is an AI governance operating model?
Who should sit on an AI governance council?
Should every AI use case go to the AI governance council?
What evidence should the operating model produce?
How does ISO/IEC 42001 relate to an AI operating model?
How does Helixar help operate AI governance?
References
- NIST AI Risk Management Framework
- NIST AI RMF Core
- ISO/IEC 42001:2023, Artificial intelligence management system
- Regulation (EU) 2024/1689, Artificial Intelligence Act
- OECD Recommendation of the Council on Artificial Intelligence
- Australia's AI Ethics Principles
- AICPA SOC Suite of Services
- Helixar research: Enterprise AI Governance Explained