Building an Enterprise AI Governance Model: Securing Data, Automation and Agentic AI
Introduction
Artificial intelligence adoption is no longer limited to isolated experiments, chatbots or data-science projects.
Employees are using generative AI to write documents, analyse information and generate code. Business applications are embedding AI into everyday processes. Development teams are connecting large language models to organisational data, while agentic AI systems are beginning to search records, call APIs, operate software and execute multistep workflows.
These technologies can improve productivity, customer service, software delivery and decision-making. They can also expose confidential information, make incorrect decisions at scale, bypass established controls and give autonomous systems more authority than the organisation intended.
The challenge is not simply whether an organisation should permit AI.
The challenge is:
How can an organisation adopt AI at scale while retaining control over its data, decisions, systems and accountability?
An effective AI governance model must operate across the entire technology and business stack:
- Organisational strategy and policy.
- Data collection, classification and retention.
- AI models and external providers.
- Applications, prompts and retrieval systems.
- Process automation and business controls.
- User identity and access management.
- Agent identities, tools and permissions.
- Infrastructure and software supply chains.
- Monitoring, incident response and continual improvement.
AI governance should not be created as a separate bureaucracy disconnected from existing technology management. It should extend enterprise architecture, data governance, cybersecurity, privacy, risk management, procurement and internal assurance into the AI lifecycle.
ISO/IEC 42001 defines an AI management system covering leadership, AI policy, risk management, data governance, lifecycle controls, transparency, monitoring and continual improvement. NIST’s AI Risk Management Framework organises AI risk management around four functions: Govern, Map, Measure and Manage. Together, these provide a useful foundation for an enterprise AI governance model.
What Is AI Governance?
AI governance is the system through which an organisation directs, controls and remains accountable for the development, procurement and use of artificial intelligence.
It includes the policies, roles, decision rights, technical controls, assurance activities and evidence needed to answer questions such as:
- Which AI systems are being used?
- What business purpose does each system serve?
- What data can it access?
- What decisions can it influence?
- What actions can it perform?
- Who owns the outcome?
- How was the system evaluated?
- What happens when it produces an incorrect or harmful result?
- How can its access be suspended?
- How can the organisation prove that appropriate controls were applied?
Governance is therefore not the same as compliance.
Compliance asks whether minimum legal or regulatory requirements have been met. Governance determines whether the organisation is making informed, accountable and risk-appropriate decisions throughout the AI system’s lifecycle.
A mature governance model supports innovation by creating a clear path from an AI idea to an approved production service. Without that path, employees and project teams tend to either avoid AI completely or adopt it outside approved channels. Neither outcome is especially sophisticated.
The Three Components of an Enterprise AI Governance Model
A practical AI governance model consists of three connected systems.
1. Organisational governance
This establishes accountability, policy, risk appetite, investment priorities and decision rights.
It answers:
- Who can approve AI use?
- Which uses are prohibited?
- Which risks require executive acceptance?
- Who owns AI-related incidents?
- How does AI support the organisation’s strategy?
- How are legal, ethical and stakeholder impacts considered?
2. AI lifecycle assurance
This governs how AI systems are proposed, assessed, designed, tested, deployed, changed and retired.
It provides repeatable assurance gates rather than relying on informal conversations between a project manager and whichever security architect had the misfortune to be available that afternoon.
3. Runtime control
This governs what an AI system can access and do while it is operating.
Runtime controls include:
- Identity and authorisation.
- Tool restrictions.
- Data-loss prevention.
- Transaction limits.
- Human approval requirements.
- Logging and monitoring.
- Emergency suspension.
- Rollback and recovery.
This third component becomes especially important for agentic AI. An AI assistant that produces a poor paragraph creates limited harm. An AI agent that can modify customer records, execute code or approve a payment creates an entirely different risk profile.
Core Principles for Responsible Enterprise AI
Every organisation should define its own AI principles, but an effective set usually includes the following.
Accountability
Every AI system must have a named business owner who remains accountable for its purpose, operation and outcomes.
The model provider, development team or software vendor may be responsible for part of the system, but the organisation deploying the AI cannot outsource accountability for how it is used.
The OECD AI Principles similarly emphasise accountability throughout the AI lifecycle, alongside transparency, fairness, privacy, robustness, security and safety.
Risk proportionality
Controls should be based on the potential impact of the AI system.
A writing assistant that helps employees improve grammar should not require the same assurance as an AI system that recommends whether a customer receives credit, employment, healthcare or access to a public service.
Purpose limitation
AI systems should use data only for clearly defined, approved purposes.
Access to information does not automatically imply permission to use that information for model training, prompt processing, evaluation, profiling or an unrelated business process.
Privacy and security by design
Privacy, security and data protection requirements should be incorporated before development begins, rather than attached after deployment as decorative compliance.
The NIST Privacy Framework is intended to help organisations identify and manage privacy risks while developing innovative products and services.
Least privilege
Users, applications and agents should receive only the minimum data and system access required to perform an approved task.
Human authority
Humans should retain meaningful control over high-impact, irreversible or legally significant actions.
Human oversight must be more than showing someone a result after the decision has already been executed.
Transparency and traceability
The organisation should be able to identify when AI is being used, what information influenced an outcome and what actions the system performed.
Safety and reversibility
AI systems should fail safely. Actions should be limited, reviewable and reversible wherever practical.
Continuous assurance
Approval should not be treated as permanent. Models, data, prompts, tools, vendors and business conditions change. AI systems require ongoing monitoring and periodic reassessment.
Establishing the AI Governance Operating Model
AI governance should combine executive authority with distributed delivery responsibility.
Board and executive leadership
The board or relevant governing body should oversee material AI risks in the same way it oversees cybersecurity, privacy, financial and operational risk.
Executive leadership should:
- Approve the organisation’s AI strategy and risk appetite.
- Assign an accountable executive sponsor.
- Review material AI risks and incidents.
- Ensure adequate investment in controls and capability.
- Decide whether particularly high-risk uses align with organisational values and obligations.
AI Governance Council
An AI Governance Council should coordinate policy and make cross-functional decisions.
Membership will normally include representatives from:
- Business leadership.
- Technology and enterprise architecture.
- Data governance.
- Cybersecurity.
- Privacy.
- Legal and compliance.
- Risk management.
- Human resources.
- Procurement.
- Internal audit or assurance.
- Relevant Māori data, cultural or community governance functions where applicable.
The council should not review every minor use case. Its purpose is to establish policy, resolve high-risk decisions, approve exceptions and oversee the organisation’s AI portfolio.
Responsible AI Office or AI Centre of Enablement
A central AI governance or enablement function should translate policy into practical standards, templates and reusable controls.
Its responsibilities may include:
- Maintaining the AI system inventory.
- Operating the AI risk-assessment process.
- Publishing approved architecture patterns.
- Coordinating model and vendor evaluations.
- Supporting project teams.
- Maintaining evaluation and testing requirements.
- Monitoring changes in regulation and standards.
- Providing training.
- Reporting AI risk and performance metrics.
This function should enable delivery rather than become an approval queue from which useful projects never return.
Business owner
Every AI use case requires a business owner who is accountable for:
- The intended outcome.
- The quality of business rules and source data.
- Operational processes.
- Human oversight.
- Customer or employee impacts.
- Continued business value.
- Accepting residual business risk within delegated authority.
Technical owner
The technical owner is responsible for:
- Architecture.
- Integration.
- Security controls.
- Model configuration.
- Evaluation.
- Monitoring.
- Resilience.
- Change management.
- Technical documentation.
Data owner
The data owner approves how organisational data is accessed and used.
This includes decisions about:
- Data classification.
- Permitted purposes.
- Retention.
- Cross-border processing.
- Model training.
- Retrieval access.
- Derived data.
- Logging.
- Deletion.
Security, privacy, legal and risk functions
These functions should provide specialist review and control requirements based on risk.
They should not inherit ownership of the AI system merely because it contains risk. Business owners remain accountable for the system and its outcomes.
Independent assurance
Internal audit or another independent assurance function should assess whether governance processes and controls are operating effectively.
ISO/IEC 42006:2025 establishes requirements for bodies auditing and certifying AI management systems against ISO/IEC 42001, supporting more consistent and credible assurance.
Create a Complete AI System Inventory
An organisation cannot govern AI systems it does not know exist.
The AI inventory should include internally developed models, external APIs, software-as-a-service features, embedded copilots, machine-learning systems, generative AI applications and autonomous agents.
Each inventory record should identify:
- System name and description.
- Business owner and technical owner.
- Intended purpose.
- Users and affected people.
- Models and model versions.
- Provider and hosting location.
- Data sources.
- Data classifications.
- External integrations.
- Decisions influenced.
- Actions permitted.
- Level of autonomy.
- Human approval points.
- Applicable laws and policies.
- Risk classification.
- Evaluation results.
- Current approval status.
- Review and retirement dates.
The inventory should cover AI embedded in purchased applications, not merely AI developed by the organisation. A vendor adding an AI feature to an existing platform does not make the resulting risk fictional.
Classify AI Systems by Risk
A risk-tier model allows organisations to apply stronger controls where potential harm is greater.
Risk dimensions
An AI assessment should consider:
Data sensitivity
Does the system process public, internal, confidential, commercially sensitive, personal, health, financial or legally privileged information?
Impact on people
Could the system affect employment, access to services, financial outcomes, legal rights, health, safety or reputation?
Decision authority
Does the system provide information, recommend a decision or make the decision itself?
Action authority
Can it send communications, modify records, execute code, move money, change access or control physical equipment?
Autonomy
Does the system act only when directly instructed, or can it plan and continue working without frequent human interaction?
Scale
How many people, transactions, systems or records could be affected?
Reversibility
Can an incorrect action be easily identified and reversed?
Exposure
Is the system used internally, externally or by the public?
Model and provider risk
Is the model managed, self-hosted, open weight or supplied through a third party? What visibility does the organisation have into its lifecycle and security?
Example risk tiers
| Tier | Description | Example | Governance requirement |
|---|---|---|---|
| Tier 1 | Low-risk assistive AI | Grammar correction or meeting summaries using non-sensitive information | Approved service, acceptable-use controls and basic monitoring |
| Tier 2 | Controlled business AI | Internal knowledge assistant or document classification | Risk assessment, data controls, evaluation and named owner |
| Tier 3 | High-impact AI | Customer eligibility recommendation, employee screening or regulated advice | Formal impact assessment, independent validation, human oversight and executive risk acceptance |
| Tier 4 | Agentic or operationally critical AI | Agent modifying production systems, approving transactions or communicating externally | Strong identity controls, constrained tools, runtime supervision, approval gates, transaction limits and emergency suspension |
| Prohibited | Unacceptable organisational use | Covert manipulation, unlawful discrimination or uncontrolled use of highly sensitive information | Use must not proceed |
The organisation should define prohibited uses explicitly. Staff should not be expected to derive the organisation’s ethical and legal boundaries through a series of increasingly nervous experiments.
Apply Governance Across the AI Lifecycle
A controlled AI lifecycle can be organised into eight stages.
1. Discover
Document the problem, intended benefit, stakeholders and alternatives.
The first question should be whether AI is required. A deterministic rule, search engine or conventional workflow may be more reliable and less expensive.
2. Assess
Complete:
- AI risk assessment.
- Privacy impact assessment.
- Security threat assessment.
- Data assessment.
- Legal and regulatory assessment.
- Human and societal impact assessment.
- Vendor due diligence.
ISO/IEC 42005:2025 provides an international standard specifically for AI system impact assessment.
3. Approve
Determine whether the use case can proceed, what conditions apply and who accepts any remaining risk.
Approval should specify:
- Approved purpose.
- Approved data.
- Approved users.
- Approved models.
- Permitted actions.
- Human-control requirements.
- Monitoring requirements.
- Review date.
4. Design and build
Use approved architecture patterns, platforms and controls.
Security and privacy requirements should become testable design requirements rather than paragraphs quietly abandoned inside a project document.
5. Evaluate
Test functionality, accuracy, security, privacy, fairness, resilience and tool use.
Evaluation should use representative business scenarios, including:
- Normal cases.
- Ambiguous cases.
- Adversarial inputs.
- Missing data.
- Conflicting information.
- Tool failures.
- Unauthorised requests.
- Prompt-injection attempts.
- High-impact edge cases.
6. Deploy
Production deployment should require documented evidence that controls have been implemented and required approvals obtained.
7. Operate and monitor
Monitor technical performance, business outcomes, user behaviour, security events, data use, model changes and incidents.
8. Retire
Remove access, revoke credentials, delete data where required, archive evidence and update dependent processes.
A model endpoint that nobody remembers but that still has production credentials is not an AI strategy. It is an archaeological site with network access.
A Layered AI Control Model
Effective AI governance must be applied at every architectural layer.
Layer 1: Data governance and protection
Data is usually the organisation’s most valuable AI input and its most obvious route to harm.
Maintain data classification
Every AI use case should identify the classification of:
- User prompts.
- Uploaded documents.
- Retrieved content.
- Training and fine-tuning data.
- Model outputs.
- Conversation history.
- Agent memory.
- Application and audit logs.
Minimise data
Only provide the model with the information required for the current task.
Avoid copying entire customer records, mailboxes, document libraries or databases into model context merely because the context window is impressively large.
Apply purpose limitation
Document why each data source is required and whether its use is consistent with the purpose for which it was collected.
Protect sensitive information
Controls should include:
- Encryption in transit and at rest.
- Tokenisation or pseudonymisation.
- Data-loss prevention.
- Secret and credential detection.
- Input and output filtering.
- Restricted network paths.
- Approved geographic processing locations.
- Retention and deletion policies.
Preserve source permissions
Retrieval-augmented generation systems must enforce the source system’s permissions.
A user should not gain access to a confidential document simply because an embedding of that document was placed in a vector database. Search indexes and vector stores must support document-level, row-level or attribute-based access controls.
Govern logs and memory
Prompt logs, traces and agent memories can contain the same sensitive information as the source systems.
Logging everything forever may help one audit objective while enthusiastically violating several privacy and security objectives.
Protect data integrity
AI systems must be able to distinguish authoritative records from untrusted or user-supplied content.
Training data, retrieval sources and agent memory should be protected against poisoning, tampering and unauthorised modification.
New Zealand’s NCSC emphasises that data security is essential throughout the training, testing and operation of AI systems.
Layer 2: Model and provider governance
Organisations should maintain an approved model and provider catalogue.
Vendor due diligence should assess:
- Whether customer data is used for provider model training.
- Data retention periods.
- Data residency and cross-border transfers.
- Subprocessors.
- Encryption and access controls.
- Security certifications.
- Incident-notification commitments.
- Model update and retirement practices.
- Service availability.
- Intellectual-property terms.
- Regulatory support.
- Audit rights.
- Data deletion.
- Exit and portability arrangements.
Open-weight and self-hosted models require different controls, including:
- Model provenance.
- Licence review.
- Integrity verification.
- Vulnerability management.
- Dependency scanning.
- Model-file protection.
- Infrastructure capacity.
- Patching and upgrade ownership.
The organisation should approve model families for defined workload classes rather than letting every project team negotiate its own legal, privacy and security position.
Layer 3: AI application, prompt and retrieval controls
An AI application should not trust model output simply because it is formatted confidently.
Separate trusted instructions from untrusted content
System instructions, organisational policies and tool definitions should be isolated from user input and retrieved content.
Emails, webpages, documents and external tool outputs must be treated as untrusted data. They may contain instructions designed to manipulate the model.
OWASP identifies prompt injection and sensitive-information disclosure among the major security risks affecting LLM applications.
Validate outputs
Model output should be checked before it is:
- Displayed to a customer.
- Used in a calculation.
- Passed to another system.
- Interpreted as code.
- Used to select a tool.
- Executed as an action.
Use schemas, business rules, allowlists and deterministic validation wherever possible.
Require evidence
For knowledge and decision-support systems, require citations or references to authoritative sources.
The application should clearly distinguish between:
- Retrieved facts.
- Model-generated interpretations.
- Recommendations.
- Assumptions.
- Missing information.
Keep secrets outside prompts
API keys, passwords and privileged credentials should never be placed in system prompts, source code, conversation memory or retrievable documents.
Applications should access secrets through a managed secrets service only when required.
Test continuously
Prompts, models, retrieval systems and tools should be versioned and regression-tested.
Changing a model version can alter behaviour even when application code remains unchanged.
Layer 4: Process automation and business controls
AI should not replace deterministic business controls.
A safe pattern is:
AI interprets or recommends. The controlled workflow validates and authorises.
For example, an AI model may extract invoice details and identify a likely match. A deterministic workflow should still verify supplier identity, purchase-order values, tax rules, approval limits and segregation of duties.
Use explicit workflow states
The process should identify whether an item is:
- Drafted.
- Validated.
- Pending approval.
- Approved.
- Executed.
- Rejected.
- Escalated.
- Reconciled.
Separate duties
High-impact workflows should use maker-checker or dual-control patterns.
The same agent should not be permitted to create a supplier, change the supplier’s bank account and approve the first payment. Human organisations already learned why this is unwise. There is no need to make software rediscover fraud controls through personal experience.
Establish control limits
Define limits for:
- Transaction value.
- Number of records.
- Communication volume.
- Execution time.
- Tool calls.
- Retry attempts.
- Data volume.
- External recipients.
Make actions idempotent and reversible
Repeated agent requests should not create duplicate payments, orders, tickets or user accounts.
Where possible, processes should support rollback or compensating actions.
Layer 5: User identity and access control
AI must operate within the organisation’s identity architecture.
Use enterprise authentication
AI services should integrate with:
- Single sign-on.
- Multifactor authentication.
- Conditional access.
- Device compliance.
- Session controls.
- Identity lifecycle management.
Apply role- and attribute-based access
Access should consider:
- User role.
- Department.
- location.
- Data classification.
- Customer relationship.
- Business purpose.
- Device and network status.
- Time and risk conditions.
Prevent permission expansion
An AI application must not return information beyond the requesting user’s existing authority.
The AI system should not use a highly privileged service account to retrieve information and then rely on the model to decide which parts a user is allowed to see.
Protect privileged access
Administrative functions should use privileged-access management, just-in-time elevation and additional approval.
Control user-generated agents
Where platforms permit employees to build copilots or agents, the organisation should govern:
- Who can create them.
- Which connectors they can use.
- Who can publish them.
- Which audiences can access them.
- How they are reviewed.
- How unused agents are removed.
Layer 6: Agentic AI identity, tools and authority
Agentic AI requires additional governance because agents can act, not merely generate content.
The New Zealand NCSC published dedicated guidance in May 2026 on the careful adoption of agentic AI, addressing risks introduced by agent behaviour, components, integrations and downstream use. OWASP has likewise published a security framework focused specifically on autonomous and agentic applications.
Give every agent a distinct identity
Agents should not use shared accounts or inherit unrestricted user sessions.
A distinct identity allows the organisation to:
- Assign permissions.
- Trace actions.
- Revoke access.
- Apply conditional policies.
- Separate agent activity from human activity.
Scope tools narrowly
An agent should receive only approved tools.
Each tool should define:
- Permitted operations.
- Permitted data.
- Parameter constraints.
- Rate limits.
- Transaction limits.
- Required approvals.
- Error behaviour.
A generic “execute database query” or “run shell command” tool creates far more risk than a constrained “retrieve approved customer summary” or “restart this approved service” tool.
Use short-lived credentials
Agents should use temporary, just-in-time credentials rather than permanent secrets.
Separate planning from execution
A strong pattern is:
- The model creates a proposed plan.
- A policy engine validates the plan.
- A human or deterministic control approves high-risk steps.
- A constrained execution service performs the action.
- The result is independently verified.
Establish autonomy levels
Organisations can define progressive autonomy levels:
- Level 0: AI generates information only.
- Level 1: AI recommends actions.
- Level 2: AI prepares actions for human approval.
- Level 3: AI executes low-risk, reversible actions within limits.
- Level 4: AI executes higher-impact actions under active supervision.
- Level 5: AI operates independently within a formally approved and continuously monitored domain.
Most organisations should proceed cautiously beyond Level 3.
Apply action budgets
Limit how much an agent can do during a single session or time period.
Budgets can cover:
- Money.
- Records changed.
- Emails sent.
- Systems accessed.
- Compute consumed.
- Tool calls.
- Elapsed time.
Sandbox dangerous operations
Code execution, browser automation, file processing and testing of untrusted content should occur in isolated environments with restricted network access.
Control agent memory
Memory should have:
- Defined content.
- Classification.
- Retention.
- Access controls.
- Integrity checks.
- User visibility where appropriate.
- Deletion processes.
Agents should not silently build permanent profiles of employees or customers from every interaction.
Provide an emergency stop
Operators must be able to suspend:
- The agent.
- A specific tool.
- A model.
- A connector.
- An identity.
- A workflow.
- External network access.
The shutdown mechanism should not depend on asking the agent politely to stop.
Layer 7: Infrastructure and supply-chain security
AI platforms should follow established secure architecture practices.
Controls should include:
- Separation of development, test and production.
- Private network connectivity where appropriate.
- Egress filtering.
- Web application and API protection.
- Encryption.
- Secrets management.
- Endpoint protection.
- Vulnerability management.
- Container and dependency scanning.
- Infrastructure-as-code review.
- Backup and recovery.
- Availability and capacity planning.
- Denial-of-service protection.
- Supplier and software-component assurance.
AI introduces additional supply-chain elements such as:
- Model providers.
- Model files.
- Fine-tuning datasets.
- Embedding models.
- Vector databases.
- Agent frameworks.
- Plugins and connectors.
- Model Context Protocol servers.
- Evaluation datasets.
- Prompt libraries.
Each component must be inventoried, approved and maintained.
Layer 8: Monitoring, assurance and incident response
AI systems require observability at both technical and business levels.
Record traceable events
Logs should capture, subject to privacy and minimisation requirements:
- User and agent identity.
- Model and version.
- Prompt or request reference.
- Retrieved sources.
- Tools selected.
- Parameters supplied.
- Approvals.
- Actions executed.
- Results and errors.
- Policy decisions.
- Safety or DLP events.
- Cost and duration.
Monitor behaviour
Useful indicators include:
- Accuracy and groundedness.
- Unsupported-answer rates.
- Human override rates.
- Tool failures.
- Unauthorised tool attempts.
- Sensitive-data detections.
- Prompt-injection detections.
- Unexpected data access.
- Abnormal transaction volume.
- User complaints.
- Process exceptions.
- Business-value measures.
Red-team high-risk systems
Testing should include attempts to:
- Extract confidential information.
- Override policies.
- Manipulate tool selection.
- Poison retrieved content.
- Escalate permissions.
- Cause unintended transactions.
- Generate unsafe code.
- Exploit agent-to-agent trust.
- Exhaust cost or execution budgets.
Extend incident response
AI incident procedures should cover:
- Data leakage.
- Privacy breach.
- Incorrect high-impact decisions.
- Unauthorised actions.
- Compromised model or connector.
- Prompt injection.
- Model or data poisoning.
- Vendor incident.
- Harmful content.
- Material model-behaviour change.
The response plan should define containment, evidence preservation, stakeholder notification, rollback and regulatory reporting.
For New Zealand organisations, Privacy Principle 5 requires safeguards reasonable in the circumstances to protect personal information against loss, unauthorised access, disclosure and misuse. Serious privacy breaches must be notified to the Office of the Privacy Commissioner as soon as possible, with the Commissioner describing this as within 72 hours. New Zealand organisations are also required to appoint a privacy officer.
Mitigating the Main Enterprise AI Risks
Data leakage
Data leakage can occur through prompts, uploaded documents, model training, logs, retrieval results, outputs, connectors or agent actions.
Key controls include:
- Approved enterprise AI services.
- Data classification.
- DLP inspection of prompts and outputs.
- Provider contractual controls.
- Restricted model training.
- Encryption.
- Access-aware retrieval.
- Redaction and tokenisation.
- Controlled logging.
- Employee training.
- Blocking or limiting unapproved consumer AI services.
Data loss and corruption
AI systems may overwrite, delete or incorrectly transform organisational records.
Controls include:
- Read-only access by default.
- Draft-before-execute patterns.
- Human approval.
- Transaction limits.
- Versioning.
- Backups.
- Reconciliation.
- Idempotent APIs.
- Rollback.
- Separation between AI working memory and systems of record.
Security compromise
Attackers may manipulate AI systems through prompt injection, malicious documents, poisoned tools, compromised plugins or stolen agent credentials.
Controls include:
- Treating external content as untrusted.
- Strong identity controls.
- Tool allowlists.
- Sandboxing.
- Network egress restrictions.
- Input and output validation.
- Software supply-chain security.
- Secrets management.
- Runtime anomaly detection.
- Adversarial testing.
Privacy harm
AI may reveal, infer or reuse personal information in ways individuals do not expect.
Controls include:
- Privacy impact assessments.
- Purpose limitation.
- Data minimisation.
- Transparency notices.
- Consent or another appropriate legal basis.
- De-identification.
- Retention limits.
- Rights-management processes.
- Restrictions on profiling and automated decisions.
- Human review of consequential outcomes.
NIST notes that AI systems can introduce privacy risks through activities such as data reconstruction, prompt injection and inference of personal attributes.
Incorrect or fabricated outputs
Controls include:
- Retrieval from authoritative sources.
- Citation requirements.
- Confidence thresholds.
- Deterministic validation.
- Human review.
- Independent calculation.
- Fallback procedures.
- Clear user warnings.
- Monitoring of production errors.
Excessive agent authority
Controls include:
- Separate agent identities.
- Least privilege.
- Tool-specific permissions.
- Approval gates.
- Action budgets.
- Transaction limits.
- Supervised autonomy.
- Reversible actions.
- Kill switches.
- Complete audit trails.
Shadow AI
Shadow AI emerges when staff use unapproved tools because approved alternatives are absent, inconvenient or poorly communicated.
Controls should combine:
- A clear acceptable-use policy.
- Approved enterprise tools.
- Fast onboarding for low-risk use cases.
- Training.
- Browser and network controls.
- SaaS discovery.
- DLP monitoring.
- Proportionate enforcement.
Simply banning AI while employees remain expected to produce more work with fewer resources tends to create exceptionally predictable non-compliance.
The Minimum AI Governance Policy Set
An organisation should maintain at least the following documents:
-
Enterprise AI policy Defines principles, scope, prohibited uses, accountability and acceptable use.
-
AI risk-classification standard Defines risk dimensions, tiers and required controls.
-
AI development and lifecycle standard Defines architecture, testing, documentation, release and retirement requirements.
-
AI data and privacy standard Defines permitted data use, training restrictions, retention and privacy controls.
-
AI provider and procurement standard Defines due diligence and contractual requirements.
-
Generative AI acceptable-use standard Defines what employees may enter into approved and unapproved tools.
-
Agentic AI security standard Defines agent identities, autonomy levels, tools, approval gates and monitoring.
-
AI evaluation standard Defines functional, security, privacy, fairness and operational testing.
-
AI incident-response procedure Defines containment, investigation, notification and recovery.
-
AI change and model-management procedure Defines how model, prompt, data and tool changes are evaluated and approved.
Measuring Whether AI Governance Is Working
Governance should be measured through outcomes, not the number of policies published.
Useful metrics include:
Portfolio metrics
- Percentage of AI systems recorded in the inventory.
- Percentage with named business and technical owners.
- Percentage with current risk assessments.
- Number of unapproved AI services discovered.
- Number of high-risk systems awaiting review.
Data and privacy metrics
- Sensitive-data prompts blocked.
- Data-access violations.
- Privacy-impact assessments completed.
- Retention-policy exceptions.
- Unauthorised cross-border processing events.
Security metrics
- Prompt-injection detections.
- Unauthorised tool attempts.
- Agent permission violations.
- AI-related vulnerabilities.
- Time to contain AI incidents.
- Percentage of high-risk systems red-teamed.
Quality metrics
- Grounded-answer rates.
- Incorrect-action rates.
- Human override rates.
- Escalation rates.
- Evaluation regression failures.
- Customer or employee complaints.
Business metrics
- Successful task-completion rate.
- Time saved.
- Cost per completed outcome.
- Process-quality improvement.
- Reduction in manual rework.
- User adoption.
- Realised business value.
The organisation should avoid measuring success through token consumption or number of chatbot conversations. Spending more money while generating more text is not, by itself, a transformation.
A Practical 12-Month Implementation Roadmap
First 30 days: Establish control
- Appoint an executive sponsor.
- Establish an interim AI policy.
- Identify approved and unapproved AI tools.
- Begin the AI inventory.
- Define prohibited data and use cases.
- Provide basic employee guidance.
- Establish an AI incident-reporting route.
Days 31–90: Build the governance foundation
- Form the AI Governance Council.
- Define AI risk tiers.
- Create assessment templates.
- Establish model and vendor requirements.
- Approve initial architecture patterns.
- Select sanctioned AI platforms.
- Integrate privacy, security and legal review.
- Launch mandatory role-based training.
Months 3–6: Operationalise controls
- Implement model gateways and central logging.
- Integrate DLP and identity controls.
- Establish evaluation pipelines.
- Define agent identities and autonomy levels.
- Introduce lifecycle approval gates.
- Complete assessments of existing high-risk systems.
- Establish monitoring dashboards.
- Conduct initial adversarial testing.
Months 6–12: Scale and assure
- Align the programme with ISO/IEC 42001.
- Introduce independent assurance.
- Expand reusable agent and retrieval patterns.
- Establish production AI red-teaming.
- Automate inventory and control evidence.
- Test incident-response procedures.
- Measure business outcomes and residual risk.
- Review governance based on actual incidents and delivery experience.
Aligning with International Standards and Regulation
A governance model should be designed to satisfy multiple frameworks rather than creating a separate process for every jurisdiction.
A practical foundation can combine:
- ISO/IEC 42001 for the organisational AI management system.
- NIST AI RMF for risk management through Govern, Map, Measure and Manage.
- NIST Privacy Framework for privacy risk.
- ISO/IEC 27001 and established cybersecurity frameworks for information security.
- ISO/IEC 42005 for AI impact assessment.
- OWASP guidance for generative and agentic AI security.
- Applicable privacy, employment, consumer, intellectual-property and sector-specific laws.
The European Union’s Artificial Intelligence Act establishes harmonised, risk-based rules for AI systems and is being applied through a phased schedule. Organisations offering or using relevant AI systems in the European market should map provider, deployer, transparency, risk-management and oversight obligations to their AI inventory.
For New Zealand organisations, AI governance should integrate the Privacy Act 2020, contractual duties, sector requirements, employment obligations, information-management responsibilities and guidance from the Office of the Privacy Commissioner and NCSC.
Regulatory compliance should be treated as the minimum boundary, not the complete definition of trustworthy AI.
Conclusion
Safe AI adoption does not require an organisation to eliminate all risk.
It requires the organisation to understand which AI systems it uses, what those systems can access, what decisions they influence and what actions they are permitted to perform.
An effective AI governance model establishes:
- Clear executive and business accountability.
- A complete inventory of AI systems.
- Risk-based assessment and approval.
- Strong data and privacy governance.
- Approved models and providers.
- Secure application and retrieval patterns.
- Deterministic process controls.
- Identity-based user and agent access.
- Constrained agent tools and autonomy.
- Continuous monitoring and independent assurance.
- Incident response, rollback and recovery.
The most important architectural principle is simple:
AI should never receive more data, authority or autonomy than the organisation can observe, control and safely recover from.
Generative AI changed how organisations create and analyse information.
Agentic AI is changing who, or what, can initiate actions across enterprise systems.
That transition makes governance a runtime engineering capability, not merely a policy function.
Organisations that implement governance as part of their AI platform will be able to adopt new models and agents more quickly because approved controls, decision rights and architecture patterns are already available.
Organisations that delay governance will still adopt AI. They will simply discover it through data-loss alerts, unexplained transactions, privacy complaints and agents that nobody remembers authorising.
Technology has always found creative ways to expose weak organisational controls. AI merely does it faster and with better grammar.