Building an Enterprise AI Governance Model: Securing Data, Automation and Agentic AI

Created on 17 July 2026

Introduction

Artificial intelligence adoption is no longer limited to isolated experiments, chatbots or data-science projects.

Employees are using generative AI to write documents, analyse information and generate code. Business applications are embedding AI into everyday processes. Development teams are connecting large language models to organisational data, while agentic AI systems are beginning to search records, call APIs, operate software and execute multistep workflows.

These technologies can improve productivity, customer service, software delivery and decision-making. They can also expose confidential information, make incorrect decisions at scale, bypass established controls and give autonomous systems more authority than the organisation intended.

The challenge is not simply whether an organisation should permit AI.

The challenge is:

How can an organisation adopt AI at scale while retaining control over its data, decisions, systems and accountability?

An effective AI governance model must operate across the entire technology and business stack:

  • Organisational strategy and policy.
  • Data collection, classification and retention.
  • AI models and external providers.
  • Applications, prompts and retrieval systems.
  • Process automation and business controls.
  • User identity and access management.
  • Agent identities, tools and permissions.
  • Infrastructure and software supply chains.
  • Monitoring, incident response and continual improvement.

AI governance should not be created as a separate bureaucracy disconnected from existing technology management. It should extend enterprise architecture, data governance, cybersecurity, privacy, risk management, procurement and internal assurance into the AI lifecycle.

ISO/IEC 42001 defines an AI management system covering leadership, AI policy, risk management, data governance, lifecycle controls, transparency, monitoring and continual improvement. NIST’s AI Risk Management Framework organises AI risk management around four functions: Govern, Map, Measure and Manage. Together, these provide a useful foundation for an enterprise AI governance model.


What Is AI Governance?

AI governance is the system through which an organisation directs, controls and remains accountable for the development, procurement and use of artificial intelligence.

It includes the policies, roles, decision rights, technical controls, assurance activities and evidence needed to answer questions such as:

  • Which AI systems are being used?
  • What business purpose does each system serve?
  • What data can it access?
  • What decisions can it influence?
  • What actions can it perform?
  • Who owns the outcome?
  • How was the system evaluated?
  • What happens when it produces an incorrect or harmful result?
  • How can its access be suspended?
  • How can the organisation prove that appropriate controls were applied?

Governance is therefore not the same as compliance.

Compliance asks whether minimum legal or regulatory requirements have been met. Governance determines whether the organisation is making informed, accountable and risk-appropriate decisions throughout the AI system’s lifecycle.

A mature governance model supports innovation by creating a clear path from an AI idea to an approved production service. Without that path, employees and project teams tend to either avoid AI completely or adopt it outside approved channels. Neither outcome is especially sophisticated.


The Three Components of an Enterprise AI Governance Model

A practical AI governance model consists of three connected systems.

1. Organisational governance

This establishes accountability, policy, risk appetite, investment priorities and decision rights.

It answers:

  • Who can approve AI use?
  • Which uses are prohibited?
  • Which risks require executive acceptance?
  • Who owns AI-related incidents?
  • How does AI support the organisation’s strategy?
  • How are legal, ethical and stakeholder impacts considered?

2. AI lifecycle assurance

This governs how AI systems are proposed, assessed, designed, tested, deployed, changed and retired.

It provides repeatable assurance gates rather than relying on informal conversations between a project manager and whichever security architect had the misfortune to be available that afternoon.

3. Runtime control

This governs what an AI system can access and do while it is operating.

Runtime controls include:

  • Identity and authorisation.
  • Tool restrictions.
  • Data-loss prevention.
  • Transaction limits.
  • Human approval requirements.
  • Logging and monitoring.
  • Emergency suspension.
  • Rollback and recovery.

This third component becomes especially important for agentic AI. An AI assistant that produces a poor paragraph creates limited harm. An AI agent that can modify customer records, execute code or approve a payment creates an entirely different risk profile.


Core Principles for Responsible Enterprise AI

Every organisation should define its own AI principles, but an effective set usually includes the following.

Accountability

Every AI system must have a named business owner who remains accountable for its purpose, operation and outcomes.

The model provider, development team or software vendor may be responsible for part of the system, but the organisation deploying the AI cannot outsource accountability for how it is used.

The OECD AI Principles similarly emphasise accountability throughout the AI lifecycle, alongside transparency, fairness, privacy, robustness, security and safety.

Risk proportionality

Controls should be based on the potential impact of the AI system.

A writing assistant that helps employees improve grammar should not require the same assurance as an AI system that recommends whether a customer receives credit, employment, healthcare or access to a public service.

Purpose limitation

AI systems should use data only for clearly defined, approved purposes.

Access to information does not automatically imply permission to use that information for model training, prompt processing, evaluation, profiling or an unrelated business process.

Privacy and security by design

Privacy, security and data protection requirements should be incorporated before development begins, rather than attached after deployment as decorative compliance.

The NIST Privacy Framework is intended to help organisations identify and manage privacy risks while developing innovative products and services.

Least privilege

Users, applications and agents should receive only the minimum data and system access required to perform an approved task.

Human authority

Humans should retain meaningful control over high-impact, irreversible or legally significant actions.

Human oversight must be more than showing someone a result after the decision has already been executed.

Transparency and traceability

The organisation should be able to identify when AI is being used, what information influenced an outcome and what actions the system performed.

Safety and reversibility

AI systems should fail safely. Actions should be limited, reviewable and reversible wherever practical.

Continuous assurance

Approval should not be treated as permanent. Models, data, prompts, tools, vendors and business conditions change. AI systems require ongoing monitoring and periodic reassessment.


Establishing the AI Governance Operating Model

AI governance should combine executive authority with distributed delivery responsibility.

Board and executive leadership

The board or relevant governing body should oversee material AI risks in the same way it oversees cybersecurity, privacy, financial and operational risk.

Executive leadership should:

  • Approve the organisation’s AI strategy and risk appetite.
  • Assign an accountable executive sponsor.
  • Review material AI risks and incidents.
  • Ensure adequate investment in controls and capability.
  • Decide whether particularly high-risk uses align with organisational values and obligations.

AI Governance Council

An AI Governance Council should coordinate policy and make cross-functional decisions.

Membership will normally include representatives from:

  • Business leadership.
  • Technology and enterprise architecture.
  • Data governance.
  • Cybersecurity.
  • Privacy.
  • Legal and compliance.
  • Risk management.
  • Human resources.
  • Procurement.
  • Internal audit or assurance.
  • Relevant Māori data, cultural or community governance functions where applicable.

The council should not review every minor use case. Its purpose is to establish policy, resolve high-risk decisions, approve exceptions and oversee the organisation’s AI portfolio.

Responsible AI Office or AI Centre of Enablement

A central AI governance or enablement function should translate policy into practical standards, templates and reusable controls.

Its responsibilities may include:

  • Maintaining the AI system inventory.
  • Operating the AI risk-assessment process.
  • Publishing approved architecture patterns.
  • Coordinating model and vendor evaluations.
  • Supporting project teams.
  • Maintaining evaluation and testing requirements.
  • Monitoring changes in regulation and standards.
  • Providing training.
  • Reporting AI risk and performance metrics.

This function should enable delivery rather than become an approval queue from which useful projects never return.

Business owner

Every AI use case requires a business owner who is accountable for:

  • The intended outcome.
  • The quality of business rules and source data.
  • Operational processes.
  • Human oversight.
  • Customer or employee impacts.
  • Continued business value.
  • Accepting residual business risk within delegated authority.

Technical owner

The technical owner is responsible for:

  • Architecture.
  • Integration.
  • Security controls.
  • Model configuration.
  • Evaluation.
  • Monitoring.
  • Resilience.
  • Change management.
  • Technical documentation.

Data owner

The data owner approves how organisational data is accessed and used.

This includes decisions about:

  • Data classification.
  • Permitted purposes.
  • Retention.
  • Cross-border processing.
  • Model training.
  • Retrieval access.
  • Derived data.
  • Logging.
  • Deletion.

Security, privacy, legal and risk functions

These functions should provide specialist review and control requirements based on risk.

They should not inherit ownership of the AI system merely because it contains risk. Business owners remain accountable for the system and its outcomes.

Independent assurance

Internal audit or another independent assurance function should assess whether governance processes and controls are operating effectively.

ISO/IEC 42006:2025 establishes requirements for bodies auditing and certifying AI management systems against ISO/IEC 42001, supporting more consistent and credible assurance.


Create a Complete AI System Inventory

An organisation cannot govern AI systems it does not know exist.

The AI inventory should include internally developed models, external APIs, software-as-a-service features, embedded copilots, machine-learning systems, generative AI applications and autonomous agents.

Each inventory record should identify:

  • System name and description.
  • Business owner and technical owner.
  • Intended purpose.
  • Users and affected people.
  • Models and model versions.
  • Provider and hosting location.
  • Data sources.
  • Data classifications.
  • External integrations.
  • Decisions influenced.
  • Actions permitted.
  • Level of autonomy.
  • Human approval points.
  • Applicable laws and policies.
  • Risk classification.
  • Evaluation results.
  • Current approval status.
  • Review and retirement dates.

The inventory should cover AI embedded in purchased applications, not merely AI developed by the organisation. A vendor adding an AI feature to an existing platform does not make the resulting risk fictional.


Classify AI Systems by Risk

A risk-tier model allows organisations to apply stronger controls where potential harm is greater.

Risk dimensions

An AI assessment should consider:

Data sensitivity

Does the system process public, internal, confidential, commercially sensitive, personal, health, financial or legally privileged information?

Impact on people

Could the system affect employment, access to services, financial outcomes, legal rights, health, safety or reputation?

Decision authority

Does the system provide information, recommend a decision or make the decision itself?

Action authority

Can it send communications, modify records, execute code, move money, change access or control physical equipment?

Autonomy

Does the system act only when directly instructed, or can it plan and continue working without frequent human interaction?

Scale

How many people, transactions, systems or records could be affected?

Reversibility

Can an incorrect action be easily identified and reversed?

Exposure

Is the system used internally, externally or by the public?

Model and provider risk

Is the model managed, self-hosted, open weight or supplied through a third party? What visibility does the organisation have into its lifecycle and security?

Example risk tiers

Tier Description Example Governance requirement
Tier 1 Low-risk assistive AI Grammar correction or meeting summaries using non-sensitive information Approved service, acceptable-use controls and basic monitoring
Tier 2 Controlled business AI Internal knowledge assistant or document classification Risk assessment, data controls, evaluation and named owner
Tier 3 High-impact AI Customer eligibility recommendation, employee screening or regulated advice Formal impact assessment, independent validation, human oversight and executive risk acceptance
Tier 4 Agentic or operationally critical AI Agent modifying production systems, approving transactions or communicating externally Strong identity controls, constrained tools, runtime supervision, approval gates, transaction limits and emergency suspension
Prohibited Unacceptable organisational use Covert manipulation, unlawful discrimination or uncontrolled use of highly sensitive information Use must not proceed

The organisation should define prohibited uses explicitly. Staff should not be expected to derive the organisation’s ethical and legal boundaries through a series of increasingly nervous experiments.


Apply Governance Across the AI Lifecycle

A controlled AI lifecycle can be organised into eight stages.

1. Discover

Document the problem, intended benefit, stakeholders and alternatives.

The first question should be whether AI is required. A deterministic rule, search engine or conventional workflow may be more reliable and less expensive.

2. Assess

Complete:

  • AI risk assessment.
  • Privacy impact assessment.
  • Security threat assessment.
  • Data assessment.
  • Legal and regulatory assessment.
  • Human and societal impact assessment.
  • Vendor due diligence.

ISO/IEC 42005:2025 provides an international standard specifically for AI system impact assessment.

3. Approve

Determine whether the use case can proceed, what conditions apply and who accepts any remaining risk.

Approval should specify:

  • Approved purpose.
  • Approved data.
  • Approved users.
  • Approved models.
  • Permitted actions.
  • Human-control requirements.
  • Monitoring requirements.
  • Review date.

4. Design and build

Use approved architecture patterns, platforms and controls.

Security and privacy requirements should become testable design requirements rather than paragraphs quietly abandoned inside a project document.

5. Evaluate

Test functionality, accuracy, security, privacy, fairness, resilience and tool use.

Evaluation should use representative business scenarios, including:

  • Normal cases.
  • Ambiguous cases.
  • Adversarial inputs.
  • Missing data.
  • Conflicting information.
  • Tool failures.
  • Unauthorised requests.
  • Prompt-injection attempts.
  • High-impact edge cases.

6. Deploy

Production deployment should require documented evidence that controls have been implemented and required approvals obtained.

7. Operate and monitor

Monitor technical performance, business outcomes, user behaviour, security events, data use, model changes and incidents.

8. Retire

Remove access, revoke credentials, delete data where required, archive evidence and update dependent processes.

A model endpoint that nobody remembers but that still has production credentials is not an AI strategy. It is an archaeological site with network access.


A Layered AI Control Model

Effective AI governance must be applied at every architectural layer.

Layer 1: Data governance and protection

Data is usually the organisation’s most valuable AI input and its most obvious route to harm.

Maintain data classification

Every AI use case should identify the classification of:

  • User prompts.
  • Uploaded documents.
  • Retrieved content.
  • Training and fine-tuning data.
  • Model outputs.
  • Conversation history.
  • Agent memory.
  • Application and audit logs.

Minimise data

Only provide the model with the information required for the current task.

Avoid copying entire customer records, mailboxes, document libraries or databases into model context merely because the context window is impressively large.

Apply purpose limitation

Document why each data source is required and whether its use is consistent with the purpose for which it was collected.

Protect sensitive information

Controls should include:

  • Encryption in transit and at rest.
  • Tokenisation or pseudonymisation.
  • Data-loss prevention.
  • Secret and credential detection.
  • Input and output filtering.
  • Restricted network paths.
  • Approved geographic processing locations.
  • Retention and deletion policies.

Preserve source permissions

Retrieval-augmented generation systems must enforce the source system’s permissions.

A user should not gain access to a confidential document simply because an embedding of that document was placed in a vector database. Search indexes and vector stores must support document-level, row-level or attribute-based access controls.

Govern logs and memory

Prompt logs, traces and agent memories can contain the same sensitive information as the source systems.

Logging everything forever may help one audit objective while enthusiastically violating several privacy and security objectives.

Protect data integrity

AI systems must be able to distinguish authoritative records from untrusted or user-supplied content.

Training data, retrieval sources and agent memory should be protected against poisoning, tampering and unauthorised modification.

New Zealand’s NCSC emphasises that data security is essential throughout the training, testing and operation of AI systems.


Layer 2: Model and provider governance

Organisations should maintain an approved model and provider catalogue.

Vendor due diligence should assess:

  • Whether customer data is used for provider model training.
  • Data retention periods.
  • Data residency and cross-border transfers.
  • Subprocessors.
  • Encryption and access controls.
  • Security certifications.
  • Incident-notification commitments.
  • Model update and retirement practices.
  • Service availability.
  • Intellectual-property terms.
  • Regulatory support.
  • Audit rights.
  • Data deletion.
  • Exit and portability arrangements.

Open-weight and self-hosted models require different controls, including:

  • Model provenance.
  • Licence review.
  • Integrity verification.
  • Vulnerability management.
  • Dependency scanning.
  • Model-file protection.
  • Infrastructure capacity.
  • Patching and upgrade ownership.

The organisation should approve model families for defined workload classes rather than letting every project team negotiate its own legal, privacy and security position.


Layer 3: AI application, prompt and retrieval controls

An AI application should not trust model output simply because it is formatted confidently.

Separate trusted instructions from untrusted content

System instructions, organisational policies and tool definitions should be isolated from user input and retrieved content.

Emails, webpages, documents and external tool outputs must be treated as untrusted data. They may contain instructions designed to manipulate the model.

OWASP identifies prompt injection and sensitive-information disclosure among the major security risks affecting LLM applications.

Validate outputs

Model output should be checked before it is:

  • Displayed to a customer.
  • Used in a calculation.
  • Passed to another system.
  • Interpreted as code.
  • Used to select a tool.
  • Executed as an action.

Use schemas, business rules, allowlists and deterministic validation wherever possible.

Require evidence

For knowledge and decision-support systems, require citations or references to authoritative sources.

The application should clearly distinguish between:

  • Retrieved facts.
  • Model-generated interpretations.
  • Recommendations.
  • Assumptions.
  • Missing information.

Keep secrets outside prompts

API keys, passwords and privileged credentials should never be placed in system prompts, source code, conversation memory or retrievable documents.

Applications should access secrets through a managed secrets service only when required.

Test continuously

Prompts, models, retrieval systems and tools should be versioned and regression-tested.

Changing a model version can alter behaviour even when application code remains unchanged.


Layer 4: Process automation and business controls

AI should not replace deterministic business controls.

A safe pattern is:

AI interprets or recommends. The controlled workflow validates and authorises.

For example, an AI model may extract invoice details and identify a likely match. A deterministic workflow should still verify supplier identity, purchase-order values, tax rules, approval limits and segregation of duties.

Use explicit workflow states

The process should identify whether an item is:

  • Drafted.
  • Validated.
  • Pending approval.
  • Approved.
  • Executed.
  • Rejected.
  • Escalated.
  • Reconciled.

Separate duties

High-impact workflows should use maker-checker or dual-control patterns.

The same agent should not be permitted to create a supplier, change the supplier’s bank account and approve the first payment. Human organisations already learned why this is unwise. There is no need to make software rediscover fraud controls through personal experience.

Establish control limits

Define limits for:

  • Transaction value.
  • Number of records.
  • Communication volume.
  • Execution time.
  • Tool calls.
  • Retry attempts.
  • Data volume.
  • External recipients.

Make actions idempotent and reversible

Repeated agent requests should not create duplicate payments, orders, tickets or user accounts.

Where possible, processes should support rollback or compensating actions.


Layer 5: User identity and access control

AI must operate within the organisation’s identity architecture.

Use enterprise authentication

AI services should integrate with:

  • Single sign-on.
  • Multifactor authentication.
  • Conditional access.
  • Device compliance.
  • Session controls.
  • Identity lifecycle management.

Apply role- and attribute-based access

Access should consider:

  • User role.
  • Department.
  • location.
  • Data classification.
  • Customer relationship.
  • Business purpose.
  • Device and network status.
  • Time and risk conditions.

Prevent permission expansion

An AI application must not return information beyond the requesting user’s existing authority.

The AI system should not use a highly privileged service account to retrieve information and then rely on the model to decide which parts a user is allowed to see.

Protect privileged access

Administrative functions should use privileged-access management, just-in-time elevation and additional approval.

Control user-generated agents

Where platforms permit employees to build copilots or agents, the organisation should govern:

  • Who can create them.
  • Which connectors they can use.
  • Who can publish them.
  • Which audiences can access them.
  • How they are reviewed.
  • How unused agents are removed.

Layer 6: Agentic AI identity, tools and authority

Agentic AI requires additional governance because agents can act, not merely generate content.

The New Zealand NCSC published dedicated guidance in May 2026 on the careful adoption of agentic AI, addressing risks introduced by agent behaviour, components, integrations and downstream use. OWASP has likewise published a security framework focused specifically on autonomous and agentic applications.

Give every agent a distinct identity

Agents should not use shared accounts or inherit unrestricted user sessions.

A distinct identity allows the organisation to:

  • Assign permissions.
  • Trace actions.
  • Revoke access.
  • Apply conditional policies.
  • Separate agent activity from human activity.

Scope tools narrowly

An agent should receive only approved tools.

Each tool should define:

  • Permitted operations.
  • Permitted data.
  • Parameter constraints.
  • Rate limits.
  • Transaction limits.
  • Required approvals.
  • Error behaviour.

A generic “execute database query” or “run shell command” tool creates far more risk than a constrained “retrieve approved customer summary” or “restart this approved service” tool.

Use short-lived credentials

Agents should use temporary, just-in-time credentials rather than permanent secrets.

Separate planning from execution

A strong pattern is:

  1. The model creates a proposed plan.
  2. A policy engine validates the plan.
  3. A human or deterministic control approves high-risk steps.
  4. A constrained execution service performs the action.
  5. The result is independently verified.

Establish autonomy levels

Organisations can define progressive autonomy levels:

  • Level 0: AI generates information only.
  • Level 1: AI recommends actions.
  • Level 2: AI prepares actions for human approval.
  • Level 3: AI executes low-risk, reversible actions within limits.
  • Level 4: AI executes higher-impact actions under active supervision.
  • Level 5: AI operates independently within a formally approved and continuously monitored domain.

Most organisations should proceed cautiously beyond Level 3.

Apply action budgets

Limit how much an agent can do during a single session or time period.

Budgets can cover:

  • Money.
  • Records changed.
  • Emails sent.
  • Systems accessed.
  • Compute consumed.
  • Tool calls.
  • Elapsed time.

Sandbox dangerous operations

Code execution, browser automation, file processing and testing of untrusted content should occur in isolated environments with restricted network access.

Control agent memory

Memory should have:

  • Defined content.
  • Classification.
  • Retention.
  • Access controls.
  • Integrity checks.
  • User visibility where appropriate.
  • Deletion processes.

Agents should not silently build permanent profiles of employees or customers from every interaction.

Provide an emergency stop

Operators must be able to suspend:

  • The agent.
  • A specific tool.
  • A model.
  • A connector.
  • An identity.
  • A workflow.
  • External network access.

The shutdown mechanism should not depend on asking the agent politely to stop.


Layer 7: Infrastructure and supply-chain security

AI platforms should follow established secure architecture practices.

Controls should include:

  • Separation of development, test and production.
  • Private network connectivity where appropriate.
  • Egress filtering.
  • Web application and API protection.
  • Encryption.
  • Secrets management.
  • Endpoint protection.
  • Vulnerability management.
  • Container and dependency scanning.
  • Infrastructure-as-code review.
  • Backup and recovery.
  • Availability and capacity planning.
  • Denial-of-service protection.
  • Supplier and software-component assurance.

AI introduces additional supply-chain elements such as:

  • Model providers.
  • Model files.
  • Fine-tuning datasets.
  • Embedding models.
  • Vector databases.
  • Agent frameworks.
  • Plugins and connectors.
  • Model Context Protocol servers.
  • Evaluation datasets.
  • Prompt libraries.

Each component must be inventoried, approved and maintained.


Layer 8: Monitoring, assurance and incident response

AI systems require observability at both technical and business levels.

Record traceable events

Logs should capture, subject to privacy and minimisation requirements:

  • User and agent identity.
  • Model and version.
  • Prompt or request reference.
  • Retrieved sources.
  • Tools selected.
  • Parameters supplied.
  • Approvals.
  • Actions executed.
  • Results and errors.
  • Policy decisions.
  • Safety or DLP events.
  • Cost and duration.

Monitor behaviour

Useful indicators include:

  • Accuracy and groundedness.
  • Unsupported-answer rates.
  • Human override rates.
  • Tool failures.
  • Unauthorised tool attempts.
  • Sensitive-data detections.
  • Prompt-injection detections.
  • Unexpected data access.
  • Abnormal transaction volume.
  • User complaints.
  • Process exceptions.
  • Business-value measures.

Red-team high-risk systems

Testing should include attempts to:

  • Extract confidential information.
  • Override policies.
  • Manipulate tool selection.
  • Poison retrieved content.
  • Escalate permissions.
  • Cause unintended transactions.
  • Generate unsafe code.
  • Exploit agent-to-agent trust.
  • Exhaust cost or execution budgets.

Extend incident response

AI incident procedures should cover:

  • Data leakage.
  • Privacy breach.
  • Incorrect high-impact decisions.
  • Unauthorised actions.
  • Compromised model or connector.
  • Prompt injection.
  • Model or data poisoning.
  • Vendor incident.
  • Harmful content.
  • Material model-behaviour change.

The response plan should define containment, evidence preservation, stakeholder notification, rollback and regulatory reporting.

For New Zealand organisations, Privacy Principle 5 requires safeguards reasonable in the circumstances to protect personal information against loss, unauthorised access, disclosure and misuse. Serious privacy breaches must be notified to the Office of the Privacy Commissioner as soon as possible, with the Commissioner describing this as within 72 hours. New Zealand organisations are also required to appoint a privacy officer.


Mitigating the Main Enterprise AI Risks

Data leakage

Data leakage can occur through prompts, uploaded documents, model training, logs, retrieval results, outputs, connectors or agent actions.

Key controls include:

  • Approved enterprise AI services.
  • Data classification.
  • DLP inspection of prompts and outputs.
  • Provider contractual controls.
  • Restricted model training.
  • Encryption.
  • Access-aware retrieval.
  • Redaction and tokenisation.
  • Controlled logging.
  • Employee training.
  • Blocking or limiting unapproved consumer AI services.

Data loss and corruption

AI systems may overwrite, delete or incorrectly transform organisational records.

Controls include:

  • Read-only access by default.
  • Draft-before-execute patterns.
  • Human approval.
  • Transaction limits.
  • Versioning.
  • Backups.
  • Reconciliation.
  • Idempotent APIs.
  • Rollback.
  • Separation between AI working memory and systems of record.

Security compromise

Attackers may manipulate AI systems through prompt injection, malicious documents, poisoned tools, compromised plugins or stolen agent credentials.

Controls include:

  • Treating external content as untrusted.
  • Strong identity controls.
  • Tool allowlists.
  • Sandboxing.
  • Network egress restrictions.
  • Input and output validation.
  • Software supply-chain security.
  • Secrets management.
  • Runtime anomaly detection.
  • Adversarial testing.

Privacy harm

AI may reveal, infer or reuse personal information in ways individuals do not expect.

Controls include:

  • Privacy impact assessments.
  • Purpose limitation.
  • Data minimisation.
  • Transparency notices.
  • Consent or another appropriate legal basis.
  • De-identification.
  • Retention limits.
  • Rights-management processes.
  • Restrictions on profiling and automated decisions.
  • Human review of consequential outcomes.

NIST notes that AI systems can introduce privacy risks through activities such as data reconstruction, prompt injection and inference of personal attributes.

Incorrect or fabricated outputs

Controls include:

  • Retrieval from authoritative sources.
  • Citation requirements.
  • Confidence thresholds.
  • Deterministic validation.
  • Human review.
  • Independent calculation.
  • Fallback procedures.
  • Clear user warnings.
  • Monitoring of production errors.

Excessive agent authority

Controls include:

  • Separate agent identities.
  • Least privilege.
  • Tool-specific permissions.
  • Approval gates.
  • Action budgets.
  • Transaction limits.
  • Supervised autonomy.
  • Reversible actions.
  • Kill switches.
  • Complete audit trails.

Shadow AI

Shadow AI emerges when staff use unapproved tools because approved alternatives are absent, inconvenient or poorly communicated.

Controls should combine:

  • A clear acceptable-use policy.
  • Approved enterprise tools.
  • Fast onboarding for low-risk use cases.
  • Training.
  • Browser and network controls.
  • SaaS discovery.
  • DLP monitoring.
  • Proportionate enforcement.

Simply banning AI while employees remain expected to produce more work with fewer resources tends to create exceptionally predictable non-compliance.


The Minimum AI Governance Policy Set

An organisation should maintain at least the following documents:

  1. Enterprise AI policy Defines principles, scope, prohibited uses, accountability and acceptable use.

  2. AI risk-classification standard Defines risk dimensions, tiers and required controls.

  3. AI development and lifecycle standard Defines architecture, testing, documentation, release and retirement requirements.

  4. AI data and privacy standard Defines permitted data use, training restrictions, retention and privacy controls.

  5. AI provider and procurement standard Defines due diligence and contractual requirements.

  6. Generative AI acceptable-use standard Defines what employees may enter into approved and unapproved tools.

  7. Agentic AI security standard Defines agent identities, autonomy levels, tools, approval gates and monitoring.

  8. AI evaluation standard Defines functional, security, privacy, fairness and operational testing.

  9. AI incident-response procedure Defines containment, investigation, notification and recovery.

  10. AI change and model-management procedure Defines how model, prompt, data and tool changes are evaluated and approved.


Measuring Whether AI Governance Is Working

Governance should be measured through outcomes, not the number of policies published.

Useful metrics include:

Portfolio metrics

  • Percentage of AI systems recorded in the inventory.
  • Percentage with named business and technical owners.
  • Percentage with current risk assessments.
  • Number of unapproved AI services discovered.
  • Number of high-risk systems awaiting review.

Data and privacy metrics

  • Sensitive-data prompts blocked.
  • Data-access violations.
  • Privacy-impact assessments completed.
  • Retention-policy exceptions.
  • Unauthorised cross-border processing events.

Security metrics

  • Prompt-injection detections.
  • Unauthorised tool attempts.
  • Agent permission violations.
  • AI-related vulnerabilities.
  • Time to contain AI incidents.
  • Percentage of high-risk systems red-teamed.

Quality metrics

  • Grounded-answer rates.
  • Incorrect-action rates.
  • Human override rates.
  • Escalation rates.
  • Evaluation regression failures.
  • Customer or employee complaints.

Business metrics

  • Successful task-completion rate.
  • Time saved.
  • Cost per completed outcome.
  • Process-quality improvement.
  • Reduction in manual rework.
  • User adoption.
  • Realised business value.

The organisation should avoid measuring success through token consumption or number of chatbot conversations. Spending more money while generating more text is not, by itself, a transformation.


A Practical 12-Month Implementation Roadmap

First 30 days: Establish control

  • Appoint an executive sponsor.
  • Establish an interim AI policy.
  • Identify approved and unapproved AI tools.
  • Begin the AI inventory.
  • Define prohibited data and use cases.
  • Provide basic employee guidance.
  • Establish an AI incident-reporting route.

Days 31–90: Build the governance foundation

  • Form the AI Governance Council.
  • Define AI risk tiers.
  • Create assessment templates.
  • Establish model and vendor requirements.
  • Approve initial architecture patterns.
  • Select sanctioned AI platforms.
  • Integrate privacy, security and legal review.
  • Launch mandatory role-based training.

Months 3–6: Operationalise controls

  • Implement model gateways and central logging.
  • Integrate DLP and identity controls.
  • Establish evaluation pipelines.
  • Define agent identities and autonomy levels.
  • Introduce lifecycle approval gates.
  • Complete assessments of existing high-risk systems.
  • Establish monitoring dashboards.
  • Conduct initial adversarial testing.

Months 6–12: Scale and assure

  • Align the programme with ISO/IEC 42001.
  • Introduce independent assurance.
  • Expand reusable agent and retrieval patterns.
  • Establish production AI red-teaming.
  • Automate inventory and control evidence.
  • Test incident-response procedures.
  • Measure business outcomes and residual risk.
  • Review governance based on actual incidents and delivery experience.

Aligning with International Standards and Regulation

A governance model should be designed to satisfy multiple frameworks rather than creating a separate process for every jurisdiction.

A practical foundation can combine:

  • ISO/IEC 42001 for the organisational AI management system.
  • NIST AI RMF for risk management through Govern, Map, Measure and Manage.
  • NIST Privacy Framework for privacy risk.
  • ISO/IEC 27001 and established cybersecurity frameworks for information security.
  • ISO/IEC 42005 for AI impact assessment.
  • OWASP guidance for generative and agentic AI security.
  • Applicable privacy, employment, consumer, intellectual-property and sector-specific laws.

The European Union’s Artificial Intelligence Act establishes harmonised, risk-based rules for AI systems and is being applied through a phased schedule. Organisations offering or using relevant AI systems in the European market should map provider, deployer, transparency, risk-management and oversight obligations to their AI inventory.

For New Zealand organisations, AI governance should integrate the Privacy Act 2020, contractual duties, sector requirements, employment obligations, information-management responsibilities and guidance from the Office of the Privacy Commissioner and NCSC.

Regulatory compliance should be treated as the minimum boundary, not the complete definition of trustworthy AI.


Conclusion

Safe AI adoption does not require an organisation to eliminate all risk.

It requires the organisation to understand which AI systems it uses, what those systems can access, what decisions they influence and what actions they are permitted to perform.

An effective AI governance model establishes:

  • Clear executive and business accountability.
  • A complete inventory of AI systems.
  • Risk-based assessment and approval.
  • Strong data and privacy governance.
  • Approved models and providers.
  • Secure application and retrieval patterns.
  • Deterministic process controls.
  • Identity-based user and agent access.
  • Constrained agent tools and autonomy.
  • Continuous monitoring and independent assurance.
  • Incident response, rollback and recovery.

The most important architectural principle is simple:

AI should never receive more data, authority or autonomy than the organisation can observe, control and safely recover from.

Generative AI changed how organisations create and analyse information.

Agentic AI is changing who, or what, can initiate actions across enterprise systems.

That transition makes governance a runtime engineering capability, not merely a policy function.

Organisations that implement governance as part of their AI platform will be able to adopt new models and agents more quickly because approved controls, decision rights and architecture patterns are already available.

Organisations that delay governance will still adopt AI. They will simply discover it through data-loss alerts, unexplained transactions, privacy complaints and agents that nobody remembers authorising.

Technology has always found creative ways to expose weak organisational controls. AI merely does it faster and with better grammar.


Profile picture

Written by Hossam Katory with help of LLMs
Follow me on LinkedIn
Follow me on X