AI Readiness Partner

Pillar 6 of 6

Guardrails, or exposure?

AI governance is an operational question, not a legal one. It comes down to who owns AI decisions and whether those decisions can be defended. This page lays out what governance readiness looks like in practice. It is not a substitute for legal counsel.

"Are we compliant?" is the wrong question. The right one is: if AI made a wrong decision in our name tomorrow, who would own it? When that question gets asked seriously, the honest answer is usually nobody. There is no named owner, no documented boundary, no way to reconstruct what the model did or why. The governance gap is not legal exposure. It is operational ambiguity dressed up in a values statement.

What governance readiness actually means

Governance readiness is not a legal sign-off. It is not your vendor's compliance certificate. It is not the values statement on your About page. It is whether your business can answer five operational questions: who owns each AI decision, what the AI did, on what data, within what documented boundary, and whether anyone is checking.

Frameworks like the EU AI Act, GDPR, ISO 42001, and the NIST AI RMF are useful as scaffolds. They are not substitutes for those five answers. The frameworks enforce what leadership should already be asking, which is why our bespoke transformation engagement starts with the operational position, not the regulatory one.

Ownership

When AI makes a decision in the business, is there a named person who owns the outcome? Not the tool, the person. We have audited businesses with sophisticated AI tooling and no human who could say, when pressed, what they had personally signed off. Ownership is not which job title sits closest to the use case. It is who can answer for it.

Transparency

Can you explain to a customer, a regulator, or an internal auditor what the AI did, why, and on what data? If the answer requires a vendor support ticket, your transparency is the vendor's, not yours. The bar is that someone in your business can give the explanation, today, without leaving the building.

Boundaries

Are there documented rules for what AI is allowed to do without human review, and is anyone actually enforcing them? Boundaries that exist only on a policy page are decorative. Boundaries that exist in the live workflow, with someone responsible for the threshold, are operational. The difference becomes visible the first time a system drifts.

Audit trail

If a decision is challenged six months later, can you reconstruct what happened? Inputs, model, prompt, output, who approved it, what the boundary was at the time. Most teams cannot. The audit trail does not exist until you build it deliberately, and the time to build it is before the challenge, not after.

Review cadence

Is AI behaviour reviewed on a defined schedule, or only when something goes wrong? The most expensive governance failures we have audited all share one feature: the first review of the AI system happened in response to the incident. By definition that review is too late. Cadence is what makes review preventative rather than reactive.

The audit trail dimension depends materially on the data pillar: without lineage, there is no trail. Boundaries that survive contact with the work depend on the process pillar, because a boundary that is not in the actual workflow is a boundary in name only. Ownership only works if the named person actually has the authority to act, which is a people pillar question.

The four readiness bands for Governance

Our audit scores your governance readiness from 5 to 20 across five questions. The bands describe whether AI in your business is defensible, partly defensible, or operationally invisible.

  • Ready
    17–20

    Defensible end-to-end.

    Every AI use case has a named owner who can answer for it. Decisions are reproducible from logs months after the fact. Boundaries are documented and enforced in the workflow, not just on a policy page. Reviews happen on a defined cadence. At this band, a regulator query, a customer challenge, or a board question has a defensible answer in hours, not weeks.

  • Progressing
    12–16

    Defensible in places.

    Some use cases have named owners. Audit trails exist for the higher-profile work. Boundaries are documented but only loosely enforced. Reviews happen, but irregularly. The work at this band is closing the long tail: the AI uses that grew up inside individual teams without going through formal governance.

  • Developing
    7–11

    Defensible only because nobody has asked.

    AI is being used across the business in ways the senior team is not fully aware of. Ownership is ambiguous. Audit trails are partial. Boundaries exist for some use cases and not others. The governance position has not been tested because no incident has forced it. When one does, the response will be improvised, which is the worst kind of governance answer.

  • Critical
    5–6

    Operationally invisible.

    Nobody can list, with confidence, every place AI is being used in the business. Ownership is undefined. There is no audit trail. There is no documented boundary. The first time the business will discover what its AI is doing is when someone outside the building points it out. Stop. Build a register. Then have the governance conversation.

Why most teams get this wrong

After running this audit across more than a hundred organisations, the same four patterns repeat. Each is a leadership decision dressed up as a legal or technical problem. Each is fixable without rewriting policy.

They confuse a vendor compliance certificate with their own governance

A vendor's SOC 2 report tells you something about the vendor. It does not tell you what your business is doing with the vendor's tool, who owns those decisions, or whether a regulator would find the use defensible. We have audited businesses whose entire AI governance position was a folder of vendor certificates. That folder is necessary. It is not sufficient.

They publish a values statement and call it AI governance

A page on the website stating your values around AI is not governance. It is marketing. Governance is who owns what, what is documented, what is enforced, and what gets reviewed. The values statement and the operational reality are different documents, written by different people, frequently inconsistent with each other. The first place a regulator looks is the gap between the two.

Nobody can say what AI is actually doing in the business right now

We ask leadership teams to list every place AI is being used in the business. They name four. The marketing team is using AI to personalise outbound. The customer service team has a chatbot updated by a vendor release no one has reviewed. The sales team is scoring leads with an AI feature that came with their CRM upgrade. Three of those did not appear on the leadership list. None of them are anyone's fault individually. All of them are someone's accountability collectively.

The governance question only gets asked after something has gone wrong

An AI-generated marketing claim turns out to be factually wrong. A customer complaint surfaces an automated decision nobody can explain. A regulator asks for documentation that does not exist. At this point the governance position is being constructed in real time, by lawyers, under pressure. It is the most expensive moment in the cycle and the worst time to be having the conversation. The conversation should have happened a year earlier, when the question was "who owns this?", not "who do we blame?".

If nobody owns the decision when AI gets it wrong, you do not have governance. You have exposure.

What good actually looks like

"Governance ready" is not "fully compliant with every framework". It is operationally defensible. Every AI use case in the business has a named owner who could answer for it. Decisions are reproducible from logs. Boundaries are documented as actual workflow, not as aspirational policy. Reviews happen on a schedule. Most organisations that get this right did not start with the legal team. They started with leadership getting honest about who was accountable for what.

95%

of AI pilots fail to create measurable value, according to MIT NANDA's 2025 research. Governance gaps are not the headline cause, but they accelerate the failure. When an AI initiative goes wrong because nobody owned the decision, the legal cost is the visible part. The invisible part is the project being killed prematurely because the business cannot defend what it did, regardless of whether the AI worked.

Source: MIT NANDA Research, 2025

The bar for governance ready is roughly this. Every AI use case in the business has a named owner. Decisions are reproducible from logs going back six months. There is a documented boundary for every model that interacts with customers, employees, or regulators, and someone is enforcing it. Reviews happen on a scheduled cadence, not in response to incidents. When a board, a regulator, or a customer asks what the AI is doing in your name and who decided that, the answer exists in writing, today.

None of that is the lawyers' job. The lawyers come in once leadership has done its part, which is the answer to who owns what. Governance gaps almost always trace back to unclear strategy: if leadership cannot say what AI is for, they cannot say who owns what when it misbehaves. Our bespoke transformation engagement connects the operational and the strategic. The Deep Dive report walks through your specific gaps in writing.

How the audit measures your governance readiness

The Governance pillar in our audit is five questions, each scored 1 to 4: ownership, transparency, boundaries, audit trail, review cadence. The total places you in one of the four bands above. The questions are designed to surface the operational position, which is the necessary input to any conversation with legal counsel about regulatory exposure.

The free 7-minute version gives you the band, the score, and a teaser of where your biggest governance-readiness gap sits. The £97 Full Report walks through each dimension in writing. The £497 Deep Dive takes that further with a 30 / 60 / 90 day plan, including the specific operational gaps that need closing before legal counsel can do their part of the work. If you would rather talk to a consultant directly about your operational governance position, that work lives inside our bespoke transformation engagement.

Take the free 7-minute assessment

No card. No sales call. Just your score across all six pillars.

Frequently asked questions

What does "AI governance" actually mean in operational terms?

AI governance is whether your business can defend what AI is doing in its name. It is not a legal document. It is the operational answer to five questions: who owns each AI decision, what the AI did, on what data, within what documented boundary, and who is reviewing it. Legal frameworks exist to enforce those answers. They do not produce them.

Is AI governance a legal problem or a leadership problem?

It is a leadership problem with legal consequences. Legal counsel cannot answer "who owns this decision in our business" on behalf of leadership. They can only check that the answer leadership gives meets the relevant regulatory bar. If leadership has not done its work, the legal review has nothing to review. The order matters.

Are you a substitute for legal advice on the EU AI Act or GDPR?

No. We are not lawyers and nothing on this page is legal advice. We help leaders get operational clarity (who owns what, what is documented, what is enforced) before they engage legal counsel. Once that operational position exists, qualified legal counsel can assess regulatory exposure against it. We work alongside legal teams, never in their place.

Who should own AI governance in a business: legal, IT, or leadership?

Leadership, supported by both. Legal can tell you whether your operational position meets the regulatory bar. IT can tell you what the systems do. Neither can decide what AI the business should be using and who owns each use case. That is a leadership decision. Committee ownership is the most common failure pattern, because nobody alone has the authority to act.

What is the difference between AI governance and AI compliance?

Governance is the operating model: who owns what, what is documented, what is enforced, what gets reviewed. Compliance is whether that operating model satisfies the relevant external requirements: regulation, contract terms, industry codes. Governance is what you build. Compliance is what you can defend. Without governance, compliance is a document nobody can stand behind.

How do you audit an AI decision after the fact?

By reconstructing the inputs, the model state, the prompt, the output, the boundary in force at the time, and the human approval if one was required. If any of those cannot be reconstructed, the decision is, in practice, not auditable. Most AI use cases inside businesses today are not auditable in that sense, because the trail was never built deliberately. The work is building it before it is needed.
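The reconstruction described in this answer (and under Audit trail and Boundaries above) only works if the trail was built deliberately, with the boundary in force captured at the moment of the decision. The following is an added example, not the audit's own tooling or any client's code: a small hash-chained decision log in Python that applies a constructed boundary document before an action is recorded, refuses actions that exceed the boundary without a named approver, can verify that no record has been altered since it was written, and reconstructs a single decision after the fact. The boundary values, model id, approver name and ticket data are all constructed placeholders.

```python
"""Hash-chained AI decision log: boundary check, append, verify, reconstruct.

Added example; boundary rules, model ids and ticket data below are constructed
placeholders, not values from any real system.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record

# Constructed boundary document (hypothetical values): what the model may do
# without a human looking first, and who owns that threshold.
BOUNDARY_V1 = {
    "version": "boundary-v1",
    "owner": "Head of Customer Operations",  # constructed placeholder
    "no_review_actions": ["suggest_reply"],
    "refund_auto_limit_gbp": 50,
}


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def canonical(obj) -> str:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def review_required(action: str, payload: dict, boundary: dict) -> bool:
    """Evaluate the boundary in force: does this action need a named approver?"""
    if action in boundary["no_review_actions"]:
        return False
    if action == "refund" and payload.get("amount_gbp", 0) <= boundary["refund_auto_limit_gbp"]:
        return False
    return True  # anything not explicitly allowed goes to a human


@dataclass
class DecisionRecord:
    seq: int
    action: str
    input_hash: str          # hash of the exact input; the data itself stays in its own store
    model_id: str
    prompt_hash: str
    output: str
    boundary_version: str    # which boundary was in force when the decision was made
    review_required: bool
    approver: Optional[str]  # the named human, if the boundary required one
    prev_hash: str           # links this record to the one before it
    record_hash: str = ""

    def body(self) -> dict:
        d = asdict(self)
        d.pop("record_hash")
        return d


class DecisionLog:
    def __init__(self):
        self.records: list[DecisionRecord] = []

    def append(self, action, input_data, model_id, prompt, output, boundary, approver=None):
        """Record one AI decision, enforcing the boundary before it is written."""
        needs_review = review_required(action, input_data, boundary)
        if needs_review and not approver:
            raise PermissionError(f"{action} exceeds {boundary['version']}: a named approver is required")
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = DecisionRecord(
            seq=len(self.records), action=action,
            input_hash=sha256_hex(canonical(input_data)), model_id=model_id,
            prompt_hash=sha256_hex(prompt), output=output,
            boundary_version=boundary["version"], review_required=needs_review,
            approver=approver, prev_hash=prev,
        )
        rec.record_hash = sha256_hex(canonical(rec.body()))
        self.records.append(rec)
        return rec

    def verify(self):
        """Walk the chain; return (True, -1) or (False, seq of the first altered record)."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.record_hash != sha256_hex(canonical(rec.body())):
                return False, rec.seq
            prev = rec.record_hash
        return True, -1

    def reconstruct(self, seq: int) -> dict:
        """What did the AI do, on what input, within which boundary, and who approved it?"""
        return self.records[seq].body()


def build_sample_log() -> DecisionLog:
    """Three constructed decisions: two inside the boundary, one that needed a human."""
    log = DecisionLog()
    model = "support-model-2025-01"  # constructed model id
    log.append("suggest_reply", {"ticket": "T-1", "text": "Where is my order?"}, model,
               "Draft a reply to the customer.", "Your order ships Friday.", BOUNDARY_V1)
    log.append("refund", {"ticket": "T-2", "amount_gbp": 20}, model,
               "Decide on the refund request.", "Refund 20 GBP approved.", BOUNDARY_V1)
    log.append("refund", {"ticket": "T-3", "amount_gbp": 200}, model,
               "Decide on the refund request.", "Refund 200 GBP approved.", BOUNDARY_V1,
               approver="j.smith")  # constructed approver
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("decision 2:", log.reconstruct(2))
```

Storing a hash of the input rather than the input itself keeps customer data out of the log, but it also means the original input store has to be retained for as long as the log is, or the hash can no longer be matched to anything and the decision becomes unreconstructible in exactly the way this answer describes.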

What happens when AI makes a wrong decision and nobody owns it?

Three things, usually in this order. The wrong decision affects a customer, an employee, or a regulator. The business cannot give a defensible answer to who decided this and on what basis. The governance position is then constructed in real time, by lawyers, under pressure, often with the AI use suspended. The cost is rarely the original mistake. It is the unprepared response to it.

Where do most companies fail on governance readiness?

Ownership and audit trail. Boundaries get documented because policy work has a visible output. Reviews happen because they look like meetings. Ownership requires a leader to put their name against a use case and accept that the answer becomes theirs when something goes wrong, which is uncomfortable. The audit trail requires deliberate logging that nobody has time for until they need it. Both are fixable. Both are deferred.

See where your governance position actually stands.

Seven minutes. Thirty questions. A scored band for Governance and the five other pillars that decide whether AI works in your business.
