I’ve sat through enough AI governance workshops to recognise policy theatre when I see it. Every enterprise wants an “AI governance framework” now, but most end up with documents that look impressive in board papers and do nothing to manage actual risk.

Here’s what I’ve learned works in Australian organisations that are deploying AI at scale.

Start with Inventory, Not Policy

The first mistake: writing AI governance policies before you know what AI you’re actually using.

Most organisations discover they have AI deployed in places they didn’t know about. Marketing teams using generative tools. Finance running predictive models. Sales using AI-powered prospecting platforms.

Your first job is inventory. What AI systems are in production? What data do they access? Who approves their use? What decisions do they inform or make?

You can’t govern what you can’t see.

Risk-Based Tiering Makes It Practical

Not all AI use cases carry the same risk. A chatbot that answers HR policy questions is different from an AI system that approves credit applications.

The organisations doing this well use a tiering system:

Low risk: AI that informs human decisions, limited data access, no legal or financial impact. Light touch governance - register it, document the vendor, annual review.

Medium risk: AI that makes automated decisions with human oversight, access to customer data, moderate business impact. Requires bias testing, regular performance monitoring, clear escalation paths.

High risk: AI making decisions without human review, processing sensitive data, significant legal or financial consequences. Full governance process - ethics review, ongoing auditing, incident response plans.

Most of your AI use will fall into low or medium risk. Don’t apply high-risk governance processes to everything or you’ll create bureaucracy that people route around.

Build Guardrails, Not Gates

Traditional IT governance was about gates - approval processes that everything had to pass through. That doesn’t work when business units are signing up for AI SaaS tools with a credit card.

Better approach: guardrails. Clear principles about what’s acceptable, technical controls where possible, and lightweight approval for edge cases.

Example guardrails that work:

• No AI systems that process customer data without InfoSec review
• All generative AI tools must be on the approved vendor list
• Any AI that makes decisions about people requires ethics review
• Vendor contracts must include data sovereignty clauses

These are rules people can follow without waiting for a committee meeting.

The Human Review Question

Every AI governance framework hits this question: when do you need human review of AI decisions?

The legal default in Australia is moving toward “always” for consequential decisions. But that’s not always practical or even better for outcomes.

My rule: require human review when:

1. The decision significantly affects someone’s life (employment, credit, benefits)
2. The AI is operating outside its training domain
3. The decision can’t be easily reversed
4. The stakeholder requests it

But don’t require human review just to tick a box. A human rubber-stamping AI decisions because they’re overwhelmed isn’t meaningful oversight. Better to invest in better AI.

Get the Right Expertise Involved

AI governance isn’t just an IT problem. You need legal (for compliance), HR (for workplace impacts), risk (for business continuity), and business unit leaders (who understand operational context).

I’ve seen this work well: a small AI governance team (maybe 2-3 people) who coordinate across functions. They run the inventory, maintain the framework, escalate edge cases. But they’re not bottlenecks - they’re enablers.

Some organisations bring in outside support to set this up initially. Team400, for instance, helps enterprises build governance frameworks that fit their risk appetite and culture. The key is finding people who’ve done this before and can save you from common mistakes.

Performance Monitoring That Matters

Your AI governance framework needs to include ongoing monitoring. AI systems degrade over time as data distributions shift.

But don’t just monitor technical metrics. Monitor for:

• Fairness: are outcomes skewed across demographic groups?
• Accuracy: is the system still performing as expected?
• Data quality: has the input data changed?
• User satisfaction: do people trust the system?
• Business impact: is it delivering expected value?

Set up dashboards that surface problems early. Assign clear owners for each AI system who are responsible for monitoring.

Document Decisions, Not Just Policies

The most useful part of AI governance isn’t the policy document. It’s the record of decisions made and why.

When you approve or reject an AI use case, document the reasoning. When you discover an edge case, capture how you handled it. When something goes wrong, record lessons learned.

This creates institutional knowledge that actually helps people navigate future decisions. The policy doc is just a starting point.

Make It Easy to Do the Right Thing

Your governance framework will fail if doing the right thing is harder than doing nothing.

Make the approval process fast for low-risk AI. Provide templates that make documentation easy. Offer a list of pre-approved vendors that have already passed security review.

Governance should enable AI adoption, not prevent it. If business units are routing around your framework, that’s a sign it’s too heavy.

The Reality Check

Here’s the uncomfortable truth: you can’t govern AI perfectly. The technology is moving too fast. The use cases are too diverse. Your people will make mistakes.

Your governance framework needs to acknowledge this. Build in incident response. Create safe channels for people to report concerns. Focus on learning, not blame.

The goal isn’t zero risk. It’s acceptable risk, managed intelligently, with clear accountability.

That’s governance that actually works.