AI Governance. Build it before the first incident.

AI governance is the set of structures, roles, processes, and tools by which an organization steers the responsible use of AI systems. Where AI compliance meets the legal floor, AI governance goes further: strategic direction, value alignment, risk appetite, investment decisions, ethical guardrails. Governance is the precondition for compliance — without clear roles and decision paths, EU AI Act obligations cannot be reliably met.

Every organization that develops, operates, or strategically deploys AI systems. Concretely required for: (1) providers of high-risk AI (Art. 17 EU AI Act mandates a quality management system), (2) organizations targeting ISO 42001 certification, (3) listed companies with ESG reporting obligations, (4) financial institutions under DORA, (5) public bodies with fundamental rights impact assessment obligations. Pragmatically valuable for any org above ~20 employees actively using AI — the build is cheaper than the first incident without governance.

Recommended composition (4-7 people): (1) C-level sponsor — typically CIO, CTO, or COO, drives mandate and budget. (2) Compliance / DPO — bringing regulatory perspective. (3) Legal — for contract, liability, IP. (4) Data/AI team — technical representation. (5) Business unit — largest AI use-case owner. (6) Optional: ethics representative or works council (statutorily required for HR/recruiting AI in Germany). The board typically meets quarterly, with escalation-based ad-hoc sessions for classification-critical decisions.

Data governance regulates the lifecycle of data (collection, quality, ownership, classification, retention). AI governance regulates the lifecycle of AI systems — data is only one component. AI governance additionally covers: model selection, training/inference processes, model evaluation, bias detection, explainability, model lifecycle, AI-specific risks (hallucination, model dependency, adversarial attacks). Data governance is a prerequisite for AI governance, not a substitute. Mature organizations integrate both under a Chief Data + AI Officer.

Both frameworks operationalize AI governance, with different emphases. ISO 42001 provides the structural backbone — Clause 5 (Leadership), Clause 6 (Planning), and Annex A.3 (Internal organization) directly require AI governance artifacts. NIST AI RMF provides the operational risk methodology — the Govern function is the cross-cutting backbone, supported by Map, Measure, and Manage. Most mature organizations use ISO 42001 as the management system shell and NIST AI RMF as the operational risk methodology within. Matproof maps both into a single workspace.

Five-stage model: (1) Ad hoc — AI used uncontrolled, no inventory or policy. (2) Aware — policy exists on paper, inventory starting, no consistent classification. (3) Defined — governance board established, classification process running, AI literacy training launched, risk management in place. (4) Managed — post-market monitoring operational, quarterly reviews, ISO 42001 audit-ready. (5) Optimized — continuous improvement, ISO 42001 certified, EU AI Act conformity assessment passed, proactive on emerging regulations. Typical progression: 12-24 months per stage manually, 6-12 months per stage with platform support.

Realistic budget for a mid-sized organization (50-500 employees) in year one: EUR 80,000-250,000. Breakdown: AI governance lead 0.5 FTE (EUR 40,000-80,000), Compliance/Legal involvement 0.2 FTE (EUR 20,000-40,000), external advisory (EUR 15,000-50,000), technology platform (EUR 5,000-30,000), training and change management (EUR 5,000-20,000), audit preparation (EUR 5,000-15,000). Ongoing year 2-3 typically 30-50 percent of year one. Cost of NOT having governance: average EU AI Act penalty range starts at low six figures; reputational and legal exposure unbounded.