
Who owns AI governance?

If you can't name who owns it, you don't have it. AI governance isn't a person you hire, a policy you write or a framework you buy — it's an operating model: a way of spreading accountability so that, when something goes wrong, your organisation answers from a system instead of scrambling to find a person to blame. Here's how it's structured — and the trap nearly everyone hits first.

The reframe

Not a person. Not a policy. Not a framework.

The instinct is to make governance a thing you can hold: appoint a Head of AI Governance, write a policy, buy a framework. Each helps. None of them, on its own, is governance. Governance is the operating model underneath — who decides, who checks, who can stop a system, and where the evidence lives. This guide is the "who owns it" companion to AI governance, explained (the what and the why).

There's a simple test for whether you have it. When something goes wrong, can the organisation answer — what did the system do, on what basis, who approved it, what happens now — from a process? Or does the answer depend on one person happening to be in the room?

Governance you can't point to isn't governance. The test isn't whether you've named someone — it's whether the organisation can answer without them.

The first trap

You can't hire your way to it.

The usual first move is a job advert: "Head of AI Governance — must know the AI Act, GDPR, machine learning, our sector, and chair a committee." That person is nearly impossible to find. And if you found them, hiring them wouldn't fix it — because governance isn't a role, it's a distribution.

One person cannot be the strategy, the oversight, the operation and the audit at once — and if they were, there'd be no independent check anywhere in the system. A single owner is a single point of failure wearing a job title. You don't hire your way to governance. You design it, then staff it.

The structure

Four zones of accountability.

Accountability for AI clusters into four zones. The job is to fill each one — and keep them genuinely separate.

Strategic

Board & C-suite

Sets the risk appetite and the red lines, and owns the "should we do this at all?" calls. Without it, everything below is improvised.

Oversight

Risk & ethics committee

Independent challenge: approves high-risk deployments and signs off the impact assessments — and must not be the people who built the system, or it isn't oversight.

Operating

AI teams & business units

Builds, runs and documents the systems day to day, and owns the controls and the logs that prove what actually happened.

Assurance

Internal audit & external review

Checks that the other three do what they claim, and owns the evidence trail a regulator or a buyer will ask to see.

The failure mode is letting the zones blur: when the team that builds the AI also signs off its own risk, you don't have oversight — you have a rubber stamp. Keeping the zones apart is most of the work, and most of the value.

Where it starts

The board sets the appetite first.

None of this runs until the top of the house has said, in writing, how much risk it's willing to carry and where the red lines are. Skip that and every later decision is improvised, and governance only ever shows up after something breaks — as cleanup, not control.

Done in the right order it's the opposite of a brake: agree the floor and the red lines once, up front, and everything inside them can move fast with a clear conscience. The appetite is what lets the rest of the organisation say "yes" quickly and still answer for it.

What makes it real

The model becomes a handful of artefacts.

An operating model isn't a diagram on a wall — it's a small set of documents people actually use:

An AI governance policy: the standing rules — who may do what, and how a decision escalates.
A RACI: for each duty, who is accountable, who is consulted, who is merely informed. The end of "I thought you had that".
Committee terms of reference & decision gates: who sits where, what they decide, and the checkpoints a deployment must pass before it ships.
A competence matrix: what each role must actually be able to do — and the training behind it. Reg-to-Skills in practice.
A risk-appetite statement: the board's written line on how much risk is acceptable, and where the red lines sit.

Naming these is easy; building ones people use — and that hold up when a regulator or a buyer asks — is the work. The competence matrix in particular is just Reg-to-Skills pointed inward: translate each duty into what a specific role must be able to do.

How Kramer Consulting helps

We design the model with the people who'll run it.

We map the four zones onto your actual organisation, fill the gaps, write the artefacts with the people who'll own them, and leave the capability behind — so the answer to "how do you govern your AI?" is your team speaking, not a binder on a shelf. It pairs with the AI Act Compliance Accelerator when there's a regulatory clock, and with the training that makes the model stick.

Who owns AI governance in your organisation?

If the honest answer is a shrug, that's the place to start. Thirty minutes, an honest read, no pitch.
