The Governance Field Guide to AI Systems

Executive Summary: Why This Guide Exists

AI governance is not a policy document, an ethics statement, or a compliance checkbox.

It is the set of enforceable constraints, evidence mechanisms, and accountability structures that determine how an AI system is allowed to behave over time.

This field guide is written for teams designing, deploying, and operating real AI systems. It focuses on governance that binds the system — governance that can be enforced, measured, audited, updated, and defended.

If governance cannot be translated into system controls, documentation, or operational rules, it is not governance — it is aspiration.

This guide explains:

• What governance means in AI systems
• Where governance lives inside the system
• How governance is operationalized
• What evidence and documentation must exist
• How governance enables compliance, trust, and long-term scale

What Governance Means in AI Systems

Governance defines who is allowed to decide what, under what conditions, and with what evidence.

In AI systems, governance answers questions such as:

• Who approved the system’s purpose and intended use?
• What behaviors are allowed or prohibited?
• What evidence exists to justify outputs and decisions?
• Who is accountable when the system fails or causes harm?
• What happens when the system changes?

Governance exists above engineering, but it must be expressed through engineering.

A governed AI system does not rely on trust, intent, or good faith.
It relies on constraints, controls, and proof.

Governance That Binds the System

Governance only matters if it binds system behavior.

Binding governance has three defining properties:

1. It is enforced at runtime or deployment
2. It produces durable evidence
3. It assigns responsibility

Examples of binding governance include:

• Explicit system purpose definitions
• Approved data or source allowlists
• Output and behavior constraints
• Version-locked deployments
• Logged approvals and change history

Examples of non-binding governance include:

• Ethical principles without enforcement
• Risk statements without controls
• Oversight bodies without authority
• Policies that are never checked or tested

If governance cannot be tested, it cannot be trusted.

Core Governance Control Categories

All AI governance controls fall into five categories.
Every governed AI system should implement controls in all five.

Evidence & Provenance Controls

What did the system rely on?

Evidence and provenance controls ensure the system can demonstrate:

• Where information came from
• What context was used
• How decisions were formed

Typical controls include:

• Source attribution
• Retrieval and context logging
• Training data documentation
• Prompt and configuration preservation
• Decision traces

Why this matters:

• Enables audits and investigations
• Supports legal and regulatory defensibility
• Reduces hallucinations
• Makes explanations possible

Without provenance, governance collapses under scrutiny.

Behavioral & Safety Controls

What is the system allowed to do?

Behavioral controls define and enforce:

• Allowed and disallowed behaviors
• Role-based output constraints
• Safety and policy rules
• Escalation and refusal mechanisms
• Limits on autonomy

Why this matters:

• Prevents unsafe or unintended behavior
• Aligns outputs with approved use cases
• Prevents scope creep over time

Behavioral governance must be explicit and testable.

Operational Controls

How is the system run?

Operational controls govern how the system is deployed and operated, including:

• Deployment and release approvals
• Access controls and permissions
• Monitoring and alerting thresholds
• Incident response procedures
• Authority to pause or shut down the system

Why this matters:

• Most governance failures occur after deployment
• Runtime misuse is more common than design failure
• Incident response must be pre-authorized

A system that cannot be intervened in is not governed.

Documentation & Record-Keeping Controls

What must exist to prove governance?

Documentation controls ensure the system has:

• A clear purpose statement
• Risk assessments
• Model or system cards
• Evaluation records
• Change logs and approval history

Why this matters:

• Preserves institutional memory
• Enables audits and reviews
• Prevents “we didn’t know” failures

If documentation is missing, governance is unverifiable.

Accountability & Oversight Controls

Who is responsible?

Accountability controls define:

• Named system owners
• Approval authorities
• Escalation paths
• Review cadences
• Decommissioning authority

Why this matters:

• Prevents responsibility gaps
• Enables decisive intervention
• Ensures accountability survives staff turnover

A system without ownership is not governed, regardless of safeguards.

Governance Across the AI Lifecycle

Governance must persist across the entire lifecycle of an AI system.

Design

• Define system purpose and intended use
• Identify risks and constraints

Build

• Implement governance controls
• Create required documentation
• Define evaluation criteria

Deploy

• Approve release
• Lock versions
• Activate monitoring

Operate

• Monitor behavior
• Log evidence
• Respond to incidents

Change

• Review modifications
• Re-evaluate risks
• Trigger re-approval when required

Retire

• Archive evidence
• Revoke access
• Document decommissioning

Most governance failures occur during change, not initial launch.

Evaluations That Support Governance

Not all evaluations support governance.

Governance-relevant evaluations:

• Measure adherence to constraints
• Detect drift or deviation
• Validate provenance and safety
• Inform approval decisions

Governance-irrelevant evaluations:

• Pure performance benchmarks
• One-off demos
• Marketing metrics

Effective governance evaluations are:

• Repeatable
• Versioned
• Tied to release and approval decisions

If an evaluation does not affect whether a system can ship or continue operating, it is advisory — not governance.

Related tools:
AI Change, Drift & Incident Review

AI Governance & Compliance Readiness Questionnaire

Drift and Change Management

AI systems change even when you do not explicitly update them.

Common sources of drift include:

• Model updates
• Data changes
• Prompt or configuration changes
• User behavior
• Environmental context

Governance requires:

• Drift detection mechanisms
• Defined change thresholds
• Re-approval triggers
• Rollback procedures

Uncontrolled drift is a governance failure, not a technical accident.

Governance Is Not Compliance (But Enables It)

Governance is an internal control system.
Compliance is an external obligation.

Strong governance:

• Produces evidence on demand
• Makes compliance achievable
• Reduces regulatory friction

Weak governance:

• Reacts to regulation
• Scrambles for documentation
• Increases legal and operational risk

This is why modern AI policies and standards increasingly emphasize governance mechanisms, not just outcomes.

Examples include:

• EU AI Act (risk classification, documentation, post-market monitoring)
• NIST AI Risk Management Framework (governance, mapping, measurement)
• ISO/IEC 42001 (AI management systems and controls)
• OECD AI Principles (accountability, transparency, human oversight)

These frameworks differ in scope and jurisdiction, but they rely on the same governance primitives described in this guide: evidence, constraints, accountability, and change management.

Looking Forward

Governance is not about slowing AI down.

It is about making AI systems safe, defensible, and scalable.

Well-governed systems:

• Ship faster
• Fail more predictably
• Earn trust over time

If a system cannot explain its behavior, demonstrate its constraints, or show who is accountable for it, governance is incomplete — regardless of intent.h targeted controls.

Practical Governance Tools

Governance becomes effective only when operationalized.

The following tools translate this guide into concrete review and approval artifacts:

These tools are designed to be used:

• Before deployment
• During periodic reviews
• After incidents
• Whenever systems change

Tools Guides explain what “good” looks like. Questionnaires show where you are.

Field guides All Field Guides → Assessments All Questionnaires → Evaluator TrustEval → Operational review Incident Report →

Related Questionnaires

These questionnaires are designed to be used alongside this field guide. Each one tests whether the concepts discussed here exist in practice — across strategy, intake, engineering, governance, and operations.

Strategy & Alignment

• AI Strategy & Adoption Readiness (Executive)
  Used by executives and senior leaders to assess whether AI initiatives have clear objectives, ownership, decision gates, and rollout discipline.

Use-Case Intake & Risk Decisions

• AI Adoption Readiness
  A baseline assessment for organisations beginning or scaling AI, focused on foundational controls and early-stage safeguards.
• AI Use-Case Intake & Risk Tiering
  Used when deciding what AI systems to build or ship, and under what risk tier, approval path, and control set.

Build, Reliability & Grounding

• AI Engineering Maturity (Systems)
  Assesses whether AI systems are production-ready, including evaluation, monitoring, drift handling, and operational reliability.
• RAG & Grounding Readiness
  Used by teams building retrieval-augmented systems to assess evidence handling, source control, grounding quality, and traceability.

Governance, Procurement & Oversight

• AI Governance & Compliance Readiness
  Used by legal, risk, compliance, and policy teams to assess enforceable controls, auditability, and accountability structures.
• AI Vendor Procurement & Due Diligence
  Used before purchasing or renewing AI tools to assess evidence access, failure transparency, exportability, and vendor risk posture.

Operations & Incident Review

• AI Change, Drift & Incident Review
  Used after incidents, unexpected behaviour, or major changes to identify root causes, control gaps, and corrective actions.

These questionnaires are most effective when completed by multiple roles (e.g., executive, engineering, governance) and compared for alignment gaps.