Tom Cedoz

Framework · AI & emerging risk

AI Governance: Inventory, Risk-Tiering, and Oversight

Most companies do not need a fifty-page AI program; they need to know where AI already touches decisions about people, who owns each use, and which uses get a closer look before launch. This is a six-step framework for governance a lean legal or operations team can actually run — sized so it gets used rather than shelved.

Updated June 2026 · 6 steps · Prints to 2 pages

How to use this

The goal is proportionate governance — enough structure to manage real risk, light enough that a small team keeps it current. An elaborate framework no one follows is worse than a simple one everyone does, because it creates a paper record of controls you are not actually running. Work the six steps in order. The first three stand up the system; the last three keep it honest as tools and laws change.

One principle runs underneath all of it: AI changes the workflow, not the legal duties. Anti-discrimination law, consumer-protection law, privacy obligations, contract commitments, and the duty of competence apply the same way whether a decision is made by a person, a spreadsheet, or a model. “The vendor’s algorithm did it” is not a defense. Governance exists so the company can answer for what its tools do.

The six steps

  1. Inventory — find where AI is actually used.

    You cannot govern what you have not found, and almost every inventory comes back larger than expected. Look in three places. First, tools you bought as AI — the resume screener, the chatbot, the forecasting model. Second, and more easily missed, AI features quietly switched on inside tools you already license: the summarizer in your help desk, the “smart” ranking in your applicant-tracking system, the assistant baked into your office suite or CRM. Third, shadow AI — staff using consumer chatbots on personal accounts to draft, code, analyze, or decide, often with company or customer data pasted in. A short survey plus a look at the software in use beats a perfect audit. Capture what each use does, what data goes in, and what decision comes out.

  2. Risk-tier each use.

    Not every use deserves the same scrutiny; concentrate effort where the consequences land. A workable three-tier cut: High — AI that makes or materially shapes consequential decisions about people: hiring, promotion, discipline, pay, lending or credit, insurance, housing, benefits eligibility, and clinical or healthcare decisions. Medium — customer-facing uses (chatbots, recommendations, automated communications) and anything touching regulated or sensitive data. Lower — internal productivity with a human between the output and any real-world action: drafting, brainstorming, summarizing, code assistance. Tier on what the tool affects, not how advanced it sounds. A simple model that screens applicants is higher risk than a sophisticated one that suggests meeting times.

  3. Assign an owner and an approval gate.

    Every AI use should have a named business owner accountable for it, and every new tool should pass through one intake point before launch. A one-page intake form — what it does, what data it uses, what decisions it influences, which tier, what could go wrong — beats nothing, and beats an elaborate workflow no one completes. Route higher-tier and consumer-facing uses to a small cross-functional review (legal, IT or security, and the business owner; HR for anything touching employment decisions). Most low-tier uses can clear on the form alone. The point of the gate is not to slow the business; it is to make sure someone looked before a model started making decisions about people.

  4. Set proportionate controls per tier.

    Controls should scale with the tier, not blanket every use. The table below is a starting point, not a standard. For high-risk uses, the load-bearing controls are meaningful human oversight (a person with the authority and the information to override, not a rubber stamp), pre-deployment testing for accuracy and for disparate impact across protected groups, documentation of how the tool was validated and is monitored, and real vendor diligence. Several emerging laws appear to be converging on a similar list for consequential AI — impact assessments, notice to affected people, and human review — so this work tends to do double duty, though you should confirm what any given regime actually requires. Lower-tier uses may need little more than an acceptable-use rule and a reminder not to paste sensitive data into consumer tools. Pair this step with a clear AI use policy and, for purchased tools, the vendor-contract review.

  5. Monitor and reassess.

    AI governance is not a one-time project. Models drift, vendors push updates that change behavior or quietly add features, new shadow uses appear, and a tool that was low-risk can climb a tier the moment someone wires its output into a real decision. Re-run the inventory on a set cadence — many teams find a light quarterly check plus an annual deeper review workable — and re-tier anything that changed. Keep a short log of high-risk uses, their owners, and their last review date. When a tool causes a near-miss or a complaint, treat it as a signal to revisit the tier and the controls, not just the incident.

  6. Track the legal landscape.

    The law here is moving fast, fragmenting by jurisdiction, and far from settled — so the discipline is to watch named developments and confirm current status, effective dates, scope, and applicability before relying on any of them. Watch, among others, the Colorado AI Act and similar state efforts addressing duties around high-risk or consequential AI (assessments, notice, and oversight); the EU AI Act for any company with EU operations, users, or data; sector and state rules touching employment AI (for example, NYC Local Law 144 on automated employment decision tools, and Illinois measures on AI video interviews and biometric data); and FTC scrutiny of deceptive or unsubstantiated AI claims and of harms from automated decisions. Treat every item here as a pointer to check, not a statement of what currently applies to you. Whether a given rule is in force, how it defines its terms, and whether your use falls inside it are fact- and date-specific questions for current counsel.

Controls by risk tier

Tier | Typical uses | Proportionate controls
High | Hiring, promotion, pay, credit, insurance, benefits, healthcare — decisions about people | Cross-functional approval; human oversight with real override; pre-deployment and ongoing testing for accuracy and disparate impact; documented validation; vendor diligence; notice where required
Medium | Customer-facing AI; uses touching regulated or sensitive data | Intake review; accuracy and content checks; disclosure where users should know; data-handling and security terms confirmed; periodic monitoring
Lower | Internal drafting, summarizing, brainstorming, code assistance with a human in the loop | Acceptable-use rule; no sensitive data in consumer tools; named owner; spot checks

Treat the rows as a baseline to adapt, not a compliance checklist. The right controls depend on the specific use, your industry, the data involved, and the current law in your jurisdictions — all of which a lean program should revisit on a schedule rather than set once. This is general information, not legal advice.

Start with discovery

Most companies are already running more AI than their inventory shows — features switched on inside tools they already license, plus shadow AI on personal accounts. The first governance win is rarely a new policy; it is finding where AI is already making or shaping decisions about people, because that is where the duties already attach.