Acuity AI Advisory

AI Governance FAQ

What does an AI governance framework include?

Quick answer

A complete AI governance framework includes: an AI use policy (permitted uses, prohibited uses, verification requirements), an AI inventory (every system in use, classified by risk tier), a governance structure (who is responsible for what), a risk assessment process, oversight mechanisms (how AI decisions are monitored), an incident reporting process, and an audit trail. For organisations subject to the EU AI Act, the framework must also include technical documentation, conformity assessment records (for high-risk systems), and human oversight mechanisms for automated decisions.

The seven components of an AI governance framework

A robust AI governance framework has seven core components. First, an AI use policy: a clear written statement of what AI use is permitted, what is prohibited, what verification is required before AI outputs are relied on, and who is responsible for compliance. Second, an AI inventory: a register of every AI system in use, including AI embedded in software platforms, classified by risk tier. Third, a governance structure: named individuals accountable for AI governance at board, senior management, and operational levels. Fourth, a risk assessment process: systematic evaluation of each AI system against the organisation's risk appetite and regulatory obligations. Fifth, oversight mechanisms: active monitoring of AI outputs and decisions, including the ability to detect and correct errors. Sixth, an incident reporting process: a clear procedure for identifying, escalating, and responding to AI failures. Seventh, an audit trail: documentation of governance activity that can be produced to regulators, auditors, and other stakeholders.

What the EU AI Act requires of governance frameworks

For organisations deploying high-risk AI systems under the EU AI Act, the governance framework must go further. The Act requires technical documentation that describes the system's design, development, testing, and performance characteristics. It requires a conformity assessment — a structured evaluation that the system meets the Act's requirements — before the system is placed into service. It requires human oversight mechanisms: qualified individuals who can understand, monitor, and intervene in the system's operation. It requires logging and audit trail requirements that go beyond general best practice. And it requires organisations to register their high-risk systems in the EU AI system database. These are not optional enhancements to a governance framework — they are legal prerequisites for operating high-risk AI legally from August 2026.

Acuity AI designs and implements AI governance frameworks for Irish organisations across all sectors. See our AI governance services.