How AI Compliance and Governance Works: A Step-by-Step Explanation
Learn how AI compliance and governance programs work: policy mapping, model auditing, output monitoring, audit trails, and what makes governance programs fail.
The Process, Step by Step
1. AI inventory and risk classification. Every AI tool, model, and automated decision system in use gets documented: what it does, what data it processes, what decisions it influences or makes, who uses it, and what the consequence of a wrong decision is. Risk classification assigns each system to a tier based on decision consequence. Tier 1 (highest risk): AI making decisions that directly affect people's rights, finances, or significant business outcomes. Examples: automated credit decisioning, resume screening that filters candidates before human review, AI-generated medical triage. Tier 2: AI assisting decisions that humans review and approve. Examples: AI-drafted customer emails, pricing recommendations a manager approves, lead scoring that routes to a sales rep. Tier 3 (lowest risk): AI for internal productivity tasks with human review of all outputs. Examples: AI summarizing meeting notes, GitHub Copilot generating boilerplate code, Claude drafting internal Slack messages. Expect a tier distribution of roughly 10 percent Tier 1, 30 percent Tier 2, and 60 percent Tier 3 for a typical mid-market business.
2. Policy gap analysis. Each AI system's behavior gets mapped against existing policies. This is where AI tools prove useful for the governance work itself: feeding policy documents and AI output samples to a language model and asking it to identify where the AI's outputs conflict with, violate, or fall outside the scope of current policies. The gap analysis produces a prioritized list of policy updates needed, AI system modifications needed, and systems that should be discontinued or restricted. A realistic gap analysis for a 200-person company surfaces 15 to 30 discrete gaps, of which 5 to 10 are material enough to require policy rewrites rather than clarifications.
3. Policy development and documentation. Gaps identified in step 2 become new policy content. AI-specific policies address: acceptable use (what AI can and cannot be used for in your organization), data handling requirements (what data may be processed by AI, what must stay internal), disclosure requirements (when must you tell customers an AI was involved in a decision), and approval workflows (which AI uses require pre-approval, which require post-review). Policies that are too vague to enforce will not be enforced. "Employees should use AI responsibly" is not a policy. "Employees may not paste customer PII into public-tier ChatGPT, Claude.ai, or Gemini, and must use the enterprise API tier for any customer data processing" is a policy.
4. Monitoring infrastructure setup. Monitoring means logging AI inputs and outputs systematically, then reviewing a sample against policy criteria. For high-risk AI applications, 100 percent of outputs may be logged and a percentage reviewed. For lower-risk applications, statistical sampling (reviewing 5 to 10 percent of outputs) is typically sufficient to detect systematic problems. The monitoring system needs to capture: what the AI was asked, what it produced, who invoked it, when, and any downstream action taken based on the output. Tools that work well here include Datadog for LLM observability, LangSmith for prompt and response logging, Arize for production model monitoring, and custom logging built into your AI integration services implementation. Budget $15,000 to $60,000 per year for monitoring infrastructure depending on volume.
5. Exception and approval workflow design. Some AI uses require pre-approval: using an AI model on customer PII, deploying AI in a customer-facing decision context, or using an AI tool that wasn't on the approved vendor list. The approval workflow defines who reviews the request, what information they need, what the criteria for approval are, and how exceptions are documented. Workflows that route every minor request through a lengthy approval process create pressure to bypass governance entirely. Risk-proportionate workflows route only material new uses to formal review. A working pattern: Tier 3 use cases get a 48-hour async review by a single approver. Tier 2 requires sign-off from a named reviewer plus a named business owner. Tier 1 goes to a cross-functional committee that meets biweekly.
6. Audit trail implementation. An audit trail logs every consequential AI decision with enough information to reconstruct what happened: the input to the AI, the AI's output, any human review, and the final action taken. For AI systems that influence credit decisions, hiring decisions, or pricing, the audit trail is not optional. It's the mechanism that allows you to demonstrate compliance to regulators, to investigate complaints, and to identify systematic errors. Audit logs must be tamper-evident, retained per your legal requirements (typically 3 to 7 years depending on jurisdiction and industry), and searchable. Retention costs scale with volume. Plan for $0.023 per GB per month on S3 Standard, dropping to $0.004 on Glacier for older logs.
7. Quarterly review and policy update cycle. AI tools change. Models update. New tools get adopted. Legal requirements evolve. A governance program without a regular review cycle becomes stale and eventually stops reflecting the actual state of AI usage in the organization. Quarterly reviews cover: new AI tools adopted since the last review, changes to existing tools that affect risk classification, regulatory developments that require policy updates, and review of monitoring findings and whether any systematic issues need to be addressed. A good quarterly review takes 4 to 8 hours of the governance owner's time plus 1 hour from each tier owner. Shorter than that and you're rubber-stamping. Longer and the cadence is too slow.
Where Things Go Wrong
Compliance theater: documented but not enforced. The most common failure mode. The governance program produces a policy document, a risk register, and an acceptable use policy. These get signed off by leadership and filed in SharePoint. Nobody changes how AI tools are used. Nobody reviews AI outputs against the policy criteria. The first time an AI-related incident occurs, the written policy provides false comfort while the actual risk goes unmanaged. Real governance means the monitoring happens, the reviews happen, and findings are acted on. A simple test: pull the monitoring logs from the past 30 days. If there are fewer than 5 flagged items or nobody can tell you what happened to the flagged items, the program is theater.
Monitoring that flags too much and gets ignored. Overly sensitive monitoring systems that flag a high percentage of AI outputs quickly train reviewers to treat flags as noise. When everything is flagged, nothing is. Calibrating monitoring thresholds to flag genuinely problematic outputs, not trivially imperfect ones, requires iteration. Start conservative, review the flagged items for the first month, and recalibrate based on what the false positive rate looks like in practice. A healthy flag rate for AI customer communications is roughly 2 to 5 percent of outputs. Below 1 percent and you're missing things. Above 10 percent and reviewers will stop engaging seriously.
No process when AI makes a compliance error. Every governance program needs an incident response procedure for the scenario where AI produces a compliance violation. What happens when a customer complains that an AI decision was biased? When an AI communication violated a regulatory requirement? When AI output disclosed confidential information? The procedure needs to cover: immediate containment (stop the AI action from propagating further), investigation (pull the audit trail, understand what happened), remediation (correct the specific harm), and systemic fix (update the AI system or policy to prevent recurrence). Run a tabletop exercise at least annually. Pick a plausible scenario, time how long it takes your team to pull the audit trail, and fix the bottleneck before a real incident tests it.
Governance program not updated as AI capabilities expand. A governance program designed for your 2024 AI stack may not adequately address AI agents that can take autonomous actions (Claude Computer Use, OpenAI Operator), AI models with multimodal inputs, or AI used in new decision contexts adopted in 2026. Governance needs to be forward-looking, with a process for evaluating new AI capabilities and their risk implications before they're deployed, not after problems appear. Agentic AI in particular breaks most existing governance frameworks because the audit trail question shifts from "what did the AI produce" to "what did the AI do in a live system."
What the Output Looks Like
A completed AI compliance and governance program delivers: a documented AI inventory with risk classification for every system, an acceptable use policy and any required supplemental policies, a monitoring infrastructure with defined review cadences and escalation paths, an audit trail system for high-risk AI decisions, an exception and approval workflow, an incident response procedure, and a quarterly review process with defined owners and outputs. The program is a living system, not a one-time document. Total pages of documentation land around 30 to 60 for a mid-size company, not 300. If the output runs much longer, it will not be read, which means it will not be followed.
How to Evaluate Your Options
When choosing how to build a governance program, three paths exist, each with real tradeoffs. Option one is to buy a governance platform like Credo AI, Holistic AI, or Fairly AI, which range from $30,000 to $150,000 annually depending on scale. These platforms give you templated policies, monitoring tooling, and a regulatory tracker. The weakness is that they tend to produce generic output that doesn't map cleanly to your specific operations, and they still require internal ownership to actually run.
Option two is a consulting engagement with a firm like Deloitte, PwC, or a boutique AI governance shop. Engagements typically run $75,000 to $300,000 for an initial build plus retainer. You get a customized program and expert guidance, but you also get a deliverable that's as strong as your internal team's ability to operate it after the consultants leave. Plan for knowledge transfer carefully or the program decays within 12 months.
Option three is to build the program internally with targeted support for specific gaps. This is usually the right answer for companies with 50 to 500 employees. Cost is the governance owner's time plus $15,000 to $50,000 for monitoring infrastructure and optional external review. The tradeoff is longer time to completion (12 to 16 weeks instead of 6 to 8) in exchange for a program the internal team actually owns and can sustain. Our AI integration services and workflow automation work often includes governance scaffolding as part of broader AI deployments, which keeps the governance program aligned with how AI is actually used.
How Long It Takes
Phase 1: Discovery and inventory (Weeks 1 to 2). AI tool inventory, shadow usage assessment, and initial risk classification.
Phase 2: Gap analysis and policy development (Weeks 3 to 5). Policy mapping, gap identification, new policy drafting, and legal review.
Phase 3: Infrastructure and workflow build (Weeks 6 to 8). Monitoring system setup, audit trail implementation, and approval workflow design.
Phase 4: Launch and calibration (Weeks 9 to 10). Program launch, initial monitoring calibration, and team training.
Ongoing: Quarterly reviews, annual policy refresh, and incident response as needed.
Ten weeks from start to operational program is realistic for a mid-size organization with 3 to 5 high-risk AI applications. Organizations with more AI surface area, stricter regulatory environments, or more complex approval workflows take longer. A publicly traded financial services company should plan for 20 to 26 weeks. A 40-person startup with two AI use cases can compress the timeline to 6 weeks.
Frequently Asked Questions
Is AI governance required by law?
It depends on your industry, jurisdiction, and what AI is being used for. The EU AI Act creates binding requirements for AI systems used in high-risk contexts (credit decisions, hiring, essential services) and applies to any company serving EU customers regardless of where the company is based. The EEOC and CFPB have issued guidance applying existing anti-discrimination law to AI-assisted hiring and credit decisions in the US. State laws (Colorado's SB 205, California's SB 942, Illinois's AI Video Interview Act, New York City's Local Law 144) impose specific obligations on certain AI uses. Even where no specific AI regulation applies, general obligations around data privacy, consumer protection, and anti-discrimination law apply to AI decisions the same as human decisions. Legal review of your specific context is essential.
How do we handle AI tools that employees use on their own?
Through policy, visibility, and friction. The acceptable use policy establishes what AI tools are approved and what data may be processed by unapproved tools. Device management or browser controls can block access to unapproved AI services on company networks and devices. Tools like Nightfall, Harmonic, and Prompt Security specifically scan for sensitive data being pasted into consumer AI tools and block or alert in real time. Clear guidance on what counts as a violation and what the consequences are increases voluntary compliance. Shadow AI usage cannot be eliminated entirely, but it can be reduced to a manageable level and brought into governance through approved alternatives that meet employee needs.
How does governance differ between using an AI vendor's model versus running our own model?
When using a third-party model (OpenAI, Anthropic, Google), the governance question is primarily about how you're using the model and what data you're sending to it. Your vendor agreements, data processing addendums, and acceptable use policies matter here. Ensure you're on enterprise tiers with zero-retention agreements for anything touching customer data. When running your own model (self-hosted, fine-tuned, or custom-trained), you also carry responsibility for the model's behavior, its training data, and its outputs. Self-hosted models typically require more intensive monitoring because you can't rely on the vendor's safety systems as a backstop. Expect self-hosted governance to cost roughly 2x what vendor-model governance costs.
What does a governance audit look like?
A governance audit examines: whether the AI inventory is current and complete, whether monitoring is happening at the defined cadence and whether findings are acted on, whether the audit trail covers the required AI decisions at the required level of detail, whether exceptions are going through the approval workflow rather than bypassing it, and whether the quarterly review process is producing policy updates when needed. Audits can be conducted internally by a compliance function or externally by a third-party assessor. High-risk industries typically require external assessment. Audit costs run $20,000 to $75,000 for a mid-size company every 18 to 24 months.
What is the smallest viable governance program?
For a company with fewer than 50 employees and only Tier 3 AI uses, a viable minimum looks like: a one-page acceptable use policy, a shared spreadsheet inventory of AI tools in use, a quarterly 30-minute review meeting, and a documented process for escalating anything unusual to the founder or operations lead. Total time investment is under 20 hours per year. The trap is staying at this level after you add Tier 1 or Tier 2 AI uses. The moment AI starts making or materially influencing customer-facing decisions, you need the full framework.
How do we handle AI outputs that turn out to be wrong after the fact?
Through the incident response procedure. The key is separating the specific harm (fix this customer's issue now) from the systemic question (why did the AI produce this output, and what prevents it from happening again). Most incidents trace to one of four root causes: bad input data, a model update that changed behavior unexpectedly, a prompt that was underspecified for edge cases, or a gap between what the AI was evaluated on and how it's actually used in production. The audit trail is what lets you distinguish between these. Budget 4 to 12 hours of engineering time per material incident for investigation and fix, not counting the time to remediate the specific customer-facing harm.
Ready to put this into action?
We help businesses implement the strategies in these guides. Talk to our team.