Blog

AI Governance Framework Template (Copy and Adapt for Your Organization)

A practical AI governance framework template you can copy and adapt. Covers policy scope, risk tiers, model approval, audit schedules, and incident response.

Phos Team ·
AI Strategy Operations

Most organizations stall on AI governance because they try to design the framework from scratch.

The structure is not the hard part. The hard part is deciding what your risk tiers actually are, who owns each decision, and what the approval process looks like for your specific size and complexity.

This template gives you a complete starting structure. It is written for small to mid-market organizations — companies generating $5M to $100M in annual revenue — that need a working governance framework without enterprise bureaucracy.

Copy the sections. Adapt the placeholders. Remove what does not apply. Use it.


How to use this template

This document is organized as a complete AI governance framework. Each section includes:

  • The section itself — copy directly into your own policy document
  • Notes in brackets — instructions for what to fill in or decide for your organization

Remove the bracket notes before publishing your internal framework. The headings and structure are final; the content in brackets is a prompt to you, not part of the policy.

For context on what an AI governance framework is and why it matters, see what is AI governance and building an AI governance framework.


Template: AI Governance Framework

[Organization name] — AI Governance Framework Version: [1.0] — Effective date: [date] Owner: [Name, title] Review schedule: [Annual / Quarterly]


Section 1: Purpose and scope

1.1 Purpose

This framework establishes how [Organization name] evaluates, approves, deploys, monitors, and retires artificial intelligence tools and systems. It exists to ensure AI use is consistent with our values, legal obligations, and operational risk tolerance.

1.2 Scope

This framework applies to:

  • All AI tools used by employees, contractors, or vendors acting on behalf of [Organization name]
  • AI systems embedded in software purchased or subscribed to by [Organization name]
  • AI models or systems developed internally or commissioned from third parties
  • Automated decision-making systems that influence hiring, pricing, customer communications, or financial outcomes

This framework does not apply to:

  • [List specific exclusions, if any — e.g., basic spell-check, grammar tools, search autocomplete]

1.3 Definitions

  • AI tool: Any software system using machine learning, large language models, or automated decision logic to generate outputs, recommendations, or actions
  • High-risk AI use: AI applied to decisions with significant impact on people, finances, or legal compliance — defined in Section 3
  • AI owner: The employee responsible for a deployed AI tool’s performance and compliance
  • AI Steering Committee: [Committee name or names of individuals] responsible for framework governance

Section 2: Governance structure

2.1 AI Steering Committee

The AI Steering Committee is responsible for:

  • Approving or rejecting AI use cases above the defined risk threshold
  • Reviewing and updating this framework on the schedule defined in Section 6
  • Resolving disputes about AI risk classification
  • Receiving incident reports and authorizing responses

Members:

RoleNameResponsibilities
Committee chair[Name]Final approval authority for high-risk AI
Operations lead[Name]Workflow and process impact assessment
Legal / compliance[Name]Regulatory and liability review
IT / security[Name]Technical security and data handling review
[Department head][Name]Business unit representation

[Note: For smaller organizations, this committee may be two or three people. Include whoever owns legal risk, operational decisions, and technical security.]

2.2 AI owners

Every deployed AI tool must have a named AI owner. The AI owner is responsible for:

  • Maintaining the tool’s entry in the AI inventory (Section 5)
  • Monitoring the tool’s outputs for quality and accuracy
  • Reporting incidents or anomalies to the AI Steering Committee
  • Ensuring the tool is decommissioned when no longer needed

2.3 Escalation path

All AI-related concerns, incidents, or proposed new uses follow this escalation path:

  1. Employee identifies issue or proposes new use → reports to their AI owner or manager
  2. AI owner assesses risk tier (Section 3) → low-risk proceeds; medium and high risk escalate
  3. AI Steering Committee reviews medium and high-risk cases
  4. Committee chair makes final determination

Section 3: Risk tiers

All AI use cases are classified into one of three risk tiers before deployment.

Tier 1 — Low risk

AI tools that assist with internal productivity, drafting, or research with human review before any output is acted upon.

Examples: summarizing internal documents, drafting email responses for human review, generating internal reports for human verification.

Approval required: AI owner sign-off. No committee review required.

Tier 2 — Medium risk

AI tools that influence customer-facing communications, operational decisions, or financial outputs. Human review required before outputs are acted upon, but the AI output significantly shapes the final decision.

Examples: AI-generated customer communications sent after brief human review, AI-assisted pricing recommendations, AI-drafted contracts reviewed by a non-lawyer.

Approval required: AI owner + one committee member sign-off. Documented in AI inventory.

Tier 3 — High risk

AI tools that make or heavily influence decisions with significant consequences — hiring, termination, credit, legal compliance, medical, safety, or automated customer-facing decisions without human review.

Examples: resume screening that determines which candidates advance, automated loan underwriting, customer service bots operating without human review on financial matters.

Approval required: Full AI Steering Committee review and documented approval. Legal and compliance review required. Documented in AI inventory with quarterly monitoring.

[Note: Adjust these examples for your industry. Healthcare, financial services, and staffing organizations typically move more use cases into Tier 3.]


Section 4: Approval process

4.1 New AI tool request

Any employee proposing a new AI tool completes the AI Tool Request Form (Appendix A) and submits it to their AI owner.

The request form captures:

  • Tool name and vendor
  • Proposed use case and affected workflows
  • Data inputs (does the tool process customer data, employee data, financial data?)
  • Proposed AI owner
  • Initial risk tier assessment

4.2 Review timelines

TierExpected review time
Tier 13 business days
Tier 210 business days
Tier 320 business days

4.3 Vendor assessment

All AI tools processing [Organization name] data or customer data require vendor assessment before approval. The assessment covers:

  • Data processing location and jurisdiction
  • Data retention and deletion policies
  • Security certifications (SOC 2, ISO 27001, or equivalent)
  • Subprocessor list
  • Incident notification commitments

[Note: Use your existing vendor assessment process or create a simple checklist. For tools under $5,000/year with no customer data exposure, a simplified review may apply.]

4.4 Approval documentation

Every approved AI tool receives a signed approval record retained for [3 years / the duration of use + 2 years]. The record includes:

  • Tool name and version
  • Approved use case
  • Risk tier
  • Approval date and approving parties
  • Conditions or restrictions on use
  • Next review date

Section 5: AI inventory

[Organization name] maintains a current inventory of all approved AI tools. The inventory is owned by [Name/role] and reviewed [quarterly / annually].

Inventory fields per tool:

FieldDescription
Tool nameName and version
VendorVendor name and contact
Risk tier1, 2, or 3
Approved use caseDescription of approved uses
Data processedTypes of data the tool accesses
AI ownerNamed employee responsible
Approval dateDate of most recent approval
Next review dateScheduled next review
StatusActive / Under review / Decommissioned

[Note: A shared spreadsheet works for organizations with fewer than 20 AI tools. For larger inventories, consider a dedicated tool or your existing GRC platform.]


Section 6: Monitoring and review

6.1 Ongoing monitoring

AI owners are responsible for monitoring their tools on the following schedule:

TierMonitoring frequency
Tier 1As needed; annual review
Tier 2Monthly spot-check of outputs; semi-annual review
Tier 3Weekly output review; quarterly formal review

Monitoring should assess:

  • Output quality and accuracy
  • Any changes in tool behavior or vendor updates
  • Compliance with the approved use case
  • User feedback or complaints

6.2 Framework review

This framework is reviewed [annually / every 6 months] by the AI Steering Committee. Reviews are triggered earlier if:

  • A significant AI incident occurs
  • Regulatory guidance materially changes
  • The organization’s AI use expands significantly in scope or risk tier

6.3 Annual audit

[Organization name] conducts an annual AI audit covering:

  • Completeness and accuracy of the AI inventory
  • Compliance with Tier 2 and Tier 3 monitoring requirements
  • Open incidents and their resolution status
  • Framework gaps identified during the year

[Note: For small organizations, the annual audit can be a half-day internal review. The goal is a documented record that governance is active, not a formal third-party audit unless required by regulation.]


Section 7: Incident response

7.1 What constitutes an AI incident

An AI incident is any event where an AI tool produces outputs that:

  • Cause harm or potential harm to a customer, employee, or third party
  • Violate applicable law or regulation
  • Result in a material error with financial or reputational impact
  • Expose confidential data outside approved parameters
  • Operate outside the approved use case

7.2 Incident response steps

  1. Identify: Any employee who observes a potential AI incident reports it immediately to their AI owner
  2. Contain: AI owner assesses severity and, if warranted, suspends the tool pending review
  3. Notify: AI owner notifies the AI Steering Committee within [24 hours] of a medium or high severity incident
  4. Investigate: Committee determines root cause, affected scope, and remediation steps
  5. Remediate: AI owner implements changes or decommissions the tool as directed
  6. Document: Full incident report filed in the AI incident log within [10 business days]
  7. Review: Committee determines whether framework changes are needed

7.3 Severity levels

SeverityDefinitionResponse time
LowOutput quality issue, no external impactDocumented within 30 days
MediumCustomer or employee impact, containedCommittee notified within 24 hours
HighRegulatory, legal, or significant financial impactCommittee notified immediately; legal review required

Section 8: Employee responsibilities

All employees using AI tools are responsible for:

  • Using only approved AI tools for work purposes
  • Using approved tools only for their approved use cases
  • Not inputting confidential customer data, employee data, or proprietary business information into unapproved AI tools
  • Reviewing AI outputs before acting on them or sharing them externally
  • Reporting suspected AI incidents or policy violations to their manager or AI owner

Employees who knowingly circumvent this framework are subject to disciplinary action up to and including termination.


Section 9: Prohibited uses

The following uses of AI are prohibited at [Organization name] regardless of tier or approval:

  • Using AI to create deceptive content intended to mislead customers, regulators, or the public
  • Using AI to discriminate against protected classes in hiring, lending, or service delivery
  • Using AI to surveil employees without legally required notice and consent
  • Using AI tools that process personal data in jurisdictions where such processing is prohibited
  • Sharing outputs from confidential business processes with AI tools whose data retention cannot be verified

[Note: Add industry-specific prohibitions here — e.g., for healthcare organizations, add HIPAA-specific restrictions; for financial services, add specific regulatory prohibitions.]


Appendix A: AI Tool Request Form

Requestor information

  • Name:
  • Department:
  • Date:
  • Manager:

Tool information

  • Tool name:
  • Vendor:
  • Estimated annual cost:
  • Link to vendor’s privacy policy / terms:

Proposed use

  • Describe how you plan to use this tool:
  • Which workflows will it affect?
  • Who else in your team will use it?

Data assessment

  • Will this tool process customer data? (Y/N)
  • Will this tool process employee data? (Y/N)
  • Will this tool process financial data? (Y/N)
  • Will this tool retain or train on data you input? (Y/N — check vendor terms)

Risk self-assessment

  • Proposed risk tier (1/2/3):
  • Reason for tier selection:

Proposed AI owner: [Name]


Appendix B: AI incident log template

FieldEntry
Incident ID[Auto-assigned or sequential]
Date identified
Tool involved
Reported by
SeverityLow / Medium / High
Description
Immediate action taken
Root cause
Remediation steps
Completed by
Completion date
Framework change requiredY/N
Sign-off[AI owner + Committee chair]


Adapting this template for your organization

A few practical notes on customization:

Size the committee to your organization. A $10M company does not need a six-person AI Steering Committee. Two or three people — whoever owns legal risk, operations, and IT — is enough. The goal is accountability, not bureaucracy.

Start with your existing AI use, not hypothetical future use. Before you publish this framework, inventory every AI tool your team already uses. Most organizations find 10–20 tools in active use before a formal program exists. Your first job is to retroactively classify and document those, then run new requests through the formal process.

Tier 3 is where you focus energy. Tier 1 tools are low risk enough that the main value of governance is visibility — knowing what you have. Tier 3 tools are where governance prevents real harm. Make sure your Tier 3 process is actually rigorous, not just more paperwork.

Review dates matter more than perfect policies. The most common governance failure is a framework that gets written, approved, and never reviewed. Build the review schedule into the document itself and put it on the calendar.

For help implementing AI governance at your organization, see AI governance best practices and the comprehensive AI governance guide.

If you want support building a governance program that fits your company size and industry, Phos AI Labs works with SMBs and mid-market organizations on practical AI governance alongside full implementation.


Further reading

Related articles

The fastest way to know whether we're the right fit, is a conversation.

STEP 1/2 · ABOUT YOU