openclaw/1kalin/afrexai-ai-governance

AI Governance Policy Builder

Build internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.

When to Use

• Writing or reviewing internal AI acceptable use policies
• Establishing AI governance committees or review boards
• Mapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)
• Evaluating vendor AI terms and liability clauses
• Preparing board-level AI governance reports

Governance Policy Framework

1. Acceptable Use Policy (AUP)

Every organization running AI needs a written AUP covering:

Permitted Uses

• List approved AI tools by department and function
• Define data classification tiers (public, internal, confidential, restricted)
• Map which data tiers can enter which AI systems
• Specify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)

Prohibited Uses

• Customer PII in non-SOC2 models without anonymization
• Autonomous financial decisions above $[threshold] without human review
• HR screening/scoring without bias audit documentation
• Any use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)

Shadow AI Detection | Signal | Risk Level | Action | |--------|-----------|--------| | API calls to unknown AI endpoints | HIGH | Block + investigate | | Browser extensions with AI features | MEDIUM | Audit + approve/deny | | Personal accounts on company devices | MEDIUM | Policy reminder + monitor | | Exported data to AI training sets | CRITICAL | Immediate review |

2. AI Model Selection & Procurement

Evaluation Scorecard (100 points)

| Criteria | Weight | What to Check | |----------|--------|---------------| | Data residency & sovereignty | 20 | Where is data processed? Stored? Can you choose region? | | Security certifications | 20 | SOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP | | Model transparency | 15 | Training data provenance, bias testing, version control | | Contract terms | 15 | Data usage rights, indemnification, SLA, exit clauses | | Performance & cost | 15 | Latency, accuracy benchmarks, token pricing, rate limits | | Integration & support | 15 | API stability, documentation quality, support SLA |

Minimum score for production deployment: 70/100

Red Flags (automatic disqualification):

• Vendor trains on your data without opt-out
• No data processing agreement (DPA) available
• Indemnification excluded for AI outputs
• No incident response SLA

3. Data Handling & Classification

AI Data Flow Audit Template

For each AI integration, document:

1. Input data: What goes in? Classification tier? PII present?
2. Processing: Where? Which model? Hosted or API? Region?
3. Output data: What comes out? Stored where? Retention period?
4. Training: Does vendor use your data for training? Opt-out confirmed?
5. Logging: Are prompts/responses logged? Where? Who has access?
6. Deletion: Can you request data deletion? Verified how?

Data Minimization Checklist

• [ ] Only send minimum necessary data to AI systems
• [ ] Strip PII before processing where possible
• [ ] Use synthetic data for testing and development
• [ ] Implement input sanitization for prompt injection prevention
• [ ] Audit output for data leakage (model regurgitating training data)

4. Regulatory Compliance Mapping

EU AI Act (effective Aug 2025, enforcement Feb 2025)

| Risk Category | Examples | Requirements | |--------------|----------|-------------| | Unacceptable | Social scoring, real-time biometric ID (most cases) | Banned | | High-risk | HR screening, credit scoring, medical devices | Conformity assessment, human oversight, transparency | | Limited | Chatbots, deepfakes | Transparency obligations (disclose AI use) | | Minimal | Spam filters, game AI | No requirements |

NIST AI RMF (Risk Management Framework)

• Map: Identify AI systems in use
• Measure: Quantify risks per system
• Manage: Implement controls proportional to risk
• Govern: Establish oversight structure and accountability

ISO 42001 (AI Management System)

• Useful for organizations wanting certified AI governance
• Aligns with ISO 27001 (already have it? Easier path)
• Covers: AI policy, risk assessment, objectives, competence, documentation

5. AI Governance Committee Structure

Recommended Composition

• Chair: CTO or Chief AI Officer
• Legal: 1 representative (contracts, compliance)
• Security: CISO or delegate (data protection, incident response)
• Business: 1-2 department heads (use case prioritization)
• Ethics: External advisor or designated internal role
• Finance: CFO delegate (budget, ROI tracking)

Meeting Cadence

• Monthly: Review new AI use cases, vendor changes, incidents
• Quarterly: Policy updates, compliance audit, budget review
• Annually: Full governance framework review, board report

Decision Authority | Decision | Authority Level | |----------|----------------| | New AI tool (< $5K/year) | Department head + security review | | New AI tool (> $5K/year) | Governance committee approval | | Customer-facing AI | Committee + legal + CEO sign-off | | AI incident response | Security lead (immediate) → Committee (48h review) |

6. Vendor Contract Checklist

Before signing any AI vendor contract, confirm:

• [ ] Data processing agreement (DPA) signed
• [ ] Your data is NOT used for model training (or explicit opt-out confirmed)
• [ ] Data residency requirements met (specify regions)
• [ ] Indemnification clause covers AI-generated output liability
• [ ] SLA includes uptime, latency, and support response time
• [ ] Exit clause: data export format, deletion timeline, transition support
• [ ] Security certifications current and verified (not expired)
• [ ] Incident notification timeline specified (72h or less)
• [ ] Subprocessor list provided with change notification rights
• [ ] Insurance coverage for AI-specific risks confirmed
• [ ] Price lock or cap on increases for contract duration
• [ ] Right to audit (or audit report access)

7. Board Reporting Template

Quarterly AI Governance Report

AI GOVERNANCE REPORT — Q[X] [YEAR]

1. AI PORTFOLIO SUMMARY
   - Active AI systems: [count]
   - New deployments this quarter: [count]
   - Retired/replaced: [count]
   - Total AI spend: $[amount] (vs budget: $[amount])

2. RISK DASHBOARD
   - High-risk systems: [count] — all compliant: [Y/N]
   - Open incidents: [count] — resolved this quarter: [count]
   - Shadow AI detections: [count] — remediated: [count]
   - Compliance gaps: [list]

3. VALUE DELIVERED
   - Hours saved: [estimate]
   - Revenue attributed to AI: $[amount]
   - Cost reduction: $[amount]
   - Customer satisfaction impact: [metric]

4. KEY DECISIONS NEEDED
   - [Decision 1: context + recommendation]
   - [Decision 2: context + recommendation]

5. NEXT QUARTER PRIORITIES
   - [Priority 1]
   - [Priority 2]

8. Incident Response for AI Systems

AI-Specific Incident Categories

| Category | Example | Response Time | |----------|---------|---------------| | Data breach via AI | Model leaks PII in output | Immediate — invoke security IR plan | | Hallucination causing harm | Wrong medical/legal/financial advice acted on | 4h — document, notify affected parties | | Bias detected | Discriminatory output in hiring/lending | 24h — suspend system, audit, remediate | | Prompt injection | Attacker manipulates AI behavior | Immediate — block vector, patch | | Cost overrun | Runaway API calls | 4h — rate limit, investigate, cap | | Vendor incident | Provider breach or outage | Per vendor SLA — activate backup |

Post-Incident Review Template

1. What happened (factual timeline)
2. Impact (who/what affected, cost, duration)
3. Root cause (not blame — systems thinking)
4. Fixes applied (immediate + permanent)
5. Policy/process changes needed
6. Board notification required? (Y/N + rationale)

Cost of NOT Having AI Governance

| Company Size | Annual Risk Without Governance | |-------------|-------------------------------| | 15-50 employees | $50K-$200K (shadow AI waste, compliance fines) | | 50-200 employees | $200K-$800K (data incidents, vendor lock-in, redundant tools) | | 200-1000 employees | $800K-$3M (regulatory penalties, IP exposure, audit failures) | | 1000+ employees | $3M-$15M+ (class action, regulatory enforcement, reputational damage) |

90-Day Implementation Roadmap

Month 1: Foundation

• Draft acceptable use policy
• Inventory all AI systems in use (including shadow AI)
• Classify data flowing through each system
• Identify governance committee members

Month 2: Controls

• Finalize and distribute AUP
• Implement vendor evaluation scorecard for new purchases
• Set up AI incident response procedures
• Begin regulatory compliance mapping

Month 3: Operationalize

• First governance committee meeting
• Deliver first board report
• Establish monitoring for shadow AI
• Schedule quarterly policy review cycle

---

Built by AfrexAI — AI operations infrastructure for mid-market companies.

Get the full industry-specific context pack for your sector ($47): https://afrexai-cto.github.io/context-packs/

Calculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/

Set up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/

Need all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7