AI Governance Institute

Practical Governance for Enterprise AI

BRD · Board & Executive Governance · BRD-002 · Medium effort

AI Governance Committee Charter and Decision Rights

Establish a cross-functional AI governance committee with a formal charter defining its mandate, composition, decision rights, quorum requirements, escalation paths, and reporting obligations to the board.

Objective

Ensure AI governance decisions are made by a formally chartered body with defined authority, accountability, and board-level reporting lines, rather than ad hoc by individual business units or technology teams.

Maturity Levels

1. Initial: AI governance decisions are made informally by technology or product leadership with no cross-functional oversight body.

2. Developing: An informal AI governance working group meets periodically, but it has no formal charter, defined decision rights, or board reporting obligation.

3. Defined: A formally chartered AI governance committee exists with documented composition, decision rights, quorum requirements, and meeting cadence. It reports to the board or a board committee at least annually.

4. Managed: The committee's decisions are logged and accessible to internal audit. Escalation paths are tested. The committee reviews all high-risk AI deployments before go-live and reviews material AI incidents within 30 days.

5. Optimizing: The committee's charter is reviewed annually and updated to reflect material changes in AI capability, regulation, or organizational structure. External members or advisors participate in at least one committee meeting per year.

Evidence Requirements

What an auditor or assessor would expect to see for this control.

  • Formal committee charter approved by the board or a board committee, including mandate, composition, decision rights, quorum, cadence, escalation path, and reporting obligations.
  • Committee meeting minutes for the past 12 months showing attendance, decisions made, and issues escalated.
  • Annual board or audit committee report from the AI governance committee.

Implementation Notes

Key steps

  • Draft a committee charter covering:

    • Mandate: The committee's purpose, authority, and relationship to the board and executive leadership.
    • Composition: Required members (typically: Chief AI Officer or equivalent, Chief Risk Officer, General Counsel, CISO, Chief Data Officer, business unit representatives) and any external advisors.
    • Decision rights: A RACI matrix defining which AI governance decisions the committee approves, which it recommends for board approval, and which it reviews after the fact.
    • Quorum: Minimum membership required for a valid decision.
    • Meeting cadence: Minimum frequency (quarterly recommended) and conditions for an extraordinary meeting.
    • Escalation path: Defined triggers for escalating issues to the board or audit committee.
    • Reporting: What the committee reports to the board, how often, and in what format.
  • Distinguish this committee from the Board-Level AI Safety Committee (BRD-003). This committee is the operational governance body; the board committee provides fiduciary oversight.

  • Register the committee in the organization's governance document hierarchy alongside the audit committee charter, risk committee charter, and similar instruments.

  • Conduct a tabletop exercise in the first year to test escalation paths and decision-right boundaries.

Absorbing the ethics committee gap

Many organizations have a separate AI ethics committee. If one exists, the charter should either absorb it (defining ethics review as a function of this committee) or define the interface between the two bodies, including when ethics review is a prerequisite for committee approval.

Example Implementation

AI Governance Committee Charter (excerpt)

1. Mandate: The AI Governance Committee (the Committee) is responsible for enterprise-wide oversight of AI strategy, risk, and compliance. It has authority to approve or reject AI system deployments classified as high-risk and to recommend AI governance policy to the Board Risk Committee.

2. Composition: Required members: Chief AI Officer (Chair), Chief Risk Officer, General Counsel, CISO, Chief Data Officer, Head of Internal Audit (observer). Business unit representatives rotate quarterly.

3. Decision rights

Decision type                          | Committee authority
---------------------------------------|------------------------------
High-risk AI system deployment         | Approve / reject
Material change to AI risk appetite    | Recommend to Board
AI governance policy updates           | Approve
Vendor AI safety commitment sign-off   | Approve
Post-incident governance review        | Review and direct remediation

4. Quorum: Four members including the Chair and at least one of: CRO, GC, or CISO.

5. Meeting cadence: Quarterly ordinary meetings; extraordinary meeting within 5 business days of a Severity 1 AI incident.

6. Reporting: Quarterly summary to Board Risk Committee; annual governance report to full Board.

Control Details

  • Control ID: BRD-002
  • Typical owner: Chief AI Officer / General Counsel / Chief Risk Officer
  • Implementation effort: Medium effort
  • Agent-relevant: No

Tags

AI governance committee, decision rights, corporate governance, AI ethics committee, RACI