AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-07-08

DAMA UK Case Study Makes the Case for Purchase Order Gateways and 10/20/70 Investment to Fix AI Governance's People Problem

What happened

DAMA UK, the UK chapter of the global data management professional body, published Case Study: Data Governance in the AI Era on July 4, 2026, offering practical implementation guidance for enterprise AI governance programs. The case study advocates constructing audit trails from the first day of AI deployment to ensure traceable and defensible automated decisions, and recommends that Data Protection Officers collaborate formally with AI governance teams to satisfy transparency obligations under automated decision-making rules. It endorses adoption of both the NIST AI Risk Management Framework and ISO/IEC 42001:2023 as complementary risk management structures. The 10/20/70 model proposed in the study allocates only 10 percent of AI investment to technology, 20 percent to data infrastructure, and 70 percent to people and process, including C-suite AI literacy programs. Critically, the study introduces the Purchase Order Gateway as a governance enforcement mechanism, requiring projects to obtain governance approval before funding is released, converting AI governance from a post-deployment audit function into a pre-deployment control.

Why it matters

  • ·The Purchase Order Gateway model directly addresses regulatory exposure by making governance compliance a financial prerequisite, closing the common gap where AI systems are deployed before risk assessments or DPO reviews are completed, which creates retrospective liability under GDPR Article 22 and emerging AI-specific rules.
  • ·The 10/20/70 allocation model exposes a structural operational risk: organizations that over-invest in AI technology relative to people and process controls are likely to fail governance audits not because frameworks are absent but because no one owns, understands, or applies them consistently.
  • ·Formalizing DPO collaboration with AI governance teams is increasingly a regulatory expectation, not a best practice, as ICO guidance, the EU AI Act, and automated decision-making obligations under data protection law all require demonstrable accountability linkages between data privacy and AI deployment decisions.

Governance controls affected

What to do now

  • Audit your current AI project intake process to determine whether governance and DPO review gates exist before funding is approved, and implement a Purchase Order Gateway model if they do not.
  • Review your audit trail design for all active AI systems to confirm that decision logs are created at the point of deployment, not retrofitted after the fact, and that they meet tamper-evidence requirements.
  • Conduct a resource allocation review to assess whether your AI governance budget reflects a 70 percent weighting toward people and process, and identify underfunded areas such as reviewer training, governance ownership, and executive literacy.
  • Map your current governance program against both NIST AI RMF and ISO 42001 to identify framework gaps, and assign ownership for closing those gaps with a defined timeline.
  • Establish a formal collaboration protocol between your DPO and AI governance function, including shared review responsibilities for any AI system making or materially influencing decisions about individuals.

What to watch next

UK organizations should monitor ICO enforcement activity related to automated decision-making transparency, as the ICO's existing AI and data protection guidance creates an enforcement pathway that DAMA UK's recommendations are designed to address proactively. ISO 42001 certification activity is accelerating globally, and organizations that delay framework adoption risk being behind procurement and contractual requirements as enterprise buyers begin requiring certification as a vendor condition. Further DAMA UK guidance or sector-specific elaborations of the 10/20/70 model may follow, and compliance teams should track whether the Purchase Order Gateway concept surfaces in formal regulatory guidance or procurement standards from UK government bodies.

Related Coverage

Research2026-06-13

Practitioner Scorecard Maps Enterprise AI Governance Controls to NIST AI RMF and ISO 42001, Filling a Board Reporting Gap

CCG Catalyst has published a practitioner guide structuring enterprise AI governance programs around policy content, human-in-the-loop standards, validation, monitoring, roles, and committee reporting. The guide provides a board-style scorecard approach and explicitly maps control expectations to the NIST AI Risk Management Framework and ISO/IEC 42001. It is designed for compliance, risk, and audit teams that need operating metrics rather than high-level principles.

Research2026-07-06

IBM IBV Framework Exposes the Accountability and Auditability Gap Holding Enterprise AI Governance Programs Back

The IBM Institute for Business Value has published 'The Enterprise Guide to AI Governance,' a practitioner-facing report that identifies leadership accountability, multidisciplinary team structures, and explainable and auditable AI outputs as the core implementation challenges facing enterprise compliance programs globally. The report provides structured recommendations for building governance infrastructure capable of supporting both regulatory requirements and responsible human-AI collaboration. It is directed at executives and governance professionals across industries deploying AI at material scale.

Research2026-07-04

Telefonica's Dual-Committee AI Governance Model Sets Implementation Benchmark for EU AI Act Compliance

The AI Company Data Initiative has published a case study report documenting how Telefonica structured its AI governance program, including a tiered employee training curriculum and a dual-committee model pairing monthly operational steering with quarterly strategic management reviews. The report is framed explicitly around EU AI Act compliance obligations. It provides compliance teams with a named-enterprise reference architecture for governance committee design and mandatory ethical awareness training.