DAMA UK Case Study Makes the Case for Purchase Order Gateways and 10/20/70 Investment to Fix AI Governance's People Problem
What happened
DAMA UK, the UK chapter of the global data management professional body, published Case Study: Data Governance in the AI Era on July 4, 2026, offering practical implementation guidance for enterprise AI governance programs. The case study advocates constructing audit trails from the first day of AI deployment to ensure traceable and defensible automated decisions, and recommends that Data Protection Officers collaborate formally with AI governance teams to satisfy transparency obligations under automated decision-making rules. It endorses adoption of both the NIST AI Risk Management Framework and ISO/IEC 42001:2023 as complementary risk management structures. The 10/20/70 model proposed in the study allocates only 10 percent of AI investment to technology, 20 percent to data infrastructure, and 70 percent to people and process, including C-suite AI literacy programs. Critically, the study introduces the Purchase Order Gateway as a governance enforcement mechanism, requiring projects to obtain governance approval before funding is released, converting AI governance from a post-deployment audit function into a pre-deployment control.
Why it matters
- ·The Purchase Order Gateway model directly addresses regulatory exposure by making governance compliance a financial prerequisite, closing the common gap where AI systems are deployed before risk assessments or DPO reviews are completed, which creates retrospective liability under GDPR Article 22 and emerging AI-specific rules.
- ·The 10/20/70 allocation model exposes a structural operational risk: organizations that over-invest in AI technology relative to people and process controls are likely to fail governance audits not because frameworks are absent but because no one owns, understands, or applies them consistently.
- ·Formalizing DPO collaboration with AI governance teams is increasingly a regulatory expectation, not a best practice, as ICO guidance, the EU AI Act, and automated decision-making obligations under data protection law all require demonstrable accountability linkages between data privacy and AI deployment decisions.
Governance controls affected
What to do now
- ☐Audit your current AI project intake process to determine whether governance and DPO review gates exist before funding is approved, and implement a Purchase Order Gateway model if they do not.
- ☐Review your audit trail design for all active AI systems to confirm that decision logs are created at the point of deployment, not retrofitted after the fact, and that they meet tamper-evidence requirements.
- ☐Conduct a resource allocation review to assess whether your AI governance budget reflects a 70 percent weighting toward people and process, and identify underfunded areas such as reviewer training, governance ownership, and executive literacy.
- ☐Map your current governance program against both NIST AI RMF and ISO 42001 to identify framework gaps, and assign ownership for closing those gaps with a defined timeline.
- ☐Establish a formal collaboration protocol between your DPO and AI governance function, including shared review responsibilities for any AI system making or materially influencing decisions about individuals.
What to watch next
UK organizations should monitor ICO enforcement activity related to automated decision-making transparency, as the ICO's existing AI and data protection guidance creates an enforcement pathway that DAMA UK's recommendations are designed to address proactively. ISO 42001 certification activity is accelerating globally, and organizations that delay framework adoption risk being behind procurement and contractual requirements as enterprise buyers begin requiring certification as a vendor condition. Further DAMA UK guidance or sector-specific elaborations of the 10/20/70 model may follow, and compliance teams should track whether the Purchase Order Gateway concept surfaces in formal regulatory guidance or procurement standards from UK government bodies.
