AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-07-08

DDMI's Two-Step AI Approval Model Shows How GRC Tooling Can Operationalize Guardrails at Enterprise Scale

What happened

DDMI published AI Governance in Action: Practical Insights from a Data-Driven Enterprise on July 1, 2026, detailing how the organization built a formalized AI governance operating model. The framework centers on a two-step approval sequence: proposed AI use cases first pass an internal screen assessing business soundness and ethical boundaries, then proceed to an Architecture Review Committee and Architecture Review Board for independent scrutiny. A GRC tool serves as the system of record for all AI initiatives, providing structured guardrails across legal compliance, cybersecurity, human accountability, and post-deployment monitoring. The case study is notable for its specificity: DDMI names the institutional structures, the sequencing of controls, and the role of the GRC platform in enforcing consistency across the portfolio. Framed for a US enterprise context, the model is designed to align AI usage with applicable federal and state law while preserving identifiable human responsibility for AI-driven outcomes.

Why it matters

  • ·Regulators across US jurisdictions and internationally are increasingly asking enterprises to demonstrate structured AI approval workflows; DDMI's two-step model provides a defensible, documented pattern that compliance teams can benchmark against existing programs or cite when responding to regulatory inquiries.
  • ·Embedding AI guardrails inside a GRC tool rather than managing them as standalone policies creates an auditable, version-controlled record of AI initiative approvals, significantly reducing the documentation gap that commonly surfaces during internal audits and external examinations.
  • ·The explicit assignment of human accountability at each approval stage directly addresses the accountability gap that regulators and litigants have targeted in recent AI-related enforcement actions and litigation, making the model relevant to legal, risk, and compliance functions simultaneously.

Governance controls affected

What to do now

  • Map your current AI intake process against DDMI's two-step model to identify whether your organization performs both a use-case soundness screen and an ethical limits review before committee submission.
  • Confirm that your GRC tool (or designated system of record) captures AI initiative approvals with sufficient metadata to reconstruct the rationale for approval or rejection during an audit.
  • Assign named human owners to each approved AI use case in your inventory and document that assignment within your GRC platform to satisfy human accountability requirements under emerging state and federal standards.
  • Review your Architecture Review Board or equivalent governance body's charter to verify it has explicit authority and defined criteria for AI-specific review, separate from general technology approval.
  • Schedule a gap assessment comparing your existing AI guardrail categories against the four dimensions DDMI uses: legal compliance, security, human accountability, and continuous monitoring.

What to watch next

As more named enterprises publish concrete AI governance operating models, regulators and standard-setters are likely to treat these case studies as informal benchmarks when assessing the adequacy of peer programs. Compliance teams should monitor whether US federal agencies, particularly through OMB or sector-specific regulators, begin referencing practitioner case studies in examination guidance or safe harbor criteria. Separately, the integration of AI approval workflows into GRC platforms is an emerging procurement and audit focus area; upcoming ISO 42001 certification cycles and state-level AI risk assessment requirements may begin specifying what a qualifying system of record must capture.

Related Coverage

Research2026-06-16

Enterprise Case Study Exposes the Hardest Part of AI Governance: Who Approves What, and When

A Dataversity case study published June 10, 2026 documents how a data-driven enterprise built a functional AI governance program by extending its existing data governance structures, formalizing decision rights, and implementing a use-case-level approval workflow. The case study details cross-functional oversight arrangements and a continuous monitoring program that compliance teams at peer organizations can adapt as a staged rollout model. It offers one of the more concrete practitioner-level blueprints available for organizations still designing their operating model.

Corporate Policy2026-07-08

Protiviti's AI Governance Guide Surfaces a Structural Gap: Most Enterprises Still Lack Formal Intake, Inventory, and Committee Controls

Protiviti has published a comprehensive AI governance guide covering executive accountability, committee structures, and scalable AI model intake processes for enterprise organizations. The guide synthesizes foundational governance practices into an FAQ-style reference for compliance and risk teams building or maturing their programs. It is aimed at US-based enterprises navigating the absence of a single prescriptive federal AI standard.

Corporate Policy2026-07-01

Databricks Enterprise AI Governance Guide Puts Risk Classification and PII Controls at the Center of Program Design

Databricks published a practitioner-oriented guide outlining best practices for enterprise AI governance, recommending that organizations inventory and classify AI use cases by risk level before applying controls. The guide emphasizes cross-functional role assignment, built-in safeguards for personally identifiable information, and proactive monitoring across the AI system lifecycle. It targets enterprise compliance teams building or maturing AI governance programs on data and model platforms.