AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News
Research2026-07-12

Ten-Step Enterprise AI Governance Framework from Fisher Phillips Puts Governance Committees, Bias Audits, and Vendor Due Diligence at the Center

What happened

Fisher Phillips published AI Governance 101: The First 10 Steps Your Business Should Take on September 20, 2025, offering a structured ten-step framework for US-based enterprises beginning or maturing their AI governance programs. The guide covers the formation of cross-functional AI governance committees, formal documentation of approved and prohibited use cases, implementation of bias-detection and fairness protocols, and the establishment of vendor audit processes requiring evidence of diverse training datasets. It also mandates annual employee training on governance policies and periodic internal audits of AI systems in production. The guide does not cite a single regulatory trigger but is designed to help organizations stay ahead of proliferating US state-level requirements and align with emerging best practices. Its timing coincides with growing regulatory activity across multiple jurisdictions, including the Colorado AI Act SB205 and the NIST Artificial Intelligence Risk Management Framework Playbook, both of which share structural overlap with several of the guide's recommended steps.

Why it matters

  • ·Organizations lacking a formal governance committee and documented use-case policy may struggle to demonstrate reasonable care if challenged under state AI statutes such as the Colorado AI Act SB205 or bias-related claims before the FTC AI Enforcement Policy, which increasingly scrutinizes inadequate algorithmic oversight.
  • ·The guide's vendor audit requirements, specifically demanding evidence of diverse training datasets, operationalize a due diligence standard that compliance teams must now build into procurement contracts and third-party risk assessments, creating a concrete gap for any organization without vendor-specific AI risk clauses.
  • ·Annual employee training mandates described in the guide set an expectation benchmark that regulators and plaintiffs' counsel may reference when assessing whether an organization took adequate precautions, raising the organizational risk profile for firms that rely solely on informal or ad hoc AI awareness efforts.

Governance controls affected

What to do now

  • Assess whether your organization has a formally chartered AI governance committee with documented decision rights, membership, and escalation paths, and close that gap before the next board risk review cycle.
  • Review all AI vendor contracts to confirm they include a clause requiring vendors to provide evidence of diverse and representative training datasets, and add this requirement to the standard procurement template.
  • Map your current AI inventory against a defined use-case policy that explicitly classifies approved, restricted, and prohibited applications, and obtain sign-off from legal and compliance on that classification.
  • Schedule or confirm that annual AI governance training for employees is on the compliance calendar, includes scenario-based content for high-risk use cases, and generates completion records that can be produced in an audit.
  • Establish a periodic audit cadence for AI systems in production, specifying audit scope, frequency, responsible function, and documentation standards so results can be used to demonstrate ongoing due diligence.

What to watch next

Compliance teams should monitor whether state legislatures in Texas, Colorado, and other active jurisdictions incorporate governance committee and vendor audit requirements as affirmative defenses or safe harbor conditions in forthcoming AI legislation, which would elevate the Fisher Phillips framework from best practice to legal baseline. The Commerce Department Evaluation of State AI Laws is expected to produce findings that may influence federal preemption debates, and its conclusions could reset which state-level obligations enterprises must track. Enforcement patterns from the FTC and state attorneys general in employment discrimination and consumer protection matters involving AI will also serve as a proxy for how rigorously the committee-formation and bias-audit steps in guides like this one will be tested in adversarial proceedings.

Related Coverage

Research2026-06-26

Board Oversight Gaps Exposed: Diligent's AI Governance Guide Maps Three Lines of Defense, Fairness Audits, and EU AI Act Alignment for Directors and Audit Leaders

Diligent has published a practitioner-focused guide titled 'AI Governance: A Guide for Boards, Risk and Audit Leaders' that outlines how organizations should structure board oversight of AI, apply a three-lines-of-defense model, conduct fairness and bias audits, and assess third-party AI risk. The guide explicitly maps recommendations to the EU AI Act, NIST AI RMF, and OECD AI Principles. It provides concrete steps for defining leadership accountability and establishing cross-functional AI ethics committees.

Research2026-07-09

Multi-Tiered AI Governance Committees Tested at Scale: Banco Bradesco and TELUS Case Studies Reveal What Works

The AI Company Data Initiative published a case study report in March 2026 documenting how Banco Bradesco and TELUS implemented structured AI governance models featuring strategic steering committees, quarterly review cycles, and mandatory human-rights-based safeguards. The report provides implementation-level detail on separating strategic and operational governance layers and embedding human rights considerations into AI lifecycle management. Compliance teams can use the findings as a benchmark for their own governance architecture.

Corporate Policy2026-07-07

OneTrust's AI Governance Committee Framework Sets a Practical Bar for Agentic AI Controls, Including Traceability and Least-Privilege Requirements

OneTrust has published a detailed account of how it built its own AI Governance Committee, including a structured 'buy versus build' decision framework for third-party AI tools and specific controls for agentic AI systems. The guidance requires decision control restrictions, full traceability of autonomous actions, and least-privilege data governance for any AI that operates with meaningful autonomy. The publication functions as a practitioner implementation guide that compliance teams at other enterprises can benchmark against their own programs.