Towards Bullet-Proof AI Governance

Proper design and implementation of AI requires tight alignment with the governance life cycle core principle. Of the 37 core principles, it is the single most important one. Here’s why. Without effective governance, it is virtually impossible to comply with the rest of the life cycle core principles. Think about how many times you’ve read and heard about ensuring trustworthy AI. (The link provides a number of definitions for what that means.) There’s no argument that it’s critical. Without a trustworthy application, deployment and maintenance are difficult. I’ll go even further: it’s doomed to fail. What infuses trustworthiness into AI is, above all else, governance. And there’s more. Mitigating risk is top of mind for any company designing and deploying AI. Enter the NIST AI Risk Management Framework (RMF), which provides a solid guide for doing just that. (You can read more about the legal importance of NIST here.) A deep dive into the RMF reveals that governance is the single most important principle for enabling compliance: of its four functions (Govern, Map, Measure, Manage), Govern is the cross-cutting one that the other three depend on.

Aligning the company’s AI design and implementation with the core principles is all about achieving and maintaining bullet-proof governance. In this post I want to take a closer look at how to get there. Think of this as a starting point upon which additional improvements can be bolted on. (BTW: if you haven’t read through the original life cycle core principles post, click on the link before reading further.)

  1. Professionalize: AI governance should be way more than just about being able to check the compliance box. It should be a distinct and essential strategic function within the company, hence the “professionalize” moniker. It means putting and keeping in place a dedicated AI governance role, teams, committees, and cross-functional task forces. Assign a single point of ownership. Who? Legal is one option.
  2. Identify the Foundational Role of Frameworks, Standards, and Policies: There is no single ‘AI law’ in the U.S. and there isn’t going to be one for a long time; nothing like the EU AI Act in any event. In the meantime, companies should base their AI governance strategy on established standards and well-known best practices, for example SOC 2, the NIST AI RMF, the principles found in the EU AI Act, and ISO/IEC 42001 (AI management systems). This is not an exhaustive list.
  3. Comprehensive AI Risk Management: Solid AI governance involves continuously managing risk throughout the entire AI system life cycle, and doing so based on written policies, procedures, and processes. If it’s not written, it doesn’t exist. These work together to identify, map, measure, and manage AI risks, to identify misuse or abuse cases at every stage (from design to decommissioning), and to assess potential impacts. The strategy looks at outcomes such as financial loss, HR violations, regulatory violations, reputational harm, etc. Again, not an exhaustive list.
  4. Oversight and Continuous Improvement: Effective AI governance requires clear accountability, oversight, roles, and responsibilities for AI systems within the company, from board-level involvement down to specific management responsibilities. Policies, procedures, and processes should not be static. They should aim to improve AI system alignment with the core principles, adopting a continuous improvement mindset. Testing, auditing, red-teaming, independent evaluations, and vulnerability assessments are put in place as part of the risk management described in the third step (above).
  5. Cross-Functional Approach: This effort pulls in all business functions. The department that takes ownership acts as the coordinator, ensuring collaboration between the various business functions. All the core principles matter, though it’s to be expected that not all of them will be at the center of attention all the time. The coordinator should continually assess which ones to focus on, depending on which issues are most pressing. For example, if privacy or security takes center stage, IT might take the lead on specific tasks. Keeping it dynamic is key.

The common denominator here is establishing and maintaining deliberate, formal, structured control and management over AI systems. Doing so helps ensure these systems align with the core principles and achieve the desired outcomes. Absent or poor governance leads to the opposite: a doomed roll out, and possibly worse.

With that, let’s take a look at what qualifies as unreasonable governance. This is not an exhaustive list, but you can see that each item is essentially a misalignment with one of the five points above.

  • Disproportionate Risk Response – Applying inadequate governance practices to “high-risk” AI systems, or excessive controls to low-risk AI applications.
  • Inadequate Assessment & Monitoring – Treating risk evaluation as one-time events rather than continuous processes throughout the AI lifecycle. Note: This ties in to adopting a continuous improvement mindset.
  • Weak Accountability Structures – Lacking clear roles, responsibilities, and authority to halt dangerous AI deployments when necessary.
  • Cultural & Strategic Misalignment – Treating the AI governance principle as a mere compliance, check-the-box exercise rather than as a strategic priority.