The AI Oversight Program
The board-level discipline of defining what must be governed in AI, and who is accountable for it. This is the Center's core intellectual work.
Forming an AI committee is not a governance program, and a control placed on a model is not oversight. The AI Oversight Program is the institutional capability that lets a Governing Body make timely, trusted decisions about AI, finding the informed balance of risk and reward. It defines what must be governed and who is accountable for it. It does not prescribe how any particular system is built or operated; that remains the work of management.
The Program is built on five pillars and fourteen domains, expressed through the AI Governance Maturity Model. Its structure is mapped to authoritative sources: the NIST AI Risk Management Framework, ISO/IEC 42001, ISO/IEC 38507, the EU AI Act, and the Caremark standard of director oversight.
Each pillar carries a plain-language name and a constitutional role. Together they describe the full scope of what a board must be able to govern as its organization adopts AI.
Every control in the Maturity Model is mapped to the authoritative sources that define the standard of care for AI oversight. The Center maps by source type, by jurisdiction, and by industry. The examples below are illustrative; the full mapping is broader.
The Caremark doctrine (1996), Marchand v. Barnhill (2019), and the Boeing and McDonald's derivative decisions establishing the board's duty to oversee mission-critical risk.
The EU AI Act, the Colorado AI Act, and New York City Local Law 144, among the enacted AI-specific statutes now taking effect across jurisdictions.
SEC, FTC, EEOC, and CFPB guidance and enforcement; Federal Reserve and OCC model-risk expectations; and NAIC, FDA, and FCC sector guidance.
NIST AI RMF, ISO/IEC 42001, ISO/IEC 38507, the OECD AI Principles, COSO, COBIT, and the IIA Global Internal Audit Standards.
The Maturity Model turns the five pillars into something an organization can measure. It expresses the fourteen domains as seventy-six controls and two hundred fifty-seven diagnostic statements, and places an organization on a five-level maturity scale across each dimension of the Program.
Each domain resolves into specific controls, and each control into diagnostic statements a board or auditor can test against evidence rather than assertion.
The model places each dimension of the Program on a five-level scale, describing the distance between ad hoc activity and a fully assured, continuously improving oversight program.
The model tailors its diagnostics to whether an organization develops AI systems (Builders) or deploys systems built by others (Buyers). Most organizations are Buyers, and their obligations differ.
When a regulator, a court, or an auditor asks the question, the Program must be able to show the answer. The standard is met when three things are true at once: the Governing Body had what it needed to decide, the Program is real rather than ceremonial, and the chain from policy to practice to assurance is traceable.
A mature Program is not a brake. It is what allows a board to make faster, risk-informed decisions backed by evidence, without sacrificing accountability. That is why oversight governance enables AI adoption rather than constraining it.
The Program overview is open. The full control framework, the diagnostic statements, and the Maturity Model are proprietary, and reach practitioners through the Center's co-branded publications and its training for boards, audit executives, and risk leaders.