Governance is the program, not the committee.

Forming an AI committee is not a governance program, and a control placed on a model is not oversight. The AI Oversight Program is the institutional capability that lets a Governing Body make timely, trusted decisions about AI, finding the informed balance of risk and reward. It defines what must be governed and who is accountable for it. It does not prescribe how any particular system is built or operated; that remains the work of management.

The Program is built on five pillars and fourteen domains, expressed through the AI Governance Maturity Model. Its structure is mapped to authoritative sources: the NIST AI Risk Management Framework, ISO/IEC 42001, ISO/IEC 38507, the EU AI Act, and the Caremark standard of director oversight.

Five pillars. Fourteen domains. One defensible standard of care.

Each pillar carries a plain-language name and a constitutional role. Together they describe the full scope of what a board must be able to govern as its organization adopts AI.

[Figure: the AI Oversight Program at a glance. 5 pillars · 14 domains · 76 controls. Mapped to authoritative sources: NIST AI RMF · ISO 42001 · ISO 38507 · EU AI Act · Caremark.]

The five pillars are Agile Governance (the constitution), Risk-Informed System (the guardrails), AI Trust and Assurance (the evidence), Risk-Based Strategy and Execution (the strategic alignment), and Risk Escalation and Disclosure (the voice).

This is the architecture a board governs through. Five pillars and fourteen domains define what must be governed and who is accountable, with implementation left to the operational layers. The program is the governance.
I. Agile Governance (The Constitution)
  • AI Governance Program and Policy Framework
  • AI Governance Structure, Oversight, and Resources
  • Governance Program Assurance and Continuous Learning

II. Risk-Informed System (The Guardrails)
  • AI Risk Methodology, Scope, and Tolerance
  • Risk Intelligence and Threat Landscape

III. AI Trust and Assurance (The Evidence)
  • AI Model Risk and Agentic Lifecycle Oversight
  • AI Data Governance Oversight
  • AI Transparency, Explainability, and Human Oversight
  • AI Security and Resilience Assurance

IV. Risk-Based Strategy and Execution (The Strategic Alignment)
  • Risk-Informed Strategy, Resources, and Organizational Readiness
  • AI Value Realization and Operational Resilience Oversight
  • Third-Party AI and Supply Chain Governance

V. Risk Escalation and Disclosure (The Voice)
  • AI Risk Escalation and Disclosure Protocols
  • Validation of Escalation and Governance Effectiveness

Grounded in law, regulation, case law, and standards.

Every control in the Maturity Model is mapped to the authoritative sources that define the standard of care for AI oversight. The Center maps by source type, by jurisdiction, and by industry. The examples below are illustrative; the full mapping is broader.

Case Law

The Caremark doctrine (1996), Marchand v. Barnhill (2019), and the Boeing and McDonald's derivative decisions establishing the board's duty to oversee mission-critical risk.

Laws & Acts

The EU AI Act, the Colorado AI Act, and New York City Local Law 144, among the enacted AI-specific statutes now taking effect across jurisdictions.

Regulatory Guidance

SEC, FTC, EEOC, and CFPB guidance and enforcement; Federal Reserve and OCC model-risk expectations; and NAIC, FDA, and FCC sector guidance.

Standards & Frameworks

NIST AI RMF, ISO/IEC 42001, ISO/IEC 38507, the OECD AI Principles, COSO, COBIT, and the IIA Global Internal Audit Standards.

Mapped by jurisdiction: United States (federal) · U.S. states · European Union · United Kingdom · Canada · Australia · China

Mapped by industry: Financial services · Insurance · Healthcare · Telecommunications · Employment & HR · Critical infrastructure

The AI Governance Maturity Model.

The Maturity Model turns the five pillars into something an organization can measure. It expresses the fourteen domains as seventy-six controls and two hundred fifty-seven diagnostic statements, and places an organization on a five-level maturity scale across each dimension of the Program.

76 controls, 257 diagnostics

Each domain resolves into specific controls, and each control into diagnostic statements a board or auditor can test against evidence rather than assertion.

Five maturity levels

The model places each dimension of the Program on a five-level scale, describing the distance between ad hoc activity and a fully assured, continuously improving oversight program.

Builders and Buyers

The model tailors its diagnostics to whether an organization develops AI systems (Builders) or deploys systems built by others (Buyers). Most organizations are Buyers, and their obligations differ.

The five pillars exist to satisfy a single test.

The Informed Decision Standard

Can the organization demonstrate, in evidence, that it made an informed decision about AI risk?

When a regulator, a court, or an auditor asks the question, the Program must be able to show the answer. The standard is met when three things are true at once: the Governing Body had what it needed to decide, the Program is real rather than ceremonial, and the chain from policy to practice to assurance is traceable.

The Outcome

Decision Velocity

A mature Program is not a brake. It is what allows a board to make faster, risk-informed decisions backed by evidence, without sacrificing accountability. That is why oversight enables AI adoption rather than constraining it.

Work with the Program.

The Program overview is open. The full control framework, the diagnostic statements, and the Maturity Model are proprietary, and reach practitioners through the Center's co-branded publications and its training for boards, audit executives, and risk leaders.