AI Governance · Two Separate Problems

AI Governance

Governing how people use AI tools is fundamentally different from governing how autonomous agents operate. These are two separate problems that require two separate frameworks.

The critical distinction: AI usage governance addresses how your people use AI tools in their daily work. Agent governance addresses how autonomous agents operate with meaningful autonomy. Conflating these two leads to governance frameworks that solve neither problem.

Layer 1

AI Usage Governance

How your people use AI tools in their daily work. Most organizations have no visibility into this. Someone pasted customer data into ChatGPT today. Your leadership team has no idea.

The Reality of Shadow AI

Your employees are using AI tools right now. ChatGPT, Claude, Gemini, Copilot. They are copying code into these tools. Pasting customer conversations. Asking for help with strategy. Your compliance, legal, and security teams have no visibility. This is shadow AI, and it is happening everywhere.

Data Leakage Risk

Once data enters a public AI tool, it is no longer private. It trains future models. It could be seen by competitors. It violates customer confidentiality agreements. The question is not whether your organization has leaked data into AI tools. The question is how much.

The Productivity Paradox

AI tools increase productivity. But without governance, they increase risk faster. Your best people are using these tools most. They are also the ones with access to your most sensitive information. Productivity and risk are moving in the same direction.

The AI Usage Policy (One Page, Four Questions)

A governance policy does not need to be complex. It needs to be clear. Answer these four questions, document the answers, and you have a policy:

1. What Tools Are Approved?

You cannot ban AI usage. You can clarify which tools are sanctioned, which are permitted with restrictions, and which are prohibited. Example: ChatGPT approved for brainstorming. Claude approved for code review. No external tools for customer data.

2. What Data Can/Cannot Go In?

Classify your data. Public information can go into any tool. Internal strategy should not. Customer data, financial information, and source code require tool-specific review. Employee personal data: never.

3. What Outputs Require Human Review?

AI outputs are not facts. They are approximations. Code from AI tools requires code review. Marketing copy from AI tools requires human review. Technical documentation requires fact-checking. Define what requires verification before it ships.

4. Who Do You Ask When Unsure?

Policies create edge cases. Your security team should be the escalation point for questions about data sensitivity. Make them available. Make it easy for employees to ask before they make a mistake, not after.

AI Usage Maturity Model

Maturity is not about company size. A 50-person company can be at Integrated. A 5,000-person company can be at Ad Hoc. Maturity depends on decisions you make, not headcount you have.

Stage Reality What You Need
Ad Hoc Individual employees using AI tools on their own. No coordination. Invisible to leadership.
  • AI usage policy (one page)
  • Tool inventory (what are people actually using?)
  • Data classification framework
Sanctioned Company has approved specific AI tools. Teams are using them consistently. Some governance exists.
  • Expanded policy (tool-by-tool guidance)
  • Output review standards
  • Usage tracking and audit logs
Integrated AI tools are embedded in core workflows. Decisions are made faster. Productivity has increased.
  • Dependency risk assessment (what breaks if tools go down?)
  • Fallback procedures
  • Skills taxonomy (what skills does AI replace vs. augment?)
AI-First Every process starts with the AI question. Work architecture is designed around AI-human collaboration from the beginning.
  • Work architecture map (how is work distributed between AI and humans?)
  • Human-AI collaboration standards
  • Continuous governance and evolution process
Layer 2

AI Agent Governance

How autonomous agents operate in your organization. This is a fundamentally different governance problem. Agents make decisions with meaningful autonomy. Those decisions impact your people.

Tool vs. Automation vs. Agent

The distinctions matter. They require different governance approaches:

A Tool

Something a human uses. GitHub Copilot suggests code. The developer decides whether to accept, reject, or modify. The human has full agency. Humans can be trained on tools quickly.

An Automation

Executes predefined logic without human input. If (condition), then (action). A workflow automation that closes completed Jira tickets. A process that moves emails to folders based on keywords. Zero agency.

An Agent

Makes decisions with meaningful autonomy. An agent that schedules meetings evaluates participant calendars, meeting duration, and project timelines to find optimal times. It makes a decision without predefined rules for every scenario. This is an agent.

Agent Risk Classification

Not all agents are equally risky. Classify agents by their impact on people. Impact determines governance intensity.

Tier Definition Examples Governance
Tier 1: Operational Low people impact. Operational efficiency only. Email classification. Log analysis. Report generation. Meeting scheduling. Standard IT oversight. Quarterly performance review.
Tier 2: People-Adjacent Moderate people impact. Decisions affect workflow but not employment. Project resource allocation. Customer prioritization. Help desk triage. Monthly output review. Human override mandatory. Semi-annual bias check. Audit trail required.
Tier 3: People-Critical High people impact. Decisions affect employment, compensation, or evaluation. Hiring scoring. Performance evaluation. Compensation adjustment. Promotion ranking. Full lifecycle management. Quarterly bias audits. Human-in-the-loop mandatory. Regulatory compliance required.

Agent Lifecycle Management

Agents must be managed throughout their entire lifecycle. This is not a one-time setup. It is continuous governance.

Stage 1

Scoping

Define what the agent will do. Classify its risk tier. Identify stakeholders. Document assumptions about data quality, fairness, and safety. Establish baseline metrics.

Stage 2

Onboarding

Test the agent against real-world scenarios. Verify it meets safety and fairness criteria. Build feedback loops. Train users on the agent. Establish human oversight protocols.

Stage 3

Monitoring

Track agent performance and decisions. Watch for drift (is it behaving differently than expected?). Monitor for bias. Collect user feedback. Maintain audit logs.

Stage 4

Performance Review

Regular audits of agent decisions. Are fairness assumptions holding? Is accuracy consistent across demographic groups? Are edge cases being handled correctly? Escalate problems.

Stage 5

Escalation / Override

Humans must be able to override agent decisions. Escalation paths must be clear. When an agent makes a decision that could harm someone, escalation should be automatic, not optional.

Stage 6

Evolution / Retirement

As new data comes in, agents may need to be retrained. Business requirements change. Agents may become obsolete. Have a plan to retire agents safely. Archive historical decisions.

Bias Monitoring Framework

Agents perpetuate bias. This is not theoretical. It is documented. Monitoring is not optional.

Tier Audit Cadence Fairness Testing Audit Logging Auditor Remediation SLA
Tier 1 Annual Performance by user role Decision metadata only IT/Operations 6 months
Tier 2 Semi-annual Performance by demographic group (if available) Full decision context logged Internal compliance 3 months
Tier 3 Quarterly Fairness testing across protected classes. Disparate impact analysis. Full audit trail. Every decision. Every override. External auditor (legal/compliance required) 30 days

Regulatory Awareness

Agent governance is not optional. It is regulated. Know your obligations.

EU AI Act

High-risk AI systems require risk assessment, transparency, and human oversight. Hiring and HR systems are explicitly high-risk. Non-compliance carries significant fines.

GDPR Article 22

Individuals have the right to not be subject to automated decision-making that produces legal effects. Humans must be able to review and override agent decisions.

NYC Local Law 144

Employment-related AI systems must be audited for bias. Employers must notify candidates when AI is used in hiring. Audit results must be published.

NIST AI Risk Management Framework & ISO/IEC 42001

Voluntary frameworks that set standards for AI risk management, transparency, and accountability. Increasingly expected by investors and customers.

Govern AI usage and AI agents as two separate challenges. Your people are using AI tools today. That requires a policy. Your agents, if you have them, require a lifecycle. The governance frameworks are different. The stakes are different. Treat them differently.

Explore Further

Related Topics

Framework & Principles

The five core values and eight principles that underpin AI governance. Start here if you are building governance from scratch.

Read the framework →

Jobs & AI

The honest conversation about how AI affects employment. Governance without understanding job impact misses half the picture.

Read the jobs conversation →

Self-Assessment

Score your organization across the five values. Understand your governance maturity and gaps.

Take the assessment →