AI Governance Policy Builder
by @1kalin
Framework to establish AI governance, assess AI maturity, manage algorithmic risks, conduct impact assessments, classify AI system risk, and ensure regulator...
clawhub install afrexai-ai-governanceπ About This Skill
AI Governance Policy Builder
Build internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.
When to Use
Governance Policy Framework
1. Acceptable Use Policy (AUP)
Every organization running AI needs a written AUP covering:
Permitted Uses
Prohibited Uses
Shadow AI Detection | Signal | Risk Level | Action | |--------|-----------|--------| | API calls to unknown AI endpoints | HIGH | Block + investigate | | Browser extensions with AI features | MEDIUM | Audit + approve/deny | | Personal accounts on company devices | MEDIUM | Policy reminder + monitor | | Exported data to AI training sets | CRITICAL | Immediate review |
2. AI Model Selection & Procurement
Evaluation Scorecard (100 points)
| Criteria | Weight | What to Check | |----------|--------|---------------| | Data residency & sovereignty | 20 | Where is data processed? Stored? Can you choose region? | | Security certifications | 20 | SOC2 Type II, ISO 27001, HIPAA BAA, FedRAMP | | Model transparency | 15 | Training data provenance, bias testing, version control | | Contract terms | 15 | Data usage rights, indemnification, SLA, exit clauses | | Performance & cost | 15 | Latency, accuracy benchmarks, token pricing, rate limits | | Integration & support | 15 | API stability, documentation quality, support SLA |
Minimum score for production deployment: 70/100
Red Flags (automatic disqualification):
3. Data Handling & Classification
AI Data Flow Audit Template
For each AI integration, document: 1. Input data: What goes in? Classification tier? PII present? 2. Processing: Where? Which model? Hosted or API? Region? 3. Output data: What comes out? Stored where? Retention period? 4. Training: Does vendor use your data for training? Opt-out confirmed? 5. Logging: Are prompts/responses logged? Where? Who has access? 6. Deletion: Can you request data deletion? Verified how?
Data Minimization Checklist
4. Regulatory Compliance Mapping
EU AI Act (effective Aug 2025, enforcement Feb 2025)
| Risk Category | Examples | Requirements | |--------------|----------|-------------| | Unacceptable | Social scoring, real-time biometric ID (most cases) | Banned | | High-risk | HR screening, credit scoring, medical devices | Conformity assessment, human oversight, transparency | | Limited | Chatbots, deepfakes | Transparency obligations (disclose AI use) | | Minimal | Spam filters, game AI | No requirements |
NIST AI RMF (Risk Management Framework)
ISO 42001 (AI Management System)
5. AI Governance Committee Structure
Recommended Composition
Meeting Cadence
Decision Authority | Decision | Authority Level | |----------|----------------| | New AI tool (< $5K/year) | Department head + security review | | New AI tool (> $5K/year) | Governance committee approval | | Customer-facing AI | Committee + legal + CEO sign-off | | AI incident response | Security lead (immediate) β Committee (48h review) |
6. Vendor Contract Checklist
Before signing any AI vendor contract, confirm:
7. Board Reporting Template
Quarterly AI Governance Report
AI GOVERNANCE REPORT β Q[X] [YEAR]1. AI PORTFOLIO SUMMARY
- Active AI systems: [count]
- New deployments this quarter: [count]
- Retired/replaced: [count]
- Total AI spend: $[amount] (vs budget: $[amount])
2. RISK DASHBOARD
- High-risk systems: [count] β all compliant: [Y/N]
- Open incidents: [count] β resolved this quarter: [count]
- Shadow AI detections: [count] β remediated: [count]
- Compliance gaps: [list]
3. VALUE DELIVERED
- Hours saved: [estimate]
- Revenue attributed to AI: $[amount]
- Cost reduction: $[amount]
- Customer satisfaction impact: [metric]
4. KEY DECISIONS NEEDED
- [Decision 1: context + recommendation]
- [Decision 2: context + recommendation]
5. NEXT QUARTER PRIORITIES
- [Priority 1]
- [Priority 2]
8. Incident Response for AI Systems
AI-Specific Incident Categories
| Category | Example | Response Time | |----------|---------|---------------| | Data breach via AI | Model leaks PII in output | Immediate β invoke security IR plan | | Hallucination causing harm | Wrong medical/legal/financial advice acted on | 4h β document, notify affected parties | | Bias detected | Discriminatory output in hiring/lending | 24h β suspend system, audit, remediate | | Prompt injection | Attacker manipulates AI behavior | Immediate β block vector, patch | | Cost overrun | Runaway API calls | 4h β rate limit, investigate, cap | | Vendor incident | Provider breach or outage | Per vendor SLA β activate backup |
Post-Incident Review Template 1. What happened (factual timeline) 2. Impact (who/what affected, cost, duration) 3. Root cause (not blame β systems thinking) 4. Fixes applied (immediate + permanent) 5. Policy/process changes needed 6. Board notification required? (Y/N + rationale)
Cost of NOT Having AI Governance
| Company Size | Annual Risk Without Governance | |-------------|-------------------------------| | 15-50 employees | $50K-$200K (shadow AI waste, compliance fines) | | 50-200 employees | $200K-$800K (data incidents, vendor lock-in, redundant tools) | | 200-1000 employees | $800K-$3M (regulatory penalties, IP exposure, audit failures) | | 1000+ employees | $3M-$15M+ (class action, regulatory enforcement, reputational damage) |
90-Day Implementation Roadmap
Month 1: Foundation
Month 2: Controls
Month 3: Operationalize
*Built by AfrexAI β AI operations infrastructure for mid-market companies.*
Get the full industry-specific context pack for your sector ($47): https://afrexai-cto.github.io/context-packs/
Calculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/
Set up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/
Need all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7