The same pattern shows up in most large organisations. A working group forms, a responsible-AI policy is drafted and approved, a committee starts meeting each quarter, and a statement goes up on the website. Meanwhile the models already in production keep running, mostly unwatched, doing things nobody has checked against the purpose they were approved for.
The policy was never the hard part. Writing down that AI should be fair, safe, and accountable takes a few weeks, and most organisations manage it well enough. The hard part is making a live system behave that way every day, under load, as it is retrained and pointed at new data. That work only begins once the document is signed, which is precisely where most programmes run out of momentum.
Governance that lives only in a document is not governing anything.
Nobody turned the policy into a control
A policy that reads well to a board rarely tells an engineer what to build. “Ensure appropriate human oversight” is a sound principle, but someone still has to decide where the human sits in the workflow, what they can see, what they are able to stop, and what gets logged when they step in. When that translation never happens, the policy and the system drift apart from the first day, not through bad intent but because no one in the room speaks both languages well enough to turn a principle into a control that actually runs.
The system keeps changing after sign-off
A policy sits still while the model it governs does not. Models get retrained, fine-tuned, pointed at new data, and quietly reused for purposes no one assessed. Governance written as a one-time artifact cannot keep pace with any of that, and to be worth anything it has to operate continuously inside the system, catching drift and scope creep as they happen and routing them to whoever owns the decision. Otherwise the controls end up describing a system that stopped existing months ago.
The evidence only exists once someone asks
When a regulator, an auditor, or the board finally asks how a given model is governed, the honest answer in most organisations is a scramble. The decisions were real enough, but they happened in meetings and chat threads, and nobody recorded why a model was approved, what it was tested against, or who signed it off. Reconstructing that trail after the fact is slow, expensive, and never quite convincing, whereas capturing it as the decisions are made costs almost nothing and holds up far better.
What governance that operates looks like
Governance that works is anchored to specific use cases rather than to a single abstract idea of “AI”. Each use case carries a stated purpose, an accountable owner, and a risk threshold, and it is classified, assessed, and gated before it ships. The controls that result are concrete enough for an engineer to build and clear enough for a director to defend, with human oversight designed into the workflow rather than bolted on afterwards. The evidence then accumulates on its own as the work happens, timestamped and already mapped to the risk language the board uses.
There is a simple test for which kind you have. Governance that runs inside the system, notices what changes, and produces its own evidence is doing the job. Governance that lives in a binder is decoration, however well written. We built the practice around that difference, so if it is the working kind you need, talk to us.