Module 3: Governance & Risk Management · BoK I.B
Tailoring governance: six differentiators
There is no universal AI governance design. Six organisational factors drive the differences → company size, maturity, industry/sector, products & services, objectives and risk tolerance. The exam asks for all six.
- Company size → correlates with the number, scope and variety of AI systems and with the resources available. Smaller firms combine AI duties with existing privacy or legal functions and extend their existing screening tools; larger firms create AI-specific offices and detailed ML and GenAI processes.
- Maturity → correlates with the organisation's ability to build sufficient infrastructure for managing the risks AI introduces.
- Industry / sector → highly regulated sectors (healthcare, insurance, banking) already fold AI into existing compliance and receive regulator guidance on AI-specific risk.
- Products & services → the amount of AI embedded in offerings drives the scope of governance; oversight must be proportional to the complexity and impact of the AI.
- Objectives → strategic choices to develop, incorporate or merely use AI should be structured around the risks each entails; tie potential uses to desired outcomes (profit, quality of service, work culture).
- Risk tolerance → AI may ease some risks but almost certainly introduces new ones; risk assessments give only a relative score, so the organisation must judge fit with its position, values and plans.