Governance cadence
Frameworks such as the NIST AI Risk Management Framework and ISO/IEC 42001 point toward ongoing governance, monitoring and improvement. The practical question is how to turn that into a rhythm teams can actually run.
AI governance often starts with a burst of energy: a policy, a steering committee, a risk taxonomy, a vendor questionnaire, a training session. Then ordinary work takes over. New tools appear. Employees try new workflows. A vendor changes terms. A pilot moves into production without a clear owner. A team discovers that an output is useful, but only after extra human checking.
The organisation still has governance on paper. What it lacks is an operating rhythm.
A useful AI governance system should answer a short set of questions every month: what changed, what is being used, what needs a decision, and what evidence do we have that controls are working?
Why a monthly rhythm matters
AI use moves faster than annual policy cycles. Waiting for a yearly review means the real operating model is shaped by informal decisions: which tools people adopt, which prompts they reuse, which outputs managers accept, and which exceptions become normal.
A monthly rhythm does not need to be heavy. For many professional organisations, a 60 to 90 minute review is enough if the inputs are prepared. The value is continuity: small corrections before small risks become unmanaged practice.
The five things to review every month
1. Active AI use cases
Keep a short register of active and proposed AI use cases. It should not be a bureaucratic museum. It should show what teams are actually doing.
For each use case, record:
- business owner;
- tool or model used;
- data types involved, including whether confidential or personal data is in scope;
- whether outputs affect clients, employees, patients, customers or material decisions;
- human review point;
- current status: idea, pilot, approved, paused, retired.
The register makes AI adoption visible. Without it, governance depends on rumours and individual memory.
2. Tool and vendor changes
AI vendors change features, retention settings, model options, enterprise controls and contractual terms. A tool that was acceptable for brainstorming may become connected to internal data. A free tool may become embedded in daily work without procurement or security review.
The monthly question is: did any tool, data flow or vendor condition change enough to require review?
3. Incidents, near misses and friction
Not every governance signal is a formal incident. Useful signals include:
- inaccurate output caught before use;
- confidential information almost pasted into the wrong tool;
- unclear ownership of an AI-generated deliverable;
- team confusion about whether a use case is allowed;
- client or employee questions about AI use;
- manual workarounds that show a policy is impractical.
A mature organisation treats these as learning inputs, not blame events.
4. Training and AI literacy needs
Article 4 of the EU AI Act makes AI literacy an obligation for providers and deployers of AI systems, but the deeper point is operational. Teams need different literacy depending on their role.
A monthly review should ask:
- Which teams started using AI this month?
- Which roles need practical guidance?
- Which questions keep recurring?
- Which examples should be added to the policy or playbook?
Training should evolve from real work, not generic slide decks.
5. Decisions for leadership
Not every issue belongs in a committee. But some decisions need senior ownership:
- approving or pausing a higher-risk use case;
- deciding whether to buy an enterprise AI tool;
- accepting residual risk;
- changing policy categories;
- allocating budget for training, security or workflow redesign;
- deciding what to disclose to clients or partners.
The governance rhythm should surface these decisions clearly: what is the decision, who owns it, what evidence is available, and by when must it be made?
A simple monthly agenda
A practical agenda can fit on one page:
- New AI use cases and status changes.
- Vendor/tool changes and procurement questions.
- Incidents, near misses and user friction.
- Training, literacy and policy updates.
- Decisions required from leadership.
- Actions, owners and deadlines.
What good evidence looks like
Good governance evidence is not a large binder. It is a traceable record showing that the organisation knows what is being used and how decisions are made.
Useful evidence includes:
- a current use-case register;
- vendor review notes;
- training attendance and role-based materials;
- documented human review standards;
- an incident and near-miss log;
- decision notes from the monthly review;
- updated policy examples.
This is where governance becomes defensible: not because every risk disappears, but because the organisation can show a reasonable, repeated process.
The operating test
Ask one question: if a regulator, client, board member or employee asked how AI is controlled, could you show the last three monthly reviews?
If the answer is yes, governance is alive. If the answer is no, the organisation may only have a policy.
The difference matters. AI adoption will continue with or without formal governance. The monthly rhythm is how responsible adoption stays connected to real work.