AI Governance Implementation: A Practical 90-Day Roadmap for Enterprise Organisations

Why most AI governance programmes stall

AI governance programmes fail in consistent ways. The most common failure mode is scope paralysis: the programme is designed comprehensively — covering all AI systems, all risk types, all frameworks, all stakeholders — and the comprehensiveness makes it impossible to start. Every element depends on every other element. The inventory cannot be finalised without the risk classification framework. The risk classification framework cannot be finalised without regulatory mapping. The regulatory mapping cannot be finalised without legal review. Six months after the programme was launched, the inventory has not been completed and the organisation is no more governed than when it started.

The antidote to scope paralysis is a minimum viable governance programme — the smallest set of governance elements that provides meaningful protection and satisfies the regulatory expectations most likely to be tested in the near term. The 90-day roadmap delivers minimum viable governance. Everything beyond that is important and should be planned, but it should not block the immediate programme.

Days 1-30: Discovery

The Discovery phase has one output: an AI system inventory that is complete enough to be useful. Not perfect — complete AI inventories take longer than 30 days in large organisations. But complete enough to identify the highest-risk systems and the biggest governance gaps. The discovery methodology combines technology scanning (reviewing software licences, cloud spending, and IT asset registers for AI products), business unit interviews (asking department heads what tools they use), vendor contract review (checking which existing contracts include AI features), and financial analysis (reviewing expense and procurement data for AI tool purchases).

By Day 30, the organisation should have a working inventory of its AI systems — with each system classified as high, medium, or low risk using a simple framework. High risk: used in decisions that significantly affect employees, customers, or the public, in regulated activities, or with significant operational dependence. Medium risk: used in significant internal processes but with limited external impact. Low risk: productivity tools, internal tools with limited decision-making impact.

Days 31-60: Foundation

The Foundation phase builds governance controls for the high-risk systems identified in Discovery. For each high-risk system: document the system's purpose, the decisions it influences, the data it processes, and the accountability for its governance. Conduct a basic risk assessment using the organisation's existing risk methodology, adapted for AI. Identify and implement the minimum controls — human oversight mechanisms, monitoring arrangements, documentation of the governance decisions made. Name an owner. These steps do not need to be elaborate — they need to be real. A one-page risk assessment that is actually used is more valuable than a comprehensive AI risk framework document that is not.