AI governance framework
What is an AI governance framework?
Most AI governance frameworks tell you how to use AI safely. Very few tell you which AI investments deserve your money. The best frameworks do both.
The short answer
An AI governance framework is the set of policies, roles, and decision rules an organisation uses to direct, control, and account for its AI. A complete framework covers two jobs: risk and compliance, the rules that keep AI safe, ethical, and legal, and investment governance, deciding which AI bets get funded, held, or killed based on evidence of value. Most frameworks cover the first and neglect the second, which is why so much AI spend produces no return.
- It defines who decides, on what evidence, and against which thresholds, for every AI initiative.
- It spans two domains: risk/compliance (safe, legal, ethical AI) and investment governance (which bets get capital).
- Established references include the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU AI Act.
- A framework that governs risk but not funding still lets money flow to bets that never pay off.
The two halves of AI governance
Ask ten leaders to define an AI governance framework and most describe risk controls: bias testing, data privacy, model documentation, human oversight, regulatory compliance. That half matters, and mature references like the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU AI Act codify it well.
But risk governance answers “is this AI safe and legal?” It never answers “is this AI worth funding?” Those are different questions with different owners. A model can be perfectly compliant and still be a waste of capital. A complete framework governs both the safety of AI and the allocation of money to it.
Why the funding half is usually missing
The numbers show what happens when only the risk half exists. MIT’s NANDA initiative found 95% of enterprise generative-AI pilots produce no measurable P&L impact, and McKinsey’s 2025 survey found that while 88% of organisations use AI, only 39% see any enterprise EBIT impact. Compliance was rarely the thing that failed; the bet itself was.
When a framework has no mechanism to compare bets, demand evidence before capital, or kill underperformers, money flows to the loudest internal champion rather than the highest-value opportunity. Governance that only manages risk quietly guarantees waste.
What a complete AI governance framework includes
A framework that governs both safety and spend has a recognisable structure:
- Principles: the outcomes AI must serve, and the risks it must not create.
- Roles and accountability: who owns each AI bet, and who signs off on funding, holding, or killing it.
- Risk controls: the NIST/ISO/EU-aligned checks for safety, fairness, privacy, and compliance.
- Investment criteria: how every bet is scored on value, evidence, adoption, risk, and time-to-impact.
- Evidence requirements: the proof a bet must show before it earns significant capital.
- Fund / fix / kill thresholds: pre-agreed rules that make stopping a routine decision, not a fight.
Frameworks set the rules. Portfolio governance picks the bets.
This is the distinction most guidance misses. A governance framework defines the rules of the game: the roles, controls, and criteria. Portfolio governance is the framework in operation: the ongoing act of comparing every AI bet on one page and moving capital to the few that will pay off.
The two need each other. Rules with no funding discipline let waste through; funding decisions with no rules are indefensible to a board or regulator. Gartner expects over 40% of agentic AI projects to be cancelled by the end of 2027; a framework that priced those bets on evidence up front would have avoided most of that spend.
How Exponentially.ai operationalises the framework
Our AI Bets Audit is the investment half of a governance framework you can run in two weeks. We map your live and proposed AI bets into one portfolio, score them on a common framework, pretotype the highest-stakes ones for real behavioural evidence, and hand the board a defensible fund / fix / kill decision for each, one that sits alongside whatever NIST- or ISO-aligned risk controls you already run.
It draws on the same method, pretotyping, created at Google and taught at Stanford, that we have applied across 4,000+ enterprise experiments for teams like Tabcorp, AGL, and RACQ.
Sources
- 95% of enterprise generative-AI pilots produce no measurable P&L impact. MIT NANDA, State of AI in Business 2025
- 88% of organisations use AI, but only 39% report any enterprise-level EBIT impact. McKinsey, The State of AI 2025
- Over 40% of agentic AI projects will be cancelled by the end of 2027, due to unclear business value. Gartner, 2025