Not Too Much, Not Too Little: The Goldilocks Guide to AI Governance

When I mention "governance" to leaders, I often see them flinch.?

I get it—the word conjures up images of endless processes, suffocating oversight, and innovation grinding to a halt under the weight of bureaucracy.?

But here's what I've learned in my years of digital transformation: Really good governance is what allows transformation to happen.

When I reflect on why transformations succeed or fail, it often comes down to how organizations set up their decision-making, accountability, and transparency. The key is finding that perfect balance among the three.

To get it “just right,” we turn to Goldilocks. ??

My co-author Katia Walsh has this great saying: “Structure without flexibility is bureaucracy. Flexibility without structure is chaos.” Successful transformational governance needs both in just the right measure.

Let’s take a look at how to create generative AI governance so that it hits this sweet spot.??

Three Essential Elements for Success?

Three pillars create the structure for effective AI governance:

1. The AI Steering Committee??

Think of this as your command center. Your steering committee takes the high-level AI strategy and brings it to life. They:?

?? Maintain and refresh the strategy

?? Run crucial quarterly reviews in your six-quarter walk

?? Ensure alignment with business objectives

Your steering committee is most powerful in their ability to break down departmental silos, enabling transparent information to flow smoothly. Through this approach, they coordinate AI adoption across your entire organization.

The ideal committee combines executive sponsors, AI and data experts, technology specialists, ethics and compliance officers, department representatives, and legal advisors. While you need representation from legal, compliance, risk, and security, be careful—their role isn't just to shut things down or say no. The steering committee must protect against risks while preparing your organization for transformation. Look for members who can put guardrails and safeguards in place that enable you to say yes.

2. The Audit & Policy Evolution Process??

AI moves fast, and your governance needs to keep up the pace. You want to be continuously aligning everything you're doing with your governance along three key dimensions:

• Your generative AI Initiatives. Use regular audits as feedback loops—what isn't working? If you're finding roadblocks that don't allow you to move forward quickly, especially in innovation, really understand: What are these roadblocks trying to prevent? What risks are you trying to mitigate? Then adapt your governance to enable progress while maintaining proper protection.
• Your Organizational Goals. Look at all the feedback you've gotten at least quarterly, even if it's just a quick check. How do your policies and governance need to evolve to support where you're headed? The transparency and accountability in these reviews is key.
• Your Regulatory Requirements. Ensure stakeholders are involved in these policy audits and evolution. As regulations around AI continue to emerge, your governance framework needs to adapt while still enabling innovation.

3. The AI Ombudsman??

This will become one of the most important roles in generative AI governance. This individual will be your organization's AI conscience—one person, completely independent, making sure you're using generative AI responsibly and building trust with everyone involved. This person reports directly to your CEO, president, or board. Not to legal, not to strategy. This independence is critical for building real trust and confidence.

Why does this matter right now? As we navigate AI adoption, organizations need:?

?? A trusted voice that speaks across department lines

?? Clear paths for resolving AI-related concerns

?? Real accountability that builds confidence

?? Transparency that enables faster innovation

We're already seeing tech companies embrace this model. Microsoft has an Office of Responsible AI, and Salesforce has created an Office for Responsible and Ethical Use of AI. As scrutiny of AI use increases, having this dedicated role becomes increasingly important for building trust and enabling responsible innovation.

Making It Work: The Goldilocks Approach in Practice

Success with AI governance comes down to finding a delicate balance. Here's what I've seen work:

• Clear Mandate and Authority: Your AI Steering Committee needs real power to make decisions. I've seen too many organizations dip their toes halfway in, limiting their committee to just discussing guidelines while keeping strategy decisions elsewhere. That's a recipe for disconnection. Instead, give them clear scope and authority to drive both strategy and implementation.

• The Right Cadence of Connection: How often should your committee meet? Here's my rule of thumb: Match your meeting frequency to your decision-making needs. If you're making strategic decisions quarterly, quarterly meetings might work. But given how fast AI is moving, I recommend meeting more frequently—perhaps monthly or even biweekly. The key is staying ahead of changes rather than constantly playing catch-up.

• Documentation and Transparency: If it's not written down, it doesn't exist. Document the inputs that go into decisions and what the decisions are, and then communicate that constantly out to your various stakeholders. This transparency builds trust and ensures everyone knows how governance is evolving to support transformation.

If this information was helpful, there’s plenty more!?

?? Sign up for updates and early access to my upcoming book, co-authored with Katia Walsh, which is all about creating a winning generative AI strategy.

?? Catch my most recent webinars:

• “Unlocking The Power of Generative AI.” I explain how to set up a generative AI “playground,” three ways to elevate your leadership with step-by-step instructions, and the broad outlines of creating a strategy. Get the recording and slides here.

• “Developing a Winning Generative AI Strategy for Competitive Advantage.” I walk through the steps needed to create a cohesive AI strategy that will last. Get the recording and slides here.?

Your Turn?

How does your organization approach AI governance? Are you leaning toward too much structure, too much flexibility, or have you found that Goldilocks sweet spot?