AI governance framework.
Operating model · 21 May 2026
Most "AI governance frameworks" are policy documents in slide form. The version that survives an audit and a CFO review has five layers, sits on top of an enforcement plane, and ships in 90 days. This is that version.
The five layers
A working AI governance framework has exactly five layers. Adding more turns it into a brochure. Skipping any one of them leaves a gap an auditor or a surprise invoice will find.
Layer 1 — Principles
A short, signed-off statement of what the company believes about AI use: human oversight, transparency, safety, accountability. One page. Reviewed annually. The point is not novelty — the point is to have something every subsequent control traces back to.
Layer 2 — Policy
Approved providers. Approved models per job. Blocked use cases. Data classification rules (what can leave your perimeter, what cannot). Approval thresholds for premium tiers. Policy is short; it must fit on a single screen and be enforceable at the gateway.
Layer 3 — Controls
The enforcement layer. An AI gateway that refuses out-of-policy calls. Quotas (soft and hard) per workload. Redaction and PII filters. Per-request approval workflow for premium models. This is the only layer where governance stops being theatre.
Layer 4 — Attribution
Every request tagged with feature, team, environment, customer or workspace, and workload at the time the request is made. Untagged spend goes to a default bucket with a named owner. Without attribution none of the other layers can answer the basic question of who is spending what.
Layer 5 — Audit and reconciliation
A monthly close that reconciles internal cost estimates to the provider invoice. Recurring deltas trigger a fix. Approval logs, policy exception logs, and quota events are exportable. The framework is verifiable, not just stated.
How the layers map to existing standards
You do not need to invent a framework from scratch. The five layers map cleanly to the standards regulators and procurement teams already recognise:
- NIST AI RMF — "Govern, Map, Measure, Manage" maps onto principles, policy, controls, and audit.
- ISO/IEC 42001 — the AI management system standard; closest peer to the framework above.
- EU AI Act obligations — risk classification lives at the policy layer; technical documentation and post-market monitoring live at the audit layer.
- FinOps Foundation principles — informs the attribution and audit layers specifically.
If you already operate one of these, the AI governance framework should plug into it — not replace it.
The 90-day plan
Most companies can stand this up in a quarter if they do it in this order. Skipping the order is the most common failure mode.
Days 0–15: Map the surface
- Inventory current AI providers, models, and top spend by workload.
- Identify the top three workloads driving the bill.
- Stand up a one-page principles statement (Layer 1).
Days 15–30: Tag everything
- Wire request-level attribution (feature, team, environment, model, workload) — Layer 4.
- Untagged calls go to a default bucket with a named owner.
- You should now be able to answer "where did last week's spend go?" without guessing.
Days 30–60: Enforce
- Stand up the gateway (Layer 3).
- Publish the one-page policy: approved providers, models per job, blocked use cases (Layer 2).
- Wire soft and hard quotas. Soft pages the team; hard degrades to a cheaper model or refuses new requests.
- Add an approval workflow for premium reasoning models and new providers.
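The Enforce step above, as an added example that is not code from the article or any product: a small Python gateway that evaluates a one-screen policy, attaches the five attribution tags at request time (routing untagged calls to the default bucket with a named owner), and applies a soft quota that pages and a hard quota that degrades to a cheaper model or refuses. Provider, model, price, tag and limit values are constructed, and the approval workflow is reduced to a set of pre-approved (team, model) pairs.

```python
# Added example (not the article's code); every provider, model, price, tag and limit is constructed.
from dataclasses import dataclass, field
# Layer 2: the one-screen policy, as data the gateway can enforce.
POLICY = {
    "approved_providers": {"provider-a"},
    "models_per_job": {"summarise": {"small-model", "big-model"}, "code-review": {"big-model"}},
    "blocked_use_cases": {"generate-customer-pii"},
    "premium_models": {"big-model"},                   # need an approval record
    "cheaper_fallback": {"big-model": "small-model"},  # hard-quota degrade path
}
PRICE = {"big-model": 1.0, "small-model": 0.1}         # constructed cost per call
REQUIRED_TAGS = ("feature", "team", "environment", "customer", "workload")
DEFAULT_BUCKET = {"workload": "untagged", "owner": "platform-lead"}

@dataclass
class Quota:
    soft: float            # crossing it pages the owning team
    hard: float            # crossing it degrades to a cheaper model or refuses
    spent: float = 0.0

@dataclass
class Gateway:
    quotas: dict                                  # workload -> Quota ('untagged' included)
    approvals: set = field(default_factory=set)   # approved (team, model) pairs
    events: list = field(default_factory=list)    # exportable log consumed by Layer 5

    def route(self, req: dict) -> dict:
        """Decide allow / degrade / refuse for one request and log the decision."""
        tags = {k: req.get(k) for k in REQUIRED_TAGS}
        if not all(tags.values()): tags.update(DEFAULT_BUCKET)   # Layer 4: untagged -> default bucket
        model = req["model"]
        if (req["provider"] not in POLICY["approved_providers"]
                or req.get("use_case") in POLICY["blocked_use_cases"]
                or model not in POLICY["models_per_job"].get(req["job"], ())):
            return self._record("refuse", "out-of-policy", model, tags)
        if model in POLICY["premium_models"] and (tags["team"], model) not in self.approvals:
            return self._record("refuse", "premium-not-approved", model, tags)
        q, decision = self.quotas[tags["workload"]], "allow"
        if q.spent + PRICE[model] > q.hard:                      # hard quota
            model, decision = POLICY["cheaper_fallback"].get(model), "degrade"
            if model is None or q.spent + PRICE[model] > q.hard:
                return self._record("refuse", "hard-quota", req["model"], tags)
        if q.spent <= q.soft < q.spent + PRICE[model]:           # soft quota crossed: page once
            self.events.append({"event": "soft-quota-page", **tags})
        q.spent += PRICE[model]
        return self._record(decision, "ok", model, tags)

    def _record(self, decision: str, reason: str, model: str, tags: dict) -> dict:
        self.events.append(out := {"decision": decision, "reason": reason, "model": model, **tags})
        return out
```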
Days 60–90: Close the loop
- Run the first monthly reconciliation: internal cost estimate vs the provider invoice (Layer 5).
- Publish the delta with a one-paragraph explanation.
- Document the reconciliation runbook so finance can run it monthly without you.
- Schedule the quarterly review of principles and policy.
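The reconciliation in Days 60–90 (Layer 5), as an added example that is not from the article: internal estimates keyed by the workload tag are compared with the invoice per workload, deltas beyond a tolerance are flagged (including billed-but-untagged and tagged-but-unbilled workloads), totals are produced for the published delta, and a workload out of tolerance for consecutive closes is reported as recurring. Tolerance, month labels, workload names and every figure are constructed.

```python
# Added example, not code from the article. Tolerance, month labels, workload
# names and every figure are constructed.
from collections import defaultdict

TOLERANCE = 0.05    # |invoice - estimate| above 5% of the invoiced amount is a finding
RECURRING = 2       # out of tolerance this many closes in a row: fix it, don't explain it

def reconcile(estimates: dict, invoice: dict, tolerance: float = TOLERANCE) -> dict:
    """One month's close. Both inputs map workload -> cost: estimates from
    request-time attribution (Layer 4), invoice from the provider bill."""
    findings = {}
    for wl in sorted(set(estimates) | set(invoice)):
        est, inv = estimates.get(wl, 0.0), invoice.get(wl, 0.0)
        if wl not in estimates:
            status = "unattributed"          # billed but never tagged: Layer 4 gap
        elif wl not in invoice:
            status = "phantom"               # tagged but never billed: stale price table
        elif abs(inv - est) > tolerance * inv:
            status = "out-of-tolerance"
        else:
            status = "ok"
        findings[wl] = {"estimate": est, "invoice": inv,
                        "delta": round(inv - est, 2), "status": status}
    return findings

def summary(findings: dict) -> dict:
    """Totals and the list of exceptions for the published delta paragraph."""
    est = sum(f["estimate"] for f in findings.values())
    inv = sum(f["invoice"] for f in findings.values())
    return {"estimate": est, "invoice": inv, "delta": round(inv - est, 2),
            "findings": sorted(wl for wl, f in findings.items() if f["status"] != "ok")}

def recurring_deltas(months: list, tolerance: float = TOLERANCE) -> dict:
    """Run the close over consecutive months [(label, estimates, invoice), ...]
    and return the workloads whose delta is still recurring at the last close."""
    streak, recurring = defaultdict(int), {}
    for label, est, inv in months:
        for wl, f in reconcile(est, inv, tolerance).items():
            streak[wl] = streak[wl] + 1 if f["status"] != "ok" else 0
            if streak[wl] >= RECURRING:
                recurring[wl] = {"months": streak[wl], "last": label, "status": f["status"]}
            else:
                recurring.pop(wl, None)      # streak broken: no longer recurring
    return recurring
```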
RACI: who owns each layer
- Principles — executive sponsor (CTO or CFO) owns; board approves.
- Policy — AI council (finance + engineering + security) owns.
- Controls — engineering platform team owns the gateway; security owns redaction and DLP.
- Attribution — platform team owns the implementation; finance owns the taxonomy.
- Audit — finance owns; internal audit reviews; external auditor consumes.
What to skip
Most failed governance programs share three habits worth not copying:
- Starting with a 40-page policy. Nobody reads it, no system enforces it, and it ages out in a quarter.
- Buying a model-risk platform before a gateway. You get evidence without enforcement — great for the regulator, useless for the bill.
- Defining attribution offline in a spreadsheet. If tags are not attached at request time, the data is irreparably noisy by the time it reaches finance.