Writing an AI governance committee charter

Charters matter for three practical reasons: accountability, enforceability, and defensibility.

Accountability. Without a charter, the committee has no defined composition. Anyone can be added or removed without consequence. Decisions can be made without the roles that should be represented. The charter specifies who must participate in a valid decision — and the absence of a required role creates a documented gap rather than an invisible one.

Enforceability.Without a charter, the committee's decisions are aspirational. There is no defined consequence for a team that proceeds with an AI deployment without committee clearance — because there is no document establishing that clearance is required. The charter is the instrument that makes the governance process mandatory, not optional.

Defensibility.A regulator or auditor examining an AI governance record will ask: who approved this, and did they have the authority to do so? Without a charter, the answer is a description of informal practice. With a charter, the answer is a reference to a document that establishes the committee's mandate and confirms that the approval was made by the required people under the required conditions.

The authority section of the charter defines what the committee can decide, what it must escalate, and what happens if an AI deployment proceeds without its approval.

What the committee can approve: New AI system deployments that fall within defined risk tiers (typically tier 2 — medium risk — and below); conditional approvals for systems with identified control gaps; restricted-pilot dispositions for systems requiring limited-scale validation; scope expansions within approved AI systems.

What the committee must escalate: High-risk AI systems (tier 3 — customer-facing, regulated data, consequential decisions); systems with unresolvable committee disagreements; AI deployments that require board-level awareness for regulatory or reputational reasons; AI incidents with potential regulatory notification obligations.

What happens without committee approval: The charter must state explicitly what the consequence is of deploying an AI system without committee clearance. This is not optional language — without it, the committee has no enforcement mechanism.

The composition section defines which roles must be represented on the committee. The minimum required representation for a functional AI governance committee:

• CISO or delegate: Security authority. Responsible for the security review findings and the assessment of residual risk. The security voice in deployment decisions.
• Data Protection Officer or delegate: Privacy authority. Responsible for data protection impact assessments, GDPR compliance, and data subject rights implications. Required for any AI system that processes personal data.
• Business representative: The owner of the business case for the AI deployment. Responsible for articulating the operational purpose and accepting residual risk on behalf of the business unit.
• Legal counsel or delegate: Legal authority. Required for AI systems with regulatory exposure, customer-facing deployments, and any system where liability implications of failure need to be assessed.

The charter should specify who fills each role, who the approved delegates are, and the process for replacing a committee member when the role changes hands. Committee membership is role-based, not person-based — the charter should make this explicit.

The quorum requirement specifies the minimum membership that must be present for a committee decision to be valid. Without a quorum provision, a committee can approve a high-risk AI deployment with two people present — and that approval may not reflect adequate consideration of the relevant risks.

Quorum is the most commonly omitted element in AI governance committee charters. Its absence means there is no defined minimum for a valid decision — and in practice, decisions get made with whoever is available, rather than whoever the governance structure requires.

A reasonable quorum structure: for tier 1 (low risk) decisions, a majority of the committee including the CISO or delegate. For tier 2 (medium risk) decisions, a majority including the CISO and DPO or their delegates. For tier 3 (high risk) decisions, full committee plus legal counsel.

The charter must also address what happens when quorum cannot be reached. Options: the decision is deferred to the next scheduled meeting, an emergency procedure allows asynchronous approval from the required members, or the decision automatically escalates to the next authority level.

The decision types section maps each category of decision to the required quorum and approval threshold. Common decision types for an AI governance committee:

• New AI deployment: Approval to deploy a new AI system to production. Requires full review and disposition record as input.
• Conditional approval: Approval to deploy with named conditions attached. Requires identification of each condition, its owner, its deadline, and the verification mechanism.
• Restricted pilot: Approval to deploy within a defined limited scope as a precondition to full production clearance.
• Scope expansion: Approval to expand an approved AI system to new use cases, data classes, or user populations not covered by the original approval.
• Risk acceptance: Explicit acceptance of a named residual risk by a named acceptor with defined conditions. The highest-weight decision type.
• Re-assessment trigger evaluation: Determination of whether a triggered event requires a full re-assessment or a lighter-touch review.

The escalation paths section defines what triggers escalation beyond the committee, and who receives the escalation. Mandatory escalation triggers:

• Any tier 3 (high risk, customer-facing, regulated data) AI deployment.
• Any decision where the committee cannot reach agreement and the disagreement involves a material safety or legal concern.
• Any AI incident that may require regulatory notification.
• Any AI deployment that has board-level strategic, reputational, or liability implications.

The escalation path should specify the receiving authority — typically the CISO for escalations that remain within security governance, the board or audit committee for escalations with regulatory or strategic implications — and the expected response timeframe.

The review cadence section defines when the committee meets, what standing agenda items appear at each meeting, and the process for convening emergency sessions.

A functional cadence for an enterprise AI governance committee:

• Monthly meeting: Review of pending AI deployments, re-assessment triggers that fired since the last meeting, and open conditions from prior conditional approvals.
• Quarterly review: Assessment of the full AI system inventory — which systems are active, which have pending conditions, which re-assessment triggers are overdue.
• Annual charter review: The charter itself should be reviewed annually and updated to reflect lessons learned, regulatory changes, and organisational changes.
• Emergency session: Triggered by AI incidents with potential regulatory notification obligations or any AI deployment decision that cannot wait for the next scheduled meeting.

A complete AI governance committee charter should contain the following elements in the following order:

1. Purpose statement: What the committee exists to do and the governance principles it operates under.
2. Scope: Which AI systems, deployments, and decisions fall within the committee's mandate.
3. Authority: What the committee can approve, what it must escalate, and the consequence of bypassing the committee.
4. Composition: Required roles, named members and delegates, and the process for membership changes.
5. Quorum: Minimum attendance for each decision type, and the process when quorum cannot be reached.
6. Decision types and approval thresholds: Each decision category with its required quorum and documentation.
7. Escalation paths: Triggers and receiving authorities for escalations beyond the committee.
8. Review cadence: Meeting schedule, standing agenda, emergency session process.
9. Record-keeping: How committee decisions are documented, where records are maintained, and the retention period.
10. Charter review: When and how the charter itself is reviewed and updated.

For the evidence pack structure that the committee works with in making deployment decisions, see The anatomy of an AI evidence pack.