HANALEI.DEV PORTFOLIO / AI Governance Committee Charter

AI Governance Committee Charter

Governing structure, membership responsibilities, operating cadence, approval workflows, and escalation rules for a cross-functional AI Governance Committee.

Document Type: Committee Charter
Meeting Cadence: Monthly + Ad Hoc
Framework Alignment: NIST AI RMF GOVERN
Version: 1.0

Mission & Authority

The AI Governance Committee (AGC) is a standing cross-functional body responsible for overseeing the responsible adoption, use, and risk management of artificial intelligence systems across the organization. The committee holds approval authority for AI tool adoption, policy development, and escalation decisions involving AI-related risk.

Governing Principle

The AGC exists to enable AI adoption, not obstruct it. Its role is to ensure that speed is matched with accountability, and that business value from AI is delivered without creating unmanageable risk or harm to people inside or outside the organization.

Committee Composition

The AGC is composed of five permanent members representing Legal, Security, HR, Product, and IT. The AI Governance Lead serves as chair. Additional subject matter experts may be invited to specific meetings as non-voting participants.

Legal
General Counsel or Delegate (Legal Representative)
- Regulatory compliance and liability review
- Contract and DPA oversight
- IP and data rights guidance
- Escalation triage for legal exposure

Security
CISO or Delegate (Security Representative)
- Vendor security review sign-off
- Access control and integration standards
- Incident classification and response
- Security controls for approved tools

HR
CHRO or Delegate (HR Representative)
- Employee data protection oversight
- Workforce impact assessment
- Training and change management
- AI in HR processes review

Product
VP Product or Delegate (Product Representative)
- AI in product roadmap coordination
- Customer-facing AI feature review
- Use case prioritization input
- User impact and ethics liaison

IT
CTO or IT Director (IT Representative)
- Infrastructure and integration review
- API and access provisioning
- Tool registry maintenance
- Technical feasibility assessment

Chair
AI Governance Lead (Committee Chair)
- Agenda setting and facilitation
- Policy drafting and maintenance
- Intake and registry management
- Reporting to executive leadership

Meeting Schedule

Monthly Full Committee
Frequency: First Tuesday of each month
Duration: 60 minutes
Required Attendees: All five representatives + Chair
Standing Agenda: Tool intake reviews, policy updates, incident review, metrics review, open items

Quarterly Executive Brief
Frequency: End of each quarter
Duration: 30 minutes
Required Attendees: Chair + C-suite sponsor
Standing Agenda: AI risk posture summary, approved/denied tools, incidents, upcoming policy changes

Ad Hoc: Incident Review
Frequency: Within 48 hours of Medium+ incident
Duration: 45 minutes
Required Attendees: Chair, CISO, Legal + affected function
Standing Agenda: Incident timeline, impact assessment, remediation decisions, communication plan

Ad Hoc: Expedited Tool Review
Frequency: As needed, with 5-day notice
Duration: 30 minutes
Required Attendees: Chair + relevant reviewers
Standing Agenda: Business case, risk summary, security findings, decision

Annual Policy Review
Frequency: Each January
Duration: 90 minutes
Required Attendees: All members
Standing Agenda: Full policy library review, framework updates, lessons learned, roadmap for year

Quorum for a decision at monthly meetings requires at least four of five representatives. Decisions are made by simple majority. The Chair holds a tiebreaking vote. All decisions are recorded in the meeting log maintained by the Chair.

How Decisions Get Made

The following workflow applies to all AI tool approvals, policy changes, and risk exception requests submitted to the AGC.

1. Submission
Business unit or employee submits a request via the AI intake form. Chair acknowledges receipt within 2 business days and assigns a tracking number.
Owner: Submitter
SLA: 2 days

2. Triage and Classification
Chair reviews submission and assigns risk tier. Low-risk requests proceed to abbreviated two-reviewer track. Medium and above go to full committee.
Owner: Chair
SLA: 3 business days

3. Assigned Review
Security and Legal complete their domain reviews in parallel. Findings are submitted to the Chair at least 3 business days before the relevant committee meeting.
Owner: CISO + Legal
SLA: 7 business days

4. Committee Decision
Full committee reviews findings at monthly meeting. Votes to Approve, Approve with Conditions, Request More Information, or Deny. All outcomes are documented.
Owner: Full Committee
SLA: Next monthly meeting

5. Communication and Registry
Chair communicates decision to submitter within 2 business days. Approved tools are added to the registry. Denied requests receive a written rationale and may be resubmitted after 90 days.
Owner: Chair
SLA: 2 business days post-decision

Escalation Framework

Not all decisions can wait for the monthly meeting. The following escalation tiers define when and how issues are elevated above the standard workflow.

Tier 1: Standard

All routine tool requests and policy questions. Handled through standard monthly workflow. No escalation required. Chair resolves or tables to next meeting.

Tier 2: Expedited

Time-sensitive business requests or Medium-severity incidents requiring decision within 10 business days. Chair convenes an ad hoc session with relevant members. VP-level business sponsor required to initiate expedited track.

Tier 3: Urgent

High-severity incidents, active data exposure, or regulatory inquiry. Chair, CISO, and General Counsel convene within 24 hours. Chair notifies C-suite sponsor same day. Committee may suspend tool access pending review without full quorum.

Tier 4: Critical

Critical incidents with regulatory, legal, or reputational consequences. CISO and General Counsel brief CEO within 4 hours. Board notification within 24 hours. External counsel and, if applicable, regulatory disclosure obligations assessed immediately. AGC transitions to incident command posture until resolved.