Roles & Responsibilities Matrix

Tier 1 GOVERN

What This Requires

Define clear roles and responsibilities for AI governance across business, technology, legal, and security functions. Use a RACI or similar framework to assign accountability for policy, risk, compliance, and incident response.

Why It Matters

Ambiguous accountability leads to gaps (nobody owns AI security) or conflicts (multiple teams claiming authority). A matrix prevents finger-pointing during incidents and ensures coverage of all governance activities.

How To Implement

Identify Key Roles

List stakeholders: AI Governance Lead, CISO, CTO, Legal, Compliance, Data Science Manager, Engineering Leads, Business Unit Owners. Add roles as needed (Ethics Board, Privacy Officer).

Map Activities to RACI

For each governance activity (policy approval, risk assessment, vendor evaluation, incident response, audit), assign Responsible, Accountable, Consulted, and Informed parties. Ensure each activity has exactly one Accountable owner.

Document Escalation Paths

Define how decisions escalate (e.g., Engineer → Team Lead → Director → VP → Executive Committee). Include timeframes for escalation (48 hours for high-risk decisions).

Communicate & Train

Publish the matrix to the internal wiki. Conduct role-specific onboarding for new hires in governance roles. Review annually during the policy refresh.

Evidence & Audit

  • RACI matrix document with all governance activities mapped
  • Organizational chart showing reporting lines for AI governance
  • Escalation procedure document
  • Training records for governance roles
  • Meeting minutes showing governance activities aligned to roles

Related Controls