RACI Roles & Responsibilities Matrix
Purpose
Defines roles and responsibilities across all AI governance activities using RACI assignments.
1. Purpose
Explain why clear role definition is critical for AI governance.
This matrix defines who is Responsible, Accountable, Consulted, and Informed for each AI governance activity at [ORGANIZATION NAME]. Clear role assignment prevents gaps in oversight, eliminates duplicated effort, and ensures every AI governance task has a single accountable owner.
R = Responsible (does the work) | A = Accountable (owns the outcome) | C = Consulted (provides input) | I = Informed (kept updated)
Document Owner: [ROLE TITLE]
Last Updated: [DATE]
2. Governance Roles
Define each role referenced in the RACI matrix with responsibilities and required skills.
| Role | Description | Typical Title |
|---|---|---|
| AI Governance Committee | Cross-functional body that sets AI strategy, approves policies, and oversees risk | Committee (CTO, CISO, Legal, Business) |
| AI Program Lead | Day-to-day coordination of AI governance activities | Director of AI / AI Program Manager |
| AI System Owner | Business owner of a specific AI system; accountable for its outcomes | Product Manager / Business Unit Lead |
| ML Engineer | Develops, trains, and maintains AI models | ML Engineer / Data Scientist |
| Security Team | Assesses and mitigates AI-specific security risks | AppSec Engineer / Security Analyst |
| Legal/Privacy | Ensures regulatory compliance and data protection | Privacy Officer / Legal Counsel |
| Operations | Deploys, monitors, and maintains AI systems in production | DevOps / MLOps Engineer |
3. RACI Matrix
Map each governance activity to role assignments. Every row must have exactly one A.
| Activity | AI Gov Committee | AI Program Lead | System Owner | ML Engineer | Security | Legal/Privacy | Operations |
|---|---|---|---|---|---|---|---|
| AI Policy Development | A | R | C | I | C | C | I |
| Risk Appetite Setting | A | R | C | I | C | C | I |
| New AI System Approval | A | R | R | C | C | C | I |
| Vendor Evaluation | I | A | R | C | R | C | I |
| Risk Assessment | I | A | R | C | R | C | I |
| Model Development | I | I | A | R | C | I | I |
| Security Testing | I | I | I | C | A/R | I | I |
| Deployment Approval | I | A | R | C | R | I | C |
| Production Monitoring | I | I | A | C | C | I | R |
| Incident Response | I | A | C | C | R | C | R |
| Compliance Reporting | A | R | C | I | C | R | I |
| Annual Review | A | R | C | C | C | C | C |
4. Escalation Paths
Define how disagreements and gaps in the RACI are resolved.
Escalation Rules
- Missing Accountable: If no individual is accountable for an AI governance task, the AI Program Lead assumes interim accountability and escalates to the AI Governance Committee within 5 business days.
- Conflicting Responsibilities: When two roles disagree on approach, the Accountable party makes the final decision. If the Accountable party is conflicted, escalate to the AI Governance Committee.
- Resource Gaps: If the Responsible party lacks capacity, the Accountable party must either reallocate resources or escalate to the AI Governance Committee for prioritization.
Review Schedule
This RACI matrix is reviewed semi-annually and updated whenever organizational structure changes, new AI systems are deployed, or new roles are created.