Governance Framework

AI Governance Framework
for Mid-Market SaaS

A principles-based governance framework for PE-backed software companies navigating AI adoption.

1. Purpose & How to Use This Framework

Purpose

This framework provides a structured approach to AI governance for mid-market SaaS companies operating between $10M and $500M ARR. It is designed with particular relevance for PE-backed organizations navigating the pressure to adopt AI quickly while protecting the operational integrity and enterprise value that acquirers and investors scrutinize most closely. Governance here is not a compliance checkbox or a risk management tax on your engineering team. It is the infrastructure that lets you move faster with confidence — clear ownership, known risk tolerances, and repeatable controls that hold up when the board, a prospective acquirer, or a regulator asks how you govern AI in your business.

How to Use This Framework

This framework can be adopted as a complete governance program or used selectively by domain depending on where your organization has the most immediate exposure. If you are standing up governance from scratch, working through the domains in order provides a logical build sequence — policy and program management first, then risk, compliance, ethics, explainability, and vendor governance. If you already have partial governance in place, each domain is fully self-contained and can be read, assessed, and implemented independently without requiring the others.

Every domain follows the same seven-component structure to make adoption consistent and assessment straightforward: a Domain Statement that defines scope and intent; a Governing Principle that anchors the domain to a durable standard; a Maturity Model with five levels from ad hoc to optimized; a RACI Table assigning accountability across typical mid-market roles; Governance Indicators that signal whether controls are operating effectively; Industry Alignment mapping the domain to relevant frameworks (NIST AI RMF, ISO/IEC 42001, EU AI Act); and a PE Due Diligence Signal translating each domain into language and evidence that surfaces in M&A and growth equity processes. The number of RACI activities and governance indicators varies by domain — some domains have more distinct accountability surfaces than others — but the seven-component structure is consistent throughout.

Establish Your Baseline

Before working through the domains, the fastest way to establish your current state is to complete the JustKeenAI AI Readiness Assessment at assess.justkeenai.com. The assessment covers six dimensions of AI readiness; your Governance & Risk dimension scores map directly to maturity levels across all six domains, giving you a prioritized starting point rather than a blank slate.

Your Assessment Question	Framework Domain
"Does your company have a formal AI governance policy?"	Domain 1: AI Policy & Program Management
"How are AI-related risks (bias, hallucination, data privacy, regulatory) managed?"	Domain 2: AI Risk Management
"Are there regulatory or compliance requirements in your industry affecting AI deployment?"	Domain 3: Regulatory & Compliance Readiness
"Does your company have an AI ethics framework?"	Domain 4: AI Ethics & Responsible Use
"How prepared is your organization to explain AI-driven decisions?"	Domain 5: Explainability & Audit
"How does your organization govern AI vendors, sub-processors, and supply chain dependencies?"	Domain 6: AI Vendor & Supply Chain Governance

2. Governing Principles

These seven principles underpin every domain in this framework. They are not aspirational values — they are the load-bearing assumptions that determine whether a governance control is real or cosmetic. When in doubt about a governance decision, test it against the applicable principle first.

Principle 1

Human accountability is non-delegable.

An AI system cannot be the accountable party. Every AI capability has a named human owner — a person with a title, a reporting line, and explicit responsibility for what the system does and the decisions it influences.

Why this matters: When an acquirer asks "who is responsible for this AI system?" the answer must be a person, not a team name or a model version. Diffuse or absent accountability is one of the most common findings in AI-related due diligence gaps.

Principle 2

Evidence over policy.

A governance control that cannot produce evidence of enforcement is a governance gap, not a governance control. The question is never "do you have a policy?" — it is "what evidence exists that the policy is followed?"

Why this matters: Policies that exist only in documents do not survive due diligence. Auditors and acquirers ask for training records, scan results, audit logs, and incident reports. A well-written policy with no evidence trail is worse than acknowledged absence, because it suggests the organization doesn't know the difference.

Principle 3

Governance scales with blast radius.

The rigor of oversight is proportional to what the AI system can do, spend, or break. A copilot suggestion that a human reviews before acting gets lighter governance than an agent with production write access or the ability to send communications on behalf of the company.

Why this matters: Over-governing low-risk tools kills adoption and drives shadow AI. Under-governing high-risk agents creates liability that doesn't surface until something goes wrong. Right-sizing oversight requires knowing the blast radius before deploying.

Principle 4

Shadow AI is a governance failure, not a user failure.

When employees adopt unsanctioned AI tools, the governance program has failed to provide a viable sanctioned path. The right response is not punishment — it is discovery, followed by either enablement or risk-justified prohibition with a supported alternative.

Why this matters: Prohibition without alternatives produces hidden risk, not safer behavior. The fastest way to reduce shadow AI is to give people sanctioned tools that are at least as capable as what they found on their own, with clear guardrails that don't require them to think hard about compliance.

Principle 5

AI incidents are distinct from cyber incidents.

Model hallucination, bias drift, prompt injection, agent misbehavior, and output toxicity require their own response playbooks. Cyber incident response plans are built for different failure modes and different stakeholders.

Why this matters: A cyber IR plan does not cover "our AI recommended a harmful action to a customer" or "our agent sent 10,000 emails before anyone noticed." Different failure modes require different ownership, different escalation paths, and different post-incident analysis. Conflating them produces slow, confused responses.

Principle 6

Vendor governance is supply chain governance.

AI providers — model APIs, fine-tuning platforms, inference infrastructure — are critical operational dependencies, not interchangeable SaaS utilities. Concentration risk, data residency, model versioning, and contractual exit provisions for AI vendors carry different risk profiles than typical software procurement.

Why this matters: A company whose entire AI capability runs through a single provider has a single-vendor dependency at the infrastructure layer. That is a board-level risk in any PE portfolio company, and it is the kind of risk that appears as a finding in a quality-of-earnings review if not proactively documented and managed.

Principle 7

Governance enables velocity.

The purpose of this framework is not to slow AI adoption — it is to make adoption sustainable. A well-governed AI program moves faster because teams have clear boundaries, approved tools, known risk tolerances, and incident playbooks ready before they need them.

Why this matters: Ungoverned AI programs do not move faster; they move faster until the first significant incident, then they stall while leadership decides what to do. The companies that will compound AI advantage over time are the ones that build governance infrastructure early, not the ones that sprint without guardrails and then stop to clean up.

3. Governance Domains

Each domain follows the same seven-component structure: Domain Statement, Governing Principle, Maturity Model, RACI Table, Governance Indicators, Industry Alignment, and PE Due Diligence Signal. Domains 1 and 2 are available below. Domains 3–6 are available with an Insider membership.

3.1 AI Policy & Program Management

Assessment link: "Does your company have a formal AI governance policy?"

Domain Statement

This domain covers the foundational policy infrastructure that makes every other governance domain enforceable. AI Policy & Program Management defines the organizational scope of AI governance, establishes acceptable-use boundaries across all AI systems, codifies approval workflows for new AI tool adoption, and sets a review cadence that keeps policy current as the technology and regulatory landscape evolve. Critically, this domain explicitly addresses shadow AI — tools adopted outside IT procurement — because an AI governance program that only covers sanctioned tools has a large, invisible blind spot.

Governing Principle

This domain enforces Principle 2: Evidence over policy. A governance control that cannot produce evidence of enforcement is a governance gap, not a governance control. The question is never "do you have a policy?" — it is "what evidence exists that the policy is followed?" Every component of Domain 1 is designed to generate auditable evidence, not just documentation.

Maturity Model

Level	Description
1 — Absent	No AI governance policy exists; the organization has not formally discussed who is responsible for AI oversight, and individual teams or employees are making AI adoption decisions entirely at their own discretion with no central visibility.
2 — Acknowledged	AI governance has been recognized as a need at the leadership level, but no formal policy has been drafted, no owner has been designated, and no budget or timeline has been committed to closing the gap.
3 — Informal	Informal guidelines exist — typically a Slack channel, a Confluence wiki page, or an all-hands slide — but they are not enforced, have no designated owner, have not been reviewed since they were created, and most employees are unaware they exist.
4 — Formal	A written AI governance policy exists with a named owner, an explicit version number and effective date, org-wide communication of the formal versioned policy document (not an informal guideline or one-time awareness communication), a defined approval workflow for new AI tools, and a scheduled annual review cycle with an assigned reviewer.
5 — Optimized	The policy is actively enforced with documented evidence: training completion rates are tracked, shadow AI discovery scans run quarterly with findings logged, the approval workflow produces an audit trail for every tool request, policy violations result in documented follow-up, and the review cycle incorporates feedback from engineering, legal, and security before each version is published.

RACI Table

Activity	R (Responsible)	A (Accountable)	C (Consulted)	I (Informed)
Draft AI governance policy	CTO	CEO	CISO, Legal, CHRO	Board
Maintain AI inventory (sanctioned + shadow)	CISO	CTO	Engineering leads	CEO
Annual policy review cycle	CTO	CEO	All C-suite	Board, PE sponsor
AI tool approval workflow	CTO	CTO	CISO, Procurement	Engineering leads
Employee training on AI policy	CHRO	CEO	CTO, Legal	Board
Shadow AI discovery scans	CISO	CTO	Engineering leads	CEO

Governance Indicators

Published AI governance policy with a version history showing at least one completed review cycle
AI tool inventory (sanctioned and shadow) with a documented last-refreshed date no older than 90 days
Shadow AI discovery scan results logged on a quarterly cadence, with disposition documented for each finding (approved, prohibited, or under review)
Policy training completion rates by department, with records showing who completed training and when
AI tool approval workflow audit log showing all requests, reviewers, and outcomes
Named policy owner with a title, reporting line, and explicit accountability documented in the policy itself

Industry Alignment

This domain maps to the NIST AI RMF GOVERN function, which establishes the organizational practices, culture, and processes necessary for responsible AI risk management. It also aligns with ISO/IEC 42001 Clause 5 (Leadership and AI Policy), which requires top management to establish an AI policy that is appropriate to the organization’s context, provides a framework for setting AI objectives, and is communicated and made available to relevant stakeholders.

PE Due Diligence Signal

An acquirer asks: "Can you show us your AI governance policy and tell us how you enforce it?" A governance posture that still has too many gaps sounds like a CTO opening a shared Confluence page last edited eight months ago, acknowledging that few engineers know it exists, and explaining that there is no formal enforcement mechanism — the acquirer notes a governance gap and flags it as a finding. A well-governed, risk-mitigated posture sounds like a CTO producing a versioned policy document with a review history, pulling up a dashboard showing training completion rates by department, sharing a quarterly shadow AI scan report with three tools flagged and dispositioned, and walking through the last five entries in the tool approval workflow audit log. The acquirer sees a governance program that has been exercised, not just written — and that distinction carries material weight in both the risk assessment and the negotiations.

3.2 AI Risk Management

Assessment link: "How are AI-related risks (bias, hallucination, data privacy, regulatory) managed?"

Domain Statement

This domain establishes the proactive infrastructure for identifying, assessing, and mitigating risks that are specific to AI systems — including model bias and fairness failures, hallucinated outputs that propagate into decisions or customer communications, data privacy exposure from model training or inference, adversarial manipulation through prompt injection or jailbreaking, and operational failures from agentic systems with real-world authority. These risk categories require a dedicated framework and cross-functional ownership; they cannot be adequately addressed by folding them into existing IT or cyber risk programs. This domain requires board-level visibility because the blast radius of a significant AI incident — reputational, regulatory, financial, or operational — can be material to enterprise value.

Governing Principle

This domain enforces Principle 3: Governance scales with blast radius. The rigor of AI risk oversight is proportional to what each system can do, spend, or break — and the core operational concept of this domain is blast-radius scoping: documenting the scope, privileges, and kill-switch ownership of every deployed AI agent. Principle 5 (AI incidents are distinct from cyber incidents) is also directly applicable here, particularly at maturity levels 4 and 5 where dedicated incident response playbooks and tabletop exercises are required.

Maturity Model

Level	Description
1 — Unmanaged	AI risks are not actively managed; the organization has no inventory of AI-specific risk categories, no process for assessing the risk of AI deployments before they go live, and no incident history because incidents are not distinguished from general IT failures.
2 — Acknowledged	AI-specific risks such as hallucination, bias, and data exposure have been identified and discussed at the leadership level, but there is no formal risk register, no assigned ownership, and no systematic process for assessing or mitigating them before or after deployment.
3 — Siloed	Individual engineering or product teams manage AI risks within their own systems on an ad hoc basis, producing inconsistent documentation and review practices across the organization, with no cross-functional framework to aggregate findings, no shared taxonomy, and no escalation path to leadership.
4 — Cross-functional	A formal AI risk framework is in place with a shared risk register, defined risk categories, regular cross-functional review sessions (at minimum quarterly), assigned risk owners, and a documented escalation path to the CTO and CEO for high-severity findings.
5 — Board-visible	The AI risk program operates with full organizational integration: the board receives a regular AI risk summary, every deployed AI agent has documented blast-radius scoping and a named kill-switch owner, adversarial testing (prompt injection, red-teaming) runs on a defined cadence with findings logged, a tabletop exercise has been completed in the last 12 months for an AI-specific incident scenario, and quantified risk metrics (e.g., hallucination rate, bias delta, incident count) are tracked over time.

RACI Table

Activity	R (Responsible)	A (Accountable)	C (Consulted)	I (Informed)
AI risk register maintenance	CTO	CEO	CISO, Legal	Board
Agent blast-radius documentation	Engineering leads	CTO	CISO	CEO
Prompt injection / adversarial testing	CISO	CTO	Engineering leads	CEO, Board
AI incident tabletop exercises	CTO	CEO	CISO, Legal, Comms	Board
AI-specific incident response plan	CISO	CTO	Legal, Comms	CEO, Board
Bias and hallucination rate monitoring	Engineering leads	CTO	Product	CEO

Governance Indicators

AI risk register with named risk owners, severity ratings, mitigation status, and a documented review cadence no less frequent than quarterly
Blast-radius documentation for every deployed AI agent, specifying the systems it can read or write to, the communications it can send, the maximum spend or action authority it holds, and the name and title of its kill-switch owner
Adversarial testing log showing prompt injection and red-team exercise cadence, scenarios tested, and findings with disposition
AI-specific incident response plan that is distinct from the cyber IR playbook, with its own escalation paths, role assignments, and communication templates
Tabletop exercise record showing an AI-specific scenario has been run in the last 12 months, with findings and follow-up actions documented
Quantified AI risk metrics tracked over time (e.g., hallucination rate per model, bias evaluation results, incident count by category)

Industry Alignment

This domain maps to the NIST AI RMF MAP and MEASURE functions, which together cover the identification of AI risks in context and the analysis and monitoring of those risks over the AI system lifecycle. It also aligns with the EU AI Act’s risk classification system (unacceptable, high, limited, minimal), which requires organizations deploying or integrating AI in the EU to assess risk tier before deployment and apply proportional conformity and monitoring requirements for high-risk applications.

PE Due Diligence Signal

The clearest signal in this domain is what happens when an acquirer asks the CTO to walk through every deployed AI agent: its purpose, what systems it can access, what it can do autonomously, and who owns its kill switch. A governance posture with too many gaps sounds like a pause followed by a partial list pulled from memory, with no documentation on agent scope and no certainty about what third-party APIs or internal systems each agent can reach — that pause is itself a finding. A well-governed posture sounds like a pre-built document produced in minutes, not hours, listing every agent, its blast radius (read vs. write access, communication authority, spend limits), its last security review date, and its named kill-switch owner by title. If that document doesn’t exist, the risk posture is undocumented — and undocumented risk is priced by acquirers as if it’s the worst case.

The framework continues with four additional governance domains: Domain 3 (Regulatory & Compliance Readiness), Domain 4 (AI Ethics & Responsible Use), Domain 5 (Explainability & Audit), and Domain 6 (AI Vendor & Supply Chain Governance) — each with full maturity models, RACI tables, governance indicators, and PE due diligence signals. The gated section also includes the four-quarter Implementation Roadmap, PE Value Creation & Due Diligence guidance, and the Industry Alignment Reference table mapping all six domains to NIST AI RMF, EU AI Act, and ISO/IEC 42001.

3.3 Regulatory & Compliance Readiness

Assessment link: "Are there regulatory or compliance requirements in your industry affecting AI deployment?"

Domain Statement

This domain covers the systematic mapping of applicable AI-specific regulations to current systems, gap analysis against those requirements, remediation tracking with documented timelines, and proactive monitoring of emerging regulatory changes before they become deployment blockers. The key word is proactive. Compliance in AI governance is not a point-in-time certification exercise — it is a continuous posture maintained across the organization’s full AI portfolio, updated as both the regulatory landscape and the company’s AI capabilities evolve. In regulated verticals such as financial services, healthcare, and insurance, the gap between "we are aware of these requirements" and "we have mapped them to our product capabilities with documented remediation status" is the gap between a deployment-ready AI program and one that is perpetually at risk of being stalled by the compliance team.

Governing Principle

This domain enforces Principle 7: Governance enables velocity. Proactive compliance removes blockers before they stall deployment. The organizations that move fastest through regulated environments are not the ones who ask legal for approval after a feature ships — they are the ones who identified the applicable regulatory requirements before the sprint started, mapped them to design decisions early, and maintained a remediation log that legal can sign off on without a six-week discovery process.

Maturity Model

Level	Description
1 — Unassessed	The regulatory implications of AI have not been assessed; the organization has not identified which regulations apply to its AI systems, and engineering and product teams are making AI deployment decisions without legal or compliance input on regulatory requirements.
2 — Aware	The organization is aware that regulatory requirements exist and has identified the general landscape (e.g., "GDPR applies to us," "the EU AI Act is coming"), but no formal compliance work has started — there is no gap analysis, no named owner, and no timeline for addressing requirements.
3 — Partial	Compliance requirements have been partially addressed in some areas, typically where a specific customer request or audit finding forced the issue, but coverage is inconsistent across AI capabilities and markets, and no single view exists of which requirements are met, in progress, or unaddressed.
4 — Mapped	Regulatory requirements are mapped to AI capabilities across the portfolio; most identified gaps have been remediated with documented evidence; a compliance review cycle is in place; and a process exists for ingesting new regulatory developments and assessing their impact on deployed systems.
5 — Proactive	The organization maintains a living regulatory applicability matrix updated on a defined cadence, with full gap analysis and remediation tracking tied to specific AI features and markets; a regulatory change monitoring process with assigned ownership produces documented impact assessments for new requirements within a defined SLA; and compliance posture is reported to the board on a regular basis.

RACI Table

Activity	R (Responsible)	A (Accountable)	C (Consulted)	I (Informed)
Regulatory landscape scan	Legal	CEO	CTO, CISO	Board, PE sponsor
Compliance gap analysis	Legal	CTO	Engineering leads, CISO	CEO
Remediation tracking	CTO	CEO	Legal	Board
Regulatory change monitoring	Legal	Legal*	CTO, CISO	CEO, Board

*Legal serves as both Responsible and Accountable for regulatory change monitoring, reflecting the specialized expertise required. Board-level reporting to CEO and Board (Informed) provides external oversight.

Governance Indicators

Regulatory applicability matrix identifying which regulations apply to which AI features and markets, with a documented last-reviewed date
Gap analysis with remediation status, named owner, and target completion date for each open item
Compliance review cadence documented and operating at a minimum semi-annual frequency, with meeting records and sign-off
Regulatory change alert process with a defined response SLA, assignment workflow, and log of changes assessed in the last 12 months
Board-level compliance summary included in regular AI governance reporting

Industry Alignment

This domain maps to the NIST AI RMF GOVERN function (legal and regulatory compliance obligations) and the MANAGE function (response to identified AI risks including regulatory gaps). It also aligns with EU AI Act conformity assessment requirements for high-risk AI systems, state-level AI legislation (Colorado SB 205, Illinois BIPA, and emerging state frameworks), and SOC 2 AI-specific controls emerging in Type II audits for SaaS companies with AI features that process customer data.

PE Due Diligence Signal

The question that surfaces most often in PE due diligence for AI-enabled SaaS is deceptively simple: "Does your company know which of its AI features would be classified as high-risk under the EU AI Act?" A governance posture with too many gaps sounds like a pause and a promise to get back to the questioner — signaling that the company has never mapped its AI capabilities to the risk classification framework at all. A well-governed posture sounds like a one-page applicability matrix produced on the spot: here are our AI features, here is how each is classified, here are the ones that required conformity assessment work, and here is the status of that work. If the company sells into financial services, healthcare, or insurance, the follow-up question is just as pointed: "Are AI compliance requirements mapped to product capabilities?" Acquirers pricing a regulated SaaS business need to know whether the compliance program is embedded in the product roadmap or bolted on at the last minute — because the latter creates material post-close risk that shows up in purchase price adjustments.

3.4 AI Ethics & Responsible Use

Assessment link: "Does your company have a published or internal AI ethics framework?"

Domain Statement

This domain covers the documented principles governing fairness, transparency, and accountability in AI systems deployed or developed by the organization. The critical distinction is between aspirational and operational: an ethics framework that lives in a slide deck presented at an all-hands and never referenced again is decoration, not governance. This domain moves beyond declarations to the enforcement mechanisms, testing protocols, and external accountability structures that make principles real — bias testing by AI feature, acceptable use policies with training completion tracking, and customer-facing disclosure practices that match what the technology actually does. An ethics framework that has been tested carries more governance weight than one that has merely been published.

Governing Principle

This domain enforces Principle 1: Human accountability is non-delegable. An AI system cannot be the accountable party. Every AI capability has a named human owner — a person with a title, a reporting line, and explicit responsibility for what the system does and the decisions it influences. In the ethics domain, this principle applies with particular force: when an AI system produces a biased outcome, makes a consequential recommendation, or fails in a way that harms a user, the question "who is responsible?" must have a human answer, and that answer must have been documented before the incident, not assigned after.

Maturity Model

Level	Description
1 — Absent	No AI ethics framework exists; the organization has not established principles governing how AI systems should be designed, evaluated, or deployed with respect to fairness, transparency, or accountability, and there is no documented ownership of ethics-related AI decisions.
2 — In Development	An AI ethics framework is under development — conversations have started, a draft may exist, or a working group has been formed — but nothing has been approved, communicated, or operationalized, and no testing or enforcement mechanisms are in place.
3 — Informal	Informal principles exist within engineering or product teams but have not been formally documented, reviewed by leadership, or enforced through any mechanism; coverage is inconsistent across teams and AI capabilities, and most employees could not articulate the organization’s AI ethics position.
4 — Documented	A documented AI ethics framework exists with a named owner, a defined version history, and internal communication to relevant stakeholders; an acceptable use policy for employees has been issued with documented training completion; and at least some AI features have designated accountability owners.
5 — Accountable	A published ethics framework — internal or external — is enforced through bias testing protocols with results logged by AI feature; acceptable use policy training completion rates are tracked by department; customer-facing AI disclosures accurately describe system behavior; and an external audit or third-party review has been completed in the last 24 months with findings documented and addressed.

RACI Table

Activity	R (Responsible)	A (Accountable)	C (Consulted)	I (Informed)
AI ethics framework development	CTO	CEO	CHRO, Legal, Product	Board
Bias testing protocols	Engineering leads	CTO	Data Science, Legal	CEO
Acceptable use policy for employees	CHRO	CEO	CTO, Legal	All employees
Customer-facing AI transparency	Product	CTO	Legal, Comms	CEO

Governance Indicators

Published AI ethics framework (internal or external) with version history and a documented last-review date
Bias testing results logged by AI feature, with methodology, evaluation cadence, and disposition of findings
Acceptable use policy issued and tracked, with training completion rates by department and a last-updated date
Customer-facing AI disclosure practices documented, with a review process to ensure disclosures remain accurate as models are updated or retrained
Named accountability owner for each AI system that makes or influences consequential decisions

Industry Alignment

This domain maps to NIST AI RMF GOVERN 1.2, which establishes organizational values, principles, and policies as the foundation for responsible AI risk management. It also aligns with the IEEE 7000 series on ethical considerations in autonomous systems design, and ISO 42001 Annex A (responsible AI objectives), which requires organizations to define and operationalize responsible AI objectives as part of their AI management system.

PE Due Diligence Signal

An ethics framework that has been tested is worth materially more than one that has been published. Acquirers have seen too many AI ethics slide decks that were written for a board presentation and never operationalized — no bias testing, no training records, no accountability assignments, no evidence that the principles were ever applied to a specific model or feature decision. The question that separates governance theater from governance substance is this: "Can you show me the bias evaluation results for your three most consequential AI features?" A governance posture with too many gaps sounds like a link to a Notion page with principles and no test data — the framework is aspirational, not operational. A well-governed posture sounds like a table of evaluation runs by feature, methodology, pass/fail thresholds, and remediation history — that is evidence of enforcement. Enforced ethics governance reduces acquirer risk and signals that the organization has thought carefully about what it is accountable for, not just what it believes.

3.5 Explainability & Audit

Assessment link: "How prepared is your organization to explain AI-driven decisions to customers, regulators, or the board?"

Domain Statement

This domain covers the organization’s ability to explain AI-driven decisions to customers, regulators, and the board — supported by audit trails, decision documentation, and designated accountability for each AI system. Explainability is not a retrospective activity; it is built into AI systems by design, with methodology and rationale captured at deployment, not reconstructed after the fact. In regulated environments and in any context where AI influences consequential outcomes, the ability to produce a clear, accurate account of how a decision was reached is a business requirement, not a technical nicety.

Governing Principle

This domain enforces Principle 1: Human accountability is non-delegable. Every AI system that makes or influences a consequential decision must have a named human owner — and explainability is what makes that accountability real. An accountable owner who cannot explain how their system reached a decision is accountable in name only. Principle 2 (Evidence over policy) is also directly applicable here: either an audit trail exists that can support a complete account of an AI-driven decision, or it does not.

Maturity Model

Level	Description
1 — Absent	No explainability infrastructure exists; the organization has not considered how AI-driven decisions would be explained to customers, regulators, or the board, and no audit trails, decision logs, or accountability assignments are in place for any AI system.
2 — Conceptual	Leadership could describe the AI system’s general purpose and approach at a high level, but there is no formal documentation, no audit trail, no tooling, and no process for reconstructing the rationale behind a specific decision made by a deployed AI system.
3 — Partial	Documentation exists for some key AI features, typically where a customer escalation or compliance conversation forced the issue, but coverage is inconsistent across the AI portfolio, methodology documentation is incomplete, and there is no systematic process for maintaining explainability artifacts as models are updated or retrained.
4 — Systematic	Explainability requirements are defined and implemented by AI feature; decision rationale documentation is produced and maintained as part of each AI capability’s deployment and update process; audit trails are operational and queryable; and designated accountability is assigned to each AI system with a named owner.
5 — Board-Ready	Full audit trails are operational for every consequential AI system; decision documentation exists per feature and is updated when models change; designated accountability owners are named and documented per system; board-ready AI reporting templates are in use; and the organization can produce a complete, accurate explanation for any AI-driven decision within a defined response SLA.

RACI Table

Activity	R (Responsible)	A (Accountable)	C (Consulted)	I (Informed)
Explainability requirements by AI feature	Product	CTO	Legal, Engineering	CEO
Audit trail architecture	Engineering leads	CTO	CISO	Legal
Board-ready AI reporting	CTO	CEO	CFO	Board
Customer explainability — decision rationale	Product	CTO	Legal, Support	CEO

Governance Indicators

Audit trail coverage per AI feature, with a log confirming operational status and last-verified date
Explainability documentation per customer-facing AI decision, including methodology, inputs considered, and rationale format
Board reporting template for AI systems, with a defined cadence and documented delivery history
Designated accountability per AI system — named owner with title, reporting line, and explicit responsibility documented before deployment

Industry Alignment

This domain maps to EU AI Act Article 13 (transparency obligations for high-risk AI systems), which requires that high-risk AI systems be designed to allow deployers to interpret and explain outputs. It also aligns with NIST AI RMF MEASURE 2.6–2.8 (interpretability and explainability), which calls for systematic documentation of how AI outputs are generated and how decisions can be explained to affected parties. In financial services, FCRA and ECOA impose explanation requirements for credit decisions influenced by AI, making audit trail completeness a direct compliance obligation.

PE Due Diligence Signal

"Can you explain to a regulator how this AI feature made that decision?" A governance posture with too many gaps sounds like needing an engineer to reverse-engineer logs, query raw model outputs, and reconstruct the decision context from scratch — a process that takes days, not minutes, and may not produce a complete answer. Acquirers in regulated verticals — financial services, healthcare, insurance — treat unexplainable AI decisions as a liability that lands in the purchase price adjustment. A well-governed posture sounds like pulling up a structured decision record within minutes: the inputs the model considered, the output it produced, the rationale it applied, and the name of the human accountable for that system. If that record doesn’t exist by design, it cannot be produced on demand — and "we can probably reconstruct it" is not the same as an audit trail.

3.6 AI Vendor & Supply Chain Governance

Assessment link: "How does your organization govern AI vendors, sub-processors, and supply chain dependencies?"

Domain Statement

This domain covers the management of third-party AI providers, sub-processors, and model dependencies — including data handling practices, contractual protections, exit provisions, and concentration risk. AI vendors — model API providers, fine-tuning platforms, inference infrastructure, and AI-enabled SaaS tools that process customer data — are critical operational dependencies, not interchangeable software subscriptions. This domain treats AI vendor governance as supply chain governance: with the same rigor, visibility, and risk management discipline applied to any other single point of failure in the company’s operational infrastructure.

Governing Principle

This domain enforces Principle 6: Vendor governance is supply chain governance. AI providers are critical operational dependencies, not interchangeable SaaS utilities. Concentration risk, data residency, model versioning, and contractual exit provisions for AI vendors carry different risk profiles than typical software procurement — and the consequences of discovering that gap during a diligence process are materially worse than discovering it during a governance review.

Maturity Model

Level	Description
1 — Invisible	The organization has no visibility into which AI vendors hold company or customer data; AI tool procurement has occurred across teams without central tracking, and there is no way to produce a complete picture of AI-related data exposure to third parties.
2 — Known	AI vendors are known at an inventory level but have not been formally assessed, risk-tiered, or tracked; no contractual review has been conducted specifically for AI data handling provisions, and there is no owner responsible for AI vendor governance.
3 — Tracked	An AI vendor list exists with basic information; some contractual protections are in place, typically inherited from standard software procurement processes rather than AI-specific review; data handling provisions have been reviewed in some cases but coverage is incomplete.
4 — Governed	A formal AI vendor register is maintained with security attestations, data handling documentation, exit provisions, and a defined review cadence; risk tiering assigns higher scrutiny to vendors with access to customer data or production systems; and a designated owner is responsible for keeping the register current.
5 — Resilient	Comprehensive vendor governance is in place with concentration risk analysis identifying single-provider dependencies; sub-processor tracking documents the full data flow for each AI vendor; AI-specific insurance endorsements are in force; the vendor register is reviewed on a defined cadence with documented outcomes; and the organization can produce a complete picture of its AI supply chain — including what customer data each vendor can access, under what terms, and what happens when the contract ends.

RACI Table

Activity	R (Responsible)	A (Accountable)	C (Consulted)	I (Informed)
AI vendor register & risk tiering	CISO	CTO	Procurement, Legal	CEO
Vendor security attestation review	CISO	CTO	Legal	CTO
Data retention & exit provisions	Legal	CTO	CISO, Procurement	CEO
AI vendor concentration risk analysis	CTO	CEO	CFO, CISO	Board, PE sponsor
AI insurance program review	CFO	CEO	Legal, CISO	Board

Governance Indicators

AI vendor register with security attestations, risk tier assignments, and review dates for each vendor
Data sub-processor tracking per vendor, documenting what customer or company data is shared, under what terms, and where it is retained
Contractual exit clause enforcement log, confirming that AI-specific exit provisions exist and have been reviewed in active vendor contracts
Vendor concentration analysis mapping single-provider dependencies at the AI capability layer, with documented mitigation or acceptance decisions
AI-specific insurance endorsement confirmed — not generic cyber coverage, but coverage that addresses AI-related failure modes including model performance, data exposure, and third-party AI system failures

Industry Alignment

This domain maps to NIST AI RMF GOVERN 5, which addresses the governance of AI risks in the context of third-party relationships and supply chain dependencies. It also aligns with EU AI Act supply chain obligations for organizations that integrate AI components from third-party providers, and with ISO 27001 supplier relationship controls, which require systematic management of the security risks associated with supplier access to organizational information and systems.

PE Due Diligence Signal

Vendor concentration in the AI layer is the supply chain risk that most PE-backed companies have not priced — and it surfaces in diligence with a regularity that should alarm any company running ungoverned AI procurement. The questions are pointed: How many critical AI capabilities depend on a single vendor? What happens to customer data when an AI vendor contract ends? Does your AI insurance program specifically cover AI-related failure modes? A governance posture with too many gaps sounds like uncertainty about vendor dependencies, no documented exit procedures, data residency becoming a negotiation under time pressure, and insurance coverage that stops at generic cyber — concentration risk, data exposure risk, and coverage gaps carried simultaneously, all undocumented and invisible to the board. A well-governed posture sounds like a vendor register produced in minutes, a concentration analysis that has already been presented to the board, exit provisions reviewed and enforced per contract, and insurance endorsements that were reviewed by someone who understood what they were buying. The difference is discoverable in a quality-of-earnings review — and by then, the pricing implications are already set.

4. Implementation Roadmap

The four phases below are designed to be implemented sequentially — each phase produces the preconditions that make the next phase executable. Phase 1 deliverables (policy, inventory, RACI) are not bureaucratic overhead; they are the foundation without which risk management, compliance mapping, and ethics testing cannot be scoped or assigned. An organization that skips Phase 1 and goes directly to ethics testing or vendor governance will find that it cannot assign accountability, cannot scope a risk register, and cannot answer the first question in any diligence process. The pace at which an organization moves through these phases will depend on its size, complexity, and current governance maturity — this framework does not prescribe a timeline but does prescribe the sequence. These phases can be managed as a dedicated transformation program or integrated into an existing operational improvement cadence.

Phase	Focus	Domains	Key Deliverables	Board Checkpoint
Phase 1 — Foundation	Policy & inventory	1, 2	AI governance policy, AI tool inventory, risk register draft, RACI assignments across all domains	Present policy and RACI for board endorsement
Phase 2 — Risk & Compliance	Risk controls & regulatory mapping	2, 3, 6	Blast-radius documentation, regulatory applicability matrix, AI vendor register	Report risk posture and compliance gaps
Phase 3 — Ethics & Explainability	Testing & audit infrastructure	4, 5, 2	Ethics framework, audit trail architecture, first AI tabletop exercise	Present ethics framework; tabletop findings
Phase 4 — Maturity & Review	Ongoing cycle & reassessment	All	Annual governance review, board reporting cadence, reassessment via AI Readiness Assessment	Full governance maturity report

For organizations with more than 300 employees, consider divisional rollouts — piloting the framework in one business unit or product line before expanding company-wide. The coordination overhead of cross-functional RACI alignment and multi-division risk register maintenance is significant, and a successful divisional pilot produces the organizational evidence and internal champions that make broader adoption more effective.

5. PE Value Creation & Due Diligence

5.1 Due Diligence Readiness

Governance artifacts are data room items. Growth equity and M&A buyers increasingly include AI governance as a distinct diligence workstream — not as a proxy for cyber security, but as a standalone evaluation of how the company has thought about and managed the risks specific to AI adoption. The table below maps each governance domain to the typical diligence request and what a credible response looks like. Companies that have worked through this framework can answer these questions from existing documentation, not from first principles under time pressure.

Domain	Typical Diligence Request	What "Good" Looks Like
1. Policy & Program	"Show us your AI governance policy"	Versioned document, training records, shadow AI scan results
2. Risk Management	"What AI risks have you identified?"	Blast-radius documentation per deployed agent, active risk register with severity ratings, tabletop exercise results
3. Compliance	"How do you handle AI regulation?"	Applicability matrix with remediation tracker
4. Ethics	"Do you have an AI ethics framework?"	Published framework with bias testing evidence
5. Explainability	"Can you explain this AI decision?"	Audit trail per feature, board reporting template
6. Vendor Governance	"Who are your AI vendors?"	Vendor register with attestations, exit provisions, concentration analysis

5.2 Risk-Adjusted Valuation

Ungoverned AI creates valuation risk across four dimensions that acquirers and operating partners are increasingly able to identify and price. Regulatory exposure is the most visible: a company whose AI features have not been mapped to the EU AI Act’s risk classification framework, or whose compliance posture in a regulated vertical cannot be documented, is carrying a remediation liability that a buyer will quantify and reflect in the purchase price. Customer liability risk is adjacent but distinct — when an AI system causes harm and the company has no disclosure plan, no incident response playbook, and no documented accountability owner, the liability calculation becomes open-ended.

Key-person dependency is a subtler but equally material risk. AI systems built without documentation, blast-radius scoping, or formal ownership create organizational fragility: the capability exists only as long as the engineer who built it stays. In a quality-of-earnings review, an undocumented AI system that one engineer can explain and nobody else can is not an asset — it is a risk. Shadow AI compounds all of these problems: tools adopted outside IT procurement represent unknown data exposure, undisclosed vendor dependencies, and AI capabilities that cannot be governed because they were never inventoried. An acquirer who discovers shadow AI in due diligence is not looking at a governance gap — they are looking at evidence that the governance program was not real.

5.3 The Exit Narrative

Mature AI governance is not a compliance story — it is a value creation story. The company that comes to exit with a versioned governance policy, an active risk register, a vendor register with concentration analysis, and bias testing results by AI feature is telling a different story than the one that adopted AI fast and dealt with governance later. The governance program is evidence that the organization understood what it was building, built it responsibly, and created infrastructure that the next owner can rely on rather than rebuild. That is the story an operating partner tells the next buyer: this team did not just move fast with AI, they moved fast with judgment. They built the capability and the controls at the same time, which means the acquirer is buying operational excellence and management quality alongside the AI capability itself. Governance maturity at exit is not a checkbox — it is the difference between a feature on the pitch deck and a defensible claim about how the company is run.

6. Industry Alignment Reference

The table below maps each governance domain to relevant external frameworks and regulatory instruments. This is a directional reference, not a compliance matrix. The mappings identify the closest analogs in each framework rather than claiming exhaustive coverage — multiple sections of any given standard may be relevant to a single domain, and the reverse is also true. Organizations in regulated verticals — financial services, healthcare, insurance, government contracting — should conduct detailed compliance mapping with legal counsel before relying on this table for regulatory decision-making.

Domain	NIST AI RMF	EU AI Act	ISO/IEC 42001	Other
1. AI Policy & Program Management	GOVERN (organizational governance)	General provisions, Chapter I	Clause 5 (Leadership), Clause 5.2 (AI Policy)	—
2. AI Risk Management	MAP (context & risk framing), MEASURE (assessment)	Title III risk classification (Art. 6–7)	Clause 6 (Planning), Clause 8 (Operation)	—
3. Regulatory & Compliance	GOVERN (legal compliance), MANAGE (response)	Title III conformity assessment (Art. 43)	Clause 4 (Context of the organization)	SOC 2 AI controls; state AI laws (CO SB 205, IL BIPA)
4. AI Ethics & Responsible Use	GOVERN 1.2 (values and principles)	Art. 27 (fundamental rights impact assessment)	Annex A (AI objectives & controls)	IEEE 7000 (ethical design)
5. Explainability & Audit	MEASURE 2.6–2.8 (interpretability & transparency)	Art. 13 (transparency), Art. 14 (human oversight)	Clause 9 (Performance evaluation)	FCRA/ECOA (credit decision explanations)
6. Vendor & Supply Chain	GOVERN 5 (third-party risk)	Art. 25–28 (supply chain obligations)	—	ISO 27001 (supplier relationships)

The regulatory landscape for AI is evolving at a pace that makes any static reference table a starting point, not a destination. The EU AI Act implementation timeline, state-level legislation in the United States, and sector-specific regulatory guidance from financial regulators, healthcare agencies, and data protection authorities are all in active development. Semi-annual review of this mapping against Domain 3’s regulatory change monitoring process is recommended — the goal is to catch material shifts in applicability before they become deployment blockers or diligence findings.

Put This Framework to Work

Start with your governance baseline, or license the framework for portfolio-wide implementation.

Assess Your Governance Baseline → License the Framework →

AI Governance Frameworkfor Mid-Market SaaS

1. Purpose & How to Use This Framework

Purpose

How to Use This Framework

Establish Your Baseline

2. Governing Principles

3. Governance Domains

3.1 AI Policy & Program Management

Domain Statement

Governing Principle

Maturity Model

RACI Table

Governance Indicators

Industry Alignment

PE Due Diligence Signal

3.2 AI Risk Management

Domain Statement

Governing Principle

Maturity Model

RACI Table

Governance Indicators

Industry Alignment

PE Due Diligence Signal

Subscribe to Access the Full Framework

3.3 Regulatory & Compliance Readiness

Domain Statement

Governing Principle

Maturity Model

RACI Table

Governance Indicators

Industry Alignment

PE Due Diligence Signal

3.4 AI Ethics & Responsible Use

Domain Statement

Governing Principle

Maturity Model

RACI Table

Governance Indicators

Industry Alignment

PE Due Diligence Signal

3.5 Explainability & Audit

Domain Statement

Governing Principle

Maturity Model

RACI Table

Governance Indicators

Industry Alignment

PE Due Diligence Signal

3.6 AI Vendor & Supply Chain Governance

Domain Statement

Governing Principle

Maturity Model

RACI Table

Governance Indicators

Industry Alignment

PE Due Diligence Signal

4. Implementation Roadmap

5. PE Value Creation & Due Diligence

5.1 Due Diligence Readiness

5.2 Risk-Adjusted Valuation

5.3 The Exit Narrative

6. Industry Alignment Reference

Put This Framework to Work

AI Governance Framework
for Mid-Market SaaS