Responsible AI governance

Due to the myriad complex potential risks and their impacts, responsible AI governance cannot just be a compliance exercise or a technical checklist. It is strategic and it requires a holistic, ethics-led approach. In an environment saturated with hype and pressure to adopt, true responsibility demands that organisations look beyond the capabilities of the technology to consider the broader context of its impact. It requires moving from asking "Can we build this?" to "Should we build this, and how does it align with our core values?"

Effective governance ensures that AI serves the organisation’s mission and stakeholders, rather than dictating them.

The Role of the Board

The board holds ultimate accountability for the organisation’s use of AI, making engagement a fiduciary duty rather than an optional oversight function. To govern effectively, boards must move beyond delegating AI strategy and decisions entirely to technical teams and instead provide high-level stewardship that aligns technology with organisational values, risk appetite, and long-term sustainability. Board members individually and collectively need to appreciate both the opportunities and the risks that technology presents.

This begins with rigorous strategic oversight, where directors challenge the narrative of inevitability and scrutinise the "why" behind every major AI initiative. Adoption must be driven by genuine strategic need and due diligence, not by FOMO or peer pressure. If a business case relies solely on the novelty of the technology or the fact that competitors are using it, the board has a duty to pause and demand a stronger, values-led justification.

Beyond strategy, directors must possess a functional literacy in AI risks to ask probing questions. They cannot absolve themselves of the need to understand what these technologies are and what they can and cannot do. While they need not be data scientists, they must understand the nuances of algorithmic bias, data privacy vulnerabilities, the potential for workforce deskilling, and the reputational dangers of "ethics-washing." A board that cannot distinguish between a vendor’s marketing claims and technical reality is ill-equipped to govern.


"AI adoption must be driven by genuine strategic need and due diligence, not by FOMO or peer pressure."


This literacy enables the board to act as ethical stewards, setting a tone from the top that prioritises human welfare and integrity over speed or cost-cutting. They must define the organisation’s red lines, or areas where AI will not be used regardless of potential profit, and ensure that clear accountability chains exist. Crucially, the board must ensure that the organisation’s legal defence strategy (compliance) does not become confused with its ethical framework (morality), recognising that compliance should be the floor and what is legal isn’t always ethical.

Boards should survey their composition, using a skills matrix to highlight weaknesses in their knowledge and skillset, and feed the output into recruitment efforts. Some boards have adopted the approach of actively seeking to appoint a digital lead or digital trustee to provide a focal point for board oversight (though of course the responsibility remains collective).


Ethical Principles

Ethical principles form the moral compass of an organisation’s AI strategy, so they cannot be outsourced or adopted from a generic template. No external vendor or industry body can dictate what is ethical in a particular context, or in relation to particular communities; these principles must be intrinsically tied to an organisation’s unique mission and core values. Defining them requires an intentional, deliberate process under clear leadership, carried out in consultation with staff and stakeholders. This ensures the principles are not abstract but a genuine reflection of the organisation’s collective conscience and operational reality.

But defining these principles is only the beginning. For ethical principles to be meaningful, they must be operationalised as the primary filter for decision making. They must be embedded in procurement, risk assessments, and performance reviews, possessing the authority to halt projects that violate core values. True responsible governance means that these self-defined principles are lived and defended, even when it is difficult or costly to do so. It is much easier said than done. 


Embedding AI governance in your organisation

Effective AI governance cannot exist as a standalone policy document or a siloed committee; it must be embedded into the very fabric of the organisation’s culture, operations, and decision-making processes. Embedding governance means creating an environment where responsible AI use is the default behaviour, not an afterthought, and where transparency, human oversight and control, and collaboration are integrated. It requires shifting from a mindset of "compliance at the end" to "responsibility by design," ensuring that ethical considerations are present at every stage of the AI lifecycle, from conception to decommissioning.

AI Leadership

Governance begins with clear leadership and defined structures that empower responsible decision making through collaboration and clear accountability. While the specific model will depend on the organisation's size and complexity, ranging from a formal AI Governance Committee to a lighter-weight steering group, the fundamental requirement remains the same: cross-departmental input is non-negotiable. AI impacts too many areas to be managed by IT alone, so any chosen body should include representatives from legal, compliance, data science, HR, operations and ethics (where an organisation has these), alongside voices from the front line, that is, those who might come into contact with AI platforms. For sports bodies, this should also include athlete or participant representation if possible and coaching staff to ensure decisions reflect the realities of performance and welfare. This diversity ensures that decisions are not made in a technical vacuum and that practical, human implications are central to the discussion. Regardless of its formal title, this group must have the explicit authority to pause, modify, or halt AI projects that fail to meet ethical or safety standards. Without this "stop power," governance becomes merely advisory and ineffective.

To prevent the "diffusion of responsibility" where everyone assumes someone else is checking for errors, clear accountability chains must be established and communicated across the organisation. It must be explicitly documented who owns the risk, who is responsible for monitoring performance, and who has the final sign-off on deployment. When roles are ambiguous, risks are overlooked; when they are defined, accountability is actionable. By embedding these structures, leadership ensures that responsibility for AI is shared, visible, and enforceable, creating a resilient foundation for ethical use.

Organisational Culture

As we have already covered in the Risks, technology is never neutral as it reflects the culture of those who build, deploy, and use it. Therefore, a robust governance framework cannot exist in a vacuum - it needs an organisational culture that actively values critical thinking over blind efficiency and human judgement over algorithmic convenience.

Organisations must actively combat automation bias by fostering a culture where staff are encouraged to question algorithmic outputs. Leadership must model this by openly discussing AI limitations and errors, creating an environment where transparency about what the technology cannot do is valued as highly as what it can. This signals that human expertise is valued and remains paramount.

This culture of critical engagement must be underpinned by profound psychological safety. Staff must feel entirely secure in raising concerns about AI tools without fear of reprisal, ridicule, or being labelled as "resistant to change." If an employee notices a model behaving erratically, producing discriminatory results, or compromising data security, there must be clear and trusted whistleblower channels for reporting these issues.

A culture of silence can be one of the greatest risks to AI safety as it allows errors to compound and harms to escalate unnoticed. A culture of open inquiry, on the other hand, where questioning the machine is encouraged and protected, acts as the strongest defence against systemic failure. This requires leaders to respond to concerns with support, curiosity and gratitude rather than defensiveness, reinforcing that the goal is responsible outcomes, not just rapid deployment.

Crucially, a responsible culture must rigorously protect workers’ rights and the integrity of consent. The introduction of AI often brings significant changes to workflows, performance monitoring, and data collection, creating a risk of "forced consent" where employees feel compelled to agree to new terms or surveillance measures simply to retain their employment or favourable standing. True governance rejects this coercion. It demands that the deployment of AI respects the autonomy of the workforce, ensuring that consent for data usage or new monitoring tools is informed, voluntary, and meaningful. This involves transparent dialogue with staff and their representatives before implementation, clearly explaining the implications of AI adoption on their roles and rights.

Ultimately, the organisation’s core values must serve as the primary filter for all AI adoption, superseding the pressure to move fast or cut costs. When faced with a choice between a faster, cheaper AI-driven solution and a slower, more human-centric alternative, the decision must be guided by which option better aligns with the organisation’s mission and ethical commitments. This means explicitly rejecting the notion that "capability equals permission." Just because a tool can automate a sensitive process or scrape vast amounts of data does not mean the organisation should allow it. By embedding these values into daily operations, the organisation ensures that AI serves its people and principles, rather than allowing the technology to dictate the terms of engagement or erode the human elements that define its purpose.

Training

Governance is only as strong as the people who enact it. A robust training strategy must follow a deliberate logical progression, prioritising ethical reasoning over technical mechanics. It must first establish the why, then determine the if, followed by the when, and finally the what and how. Without this hierarchy, organisations risk training staff to use tools efficiently without understanding whether they should be used at all, leading to uncritical adoption and unnecessary risk.

Why → If → When → What → How

Training must begin by grounding every employee or volunteer in the why: the ethical and business justification and purpose behind AI adoption. Before any tool is introduced, staff must understand the organisation’s values and the concept of "responsibility by design." This stage challenges employees to distinguish between genuine strategic value, such as enhancing safety or accessibility, and hollow drivers like hype, fear of missing out, or cost-cutting at the expense of quality. If the purpose cannot be clearly articulated in alignment with the mission, the process needs to stop. This foundational step ensures that the workforce views AI as a means to serve human values, not an end in itself.

Once the purpose is clear, the focus shifts to the if, i.e. determining whether AI is actually necessary or appropriate. This stage cultivates restraint, empowering staff to challenge the assumption that AI is always the answer. Training must encourage critical evaluation of whether the risks, such as bias, privacy erosion, or loss of human connection, outweigh the benefits. It reinforces the principle that choosing not to deploy AI is a valid, often responsible, strategic decision. By normalising the question "Is this needed?", organisations prevent unnecessary exposure to risk and avoid solving problems with technology where human-centric processes are superior.

If AI is justified, training must then define the when: the specific boundaries of appropriate use. This involves developing the nuanced judgement to recognise contexts where AI is safe and effective versus where it is dangerous. Staff must learn to identify “non-negotiables” such as safeguarding, disciplinary decisions, or empathetic communication where AI is prohibited. They must also be able to recognise situational risks, such as handling sensitive data or operating in high-stakes environments where errors have severe consequences. The goal is to create a workforce that can instinctively distinguish between the green lines for AI assistance and the red lines for human-only execution.

Only after these ethical and contextual foundations are laid should training address the what and how: the technical execution. This final stage builds specific skills anchored in the previous three. It starts with foundational AI literacy for everyone, demystifying how models work, explaining probabilistic prediction, and highlighting limitations like hallucinations and bias. This ensures a shared language across the organisation. It then diverges into role-specific curricula: leadership learns governance and risk assessment; developers focus on secure coding and bias mitigation; and end users master prompt engineering, output verification, and data hygiene. By placing technical skills last, the organisation ensures that competence is secondary to ethical judgement. But this of course only applies if ethics is part of an organisation’s values!

To establish this hierarchy, training must utilise scenario-based learning that forces staff to practise this decision-making flow in real-world contexts. Simulations should present ambiguous situations where the technical "how" is easy, but the ethical "if" or "when" is difficult. Continuous education is also vital; as the technology evolves, the organisation’s understanding of the "why" and "if" must remain sharp to prevent drift into uncritical adoption. The result is not just a workforce that can use AI, but one that can use it responsibly.

Risk Assessment

The most effective approach to AI risk assessment is a continuous, dynamic process integrated into the entire lifecycle of a project, not a static compliance checkbox completed before launch.

Traditional IT risk models are not suitable because they focus on system stability, whereas AI introduces unique probabilistic risks like bias, hallucination, and societal harm. A robust framework begins with rigorous impact assessments. Before any tool is adopted or built, organisations must conduct a holistic evaluation that goes beyond technical performance to ask: "What happens if this goes wrong?" and "Who is most likely to be harmed?" This assessment must scrutinise training data for historical biases, evaluate the necessity of data collection against privacy principles, and model potential failure modes. It requires input from legal, ethical, and operational experts to ensure that risks to fairness, workforce well-being, and reputation are weighed equally against efficiency gains. If this assessment reveals that risks outweigh benefits or that the purpose is not sufficiently justified, the project must be halted or fundamentally rescoped.

Once deployed, the focus shifts to continuous monitoring and vigilance. Unlike standard software, AI models are dynamic and can degrade over time through "model drift," where performance deteriorates as real-world data shifts away from the training set. A model that is accurate today may become biased or unreliable tomorrow without any code changes. Therefore, organisations must implement automated monitoring tools paired with regular human audits to detect deviations in performance, emerging biases, or security vulnerabilities like prompt injection. This phase also demands specific incident response planning. Organisations must have clear protocols to recall a model, communicate transparently with stakeholders, investigate root causes, and remedy harm. Given the speed at which AI errors can scale, a slow or vague response can exacerbate damage significantly.

Finally, responsible risk assessment must cover the end of the lifecycle: decommissioning. Governance cannot stop at deployment; it must include clear procedures for safely retiring systems. This involves the secure deletion of sensitive operational data, the archiving of model versions for future audit or legal purposes, and the management of workforce transitions for staff affected by the automation. Crucially, the intensity of the assessment must be proportional to the risk. Low-risk administrative tools may require a lighter touch, but high-stakes applications involving eligibility, discipline, or sensitive personal data demand the highest level of scrutiny, frequent re-assessment, and strict human oversight. By treating risk assessment as an ongoing, holistic conversation rather than a one-off event, organisations can adapt to evolving threats and maintain a posture of genuine resilience.

Policy Development

Developing organisational policies puts the organisation’s principles into actionable rules and therefore acts as the operational foundation of governance. This applies to AI as it does to any other tool or technology. For most organisations, after completing your due diligence and if you have decided that it is useful to deploy AI tools, the most important policy is an Acceptable Use Policy. This must be finalised and communicated before any AI tool is deployed. A robust Acceptable Use Policy moves beyond vague guidance to explicitly define permitted activities and establish firm red lines, i.e. non-negotiable areas where AI use is strictly prohibited. These red lines should cover high-risk scenarios such as inputting sensitive data into public models, making final disciplinary decisions, conducting safeguarding assessments, or handling communications that require genuine empathy and moral judgment. By defining these absolute limits upfront, organisations remove ambiguity, empowering staff to make safe choices while ensuring critical human responsibilities are never outsourced to algorithms. The policy must also mandate transparency, requiring staff to disclose AI use in communications or decision-making processes where relevant.

The Acceptable Use Policy might also cover:

  • tools and platforms which have been cleared for use
  • an approved process for requesting use of new platforms, requiring stringent security and compliance standards
  • controls that protect organisation/business and client data
  • investment in enterprise-level packages, if usage is adopted (but don't assume that all data is therefore protected)
  • data handling protocols
  • access controls, including role-based permissions and monitoring to prevent the use of unauthorised platforms
  • emergency controls to block access to non-approved platforms
  • consequences of breaching the policy


AI policies cannot exist in isolation - they must be fully aligned with existing organisational frameworks. New AI guidelines should be integrated into, or explicitly referenced by, current policies on data protection, IT security, HR, safeguarding, environmental/sustainability, fair work, ethical, equality and communications. This ensures consistency and prevents conflicting instructions that could leave staff unsure of their obligations. For instance, AI data handling rules must reinforce, not contradict, GDPR compliance procedures, and AI usage in recruitment must align with established equality and diversity policies. By integrating AI governance into the broader policy fabric, organisations create a cohesive standard of conduct rather than a fragmented set of rules.

Finally, AI policies must be treated as living documents rather than static orders. Given the rapid pace of technological change, a policy written today may be obsolete within months. Organisations must establish a formal review cycle to update protocols in response to new model capabilities, emerging security threats, regulatory shifts, and lessons learned from incidents. To be effective, these policies must be accessible and written in plain, jargon-free language and accompanied by practical guidance. When policies are clear, current, aligned, and established prior to deployment, they cease to be bureaucratic hurdles and become essential tools that enable responsible innovation while protecting the organisation, its staff and its stakeholders.


Proactive AI stewardship

Integrating AI governance into strategic planning isn't an afterthought; it's a fundamental pillar of sustainable growth. This discussion guide provides a structured approach for your leadership to embed regulatory and ethical considerations directly into your AI strategy.

Vision & Values Alignment

  • How does our AI strategy align with our values and ethical principles?
  • Are there any potential conflicts between our AI ambitions and our commitment to responsible business practices?

Risk Landscape & Mitigation

  • What are the top AI-specific risks (regulatory, ethical, reputational, operational, workforce) associated with our strategic AI initiatives?
  • What proactive measures are we taking to mitigate these risks, and are they adequately resourced?

Regulatory Horizon Scanning

  • Which emerging AI regulations (e.g., sector-specific, international, etc.) are most likely to impact our strategic roadmap in the next 1-3 years?
  • How are we continuously monitoring and adapting to this evolving landscape?

Stakeholder Engagement & Trust

  • How will our AI initiatives impact our employees, volunteers, participants/athletes, partners, and the broader community?
  • What mechanisms are in place to ensure transparency, foster trust, and address stakeholder concerns?

Accountability & Governance Structures

  • Are our current governance structures (e.g., board committees, AI ethics committees, risk functions) adequately equipped to oversee our AI strategy?
  • Are roles and responsibilities for AI governance clearly defined and understood across the organisation?

Resource Allocation & Investment

  • Are we allocating sufficient resources (financial, human, technological) to responsible AI development, deployment, and governance?
  • How do we measure the ROI of our AI governance efforts?
  • What does success (of our AI programme) look like to us?

Innovation vs. Responsibility

  • How do we balance the imperative for AI innovation with our commitment to ethical and compliant AI?
  • Are there 'red lines' or prohibited AI uses that we must establish as an organisation?

 
