Pillar I: AI Organization · § 06
Roles and responsibilities (RACI)
Hub-and-Spoke works only when every activity has unambiguous R/A/C/I assignments. A missing A means nothing ships. An overloaded R means nothing ships on time. This section publishes the master RACI for the ten AI activities that matter most, and the role definitions behind it.
Context
Most governance failures we have seen in industry trace back to one root cause: nobody names the single Accountable person for a given decision. We resolve the ambiguity up front. Every activity below has exactly one A. If two people think they own the decision, neither does.
Convention. R = Responsible (does the work). A = Accountable (owns the outcome). C = Consulted (input before decision). I = Informed (notified after decision).
RACI master
| Activity | AI Board | CoE | Steward (Squad) | Squad Eng | DPO / Legal | DevSecOps |
|---|---|---|---|---|---|---|
| Approve high-impact AI initiative | A | C | I | I | C | I |
| Classify use-case risk (6-step) | I | A | R | R | C | C |
| Approve prompt / production model | I | A | R | C | I | I |
| Ship AI feature | I | C | A | R | I | C |
| Resolve SEV3-4 incident | I | C | A | R | I | C |
| Resolve SEV1-2 incident | A | R | C | C | C | R |
| DPIA / personal-data handling | I | C | C | I | A | I |
| Vendor risk assessment | I | C | I | I | A | C |
| Internal red-team / pentest | I | C | I | C | I | A |
| Amend BAGF (minor / major) | A | R | C | I | C | I |
Role definitions
- AI Governance Board. Owns risk appetite and the response to severe incidents. Does not intervene in day-to-day technical decisions.
- AI Center of Excellence (CoE). Owns the technical standards. Approves new production models. Runs the evaluation suite, prompt versioning, and the AI Gateway. The final technical authority for “is this allowed?”
- Data/AI Steward (per squad). The CoE’s presence inside each squad. Confirms every new AI feature passes the 6-step risk framework before release. First person paged when an AI incident hits the squad.
- Squad Engineering. Writes code, ships, runs the feature. Applies CoE standards. Does not change a standard unilaterally. Every change runs through the Steward.
- DPO / Legal. Owns DPIA, ROPA, vendor contracts, and the sub-processor list. Consulted on every initiative touching personal data.
- DevSecOps. Runs security controls, the internal red-team, and incident detection. Does not own AI models, but owns the security surface around them.