DE-4: Demonstrable Governance Posture — Practical Summary
What it is
DE-4 shows that AI governance is a living, repeatable practice — not just a static policy. An external reviewer should be able to reconstruct, from artefacts alone:
- who decided what,
- when they decided it,
- what evidence they relied on, and
- what actions followed.
It is the operational proof that the organisation actually runs its AI governance methodology.
Core Artefacts
- AI Governance Charter (GOV-01)
- Constitutes the AI Council and key roles.
- Defines decision rights, risk appetite, and escalation paths.
- Sets the formal cadence (e.g., monthly council, quarterly portfolio review, annual refresh).
- AI Council Decision Log (GOV-13)
- Time-ordered record of every governance decision.
- Captures: question presented, options, evidence considered, decision taken, rationale, and links to relevant artefacts (Risk Register entries, Use Cases, Modules).
- Must be auditable and complete enough that a third party can replay the decision.
- Quarterly Cadence Retrospective (GOV-15)
- Minutes of the periodic governance review.
- Covers: portfolio status, incidents and near-misses, ROAI, regulatory and policy changes, and the forward agenda.
- Demonstrates that governance is portfolio-wide, not only case-by-case.
- Annual Governance Effectiveness Review (GOV-16)
- Formal self-assessment of whether governance remains fit-for-purpose.
- Tests whether doctrine, methodology, and operations still match the organisation’s risk profile and regulatory context.
- Feeds into STR-07 Annual Charter Refresh, closing the loop.
Why DE-4 Matters
- Regulatory and counterparty assurance: Shows supervisors, major customers, and insurers that AI risk is governed through an active, traceable process rather than a shelf policy.
- Internal clarity and escalation: Makes it clear which decisions are settled, which are pending, and where to escalate. Reduces shadow AI and inconsistent guardrails.
- Defensibility after failure: When something goes wrong, DE-4 lets you answer, from records alone: What process applied? What did it decide? On what basis? This is central to post-incident scrutiny.
Relationship to Other Defensibility Elements
- DE-1 (Doctrinal Coherence): Defines what you believe about AI risk and value.
- DE-2 (Methodology Transparency): Defines how you say you will work — the frameworks and processes.
- DE-4 (Demonstrable Governance Posture): Proves you actually operate that doctrine and methodology, decision by decision, on the record.
- DE-3 (Operational Evidence): The artefacts generated as governance is applied to specific systems and workflows.
- DE-5 (Learning and Adaptation): How experience and incidents feed back into doctrine and methodology.
A programme can have coherent doctrine (DE-1) and a documented methodology (DE-2) yet still fail DE-4 if there is no consistent, auditable record of governance decisions and cadences. This is a common failure mode in supervisory reviews.
image pending
Diagram showing DE-4 as the bridge between methodology (DE-2) and operational evidence (DE-3) with feedback into doctrine (DE-1) and learning (DE-5).
To satisfy DE-4, you must be able to reconstruct any material AI-related decision from artefacts alone: who decided, on what evidence, under which mandate, and what happened next.