How this layer operates
Governance is the continuous discipline of producing, maintaining, and defending the evidence that the function's AI use is intentional, controlled, and accountable. It runs alongside Execution and Measurement at all times — not as an audit cycle that happens before deployments or after incidents, but as the operational layer that makes both deployments and incident response defensible at the moment they occur.
Governance is distinct from Strategy because Governance does not decide what the function aspires to; it defines what the function commits to maintaining no matter what aspiration is in play. Governance is distinct from Optimization because Optimization is forward-looking change management; Governance is the standing posture that survives both successful and failed optimization cycles. The continuous cadence is operational, not metaphoric: the policy, the controls, the Risk Register, and the audit posture must be current on any business day.
Governance artefacts include the AI Use Policy (GOV-02), the Risk Register (GOV-03), the Defensibility Posture Statement (DPS), the Delegation-Authority Register (GOV-14, required from Agentic Tier 3 upward), the Evidence Register (GOV-13), and the governance committee charter and minutes. The committee operates at the cadence its outputs require — typically monthly for material reviews, ad hoc for incidents.
A function operating without Governance can deploy AI; it cannot defend the deployment when scrutinised. Regulators ask the Governance layer's questions: who decided this, against what policy, with what evidence, supervised how, accountable to whom. A function without Governance must reconstruct answers each time; a function with Governance produces answers from the standing record.
Modules in this layer (18)
- CLI-01 Foundational
Client Disclosure and Consent Guidelines
Client disclosure and informed consent framework for transparent AI use in legal engagements
- DAT-03 Foundational
Vendor Data Protection Agreement Checklist
Canonical checklist for reviewing and negotiating AI vendor data protection agreements.
- GOV-01 Foundational
Defensible AI Governance Framework
Establish the governance structure, policy suite, and risk register that make Legal AI defensible to boards and regulators.
- GOV-02 Foundational
AI Use Policy
Define what AI use is permitted, prohibited, and supervised across the legal department — the operational policy that makes AI governance real.
- GOV-03 Operational
AI Risk Register
Apply the Risk Taxonomy 2026 to identify, score, and mitigate AI risks across nine canonical classes — the register that makes your governance defensible.
- GOV-04 Foundational
Bias Testing & Monitoring Checklist
Pre-deployment bias test and continuous fairness monitoring checklist for legal AI systems
- GOV-05 Operational
AI Incident Response Playbook
Detect, classify, escalate, and resolve AI incidents across all nine Risk Taxonomy 2026 classes — the playbook that closes the governance loop.
- GOV-13 Advanced
Evidence Register template
Per AI system × per Risk Taxonomy 2026 class: the contemporaneous proof the function holds — the operational substrate of Defensibility.
- GOV-14 Advanced
Delegation-Authority Register template
Per Tier 3 and Tier 4 capability: the named record of what the system may decide, within what scope, with which human accountable.
- GOV-15 Operational
Governance Cadence template
Committee calendar mapped to AI Lifecycle stages — Concept intake through Sunset closure — with standing agenda, quorum, and gate evidence requirements.
- GOV-16 Advanced
Materiality Calibration template
Per Tier 3+ capability: which decisions require Full HITL, Exception-triggered HITL, or Audit-only — calibrated quarterly as performance and regulatory context evolve.
- STR-07 Foundational
AI Task Force Charter
Stand up the AI governance body that owns strategy, AI BoM oversight, and DPS production for the legal department.
- SUS-05 Operational
Annual AI Audit Template
The canonical annual governance audit instrument for deployed legal AI — validates compliance, bias, and performance across all active AI systems and produces the DPS annual evidence refresh.
- SUS-10 Operational
Capability Portfolio template
Every AI capability the function operates, classified by Lifecycle stage — the GC's situational awareness at a glance and the portfolio input for the Defensibility Posture Statement.
- VEN-01 Foundational
Weighted Vendor Evaluation Scorecard
Canonical scorecard for selecting and governing legal AI vendors.
- VEN-02 Foundational
Legal AI RFP Template
Structured RFP template for procuring legal AI solutions with defensible, risk-aware evaluation.
- VEN-03 Foundational
Proof-of-Concept Testing Framework for Legal AI Vendors
Structured four-phase POC methodology to validate legal AI vendor claims through real-world workflow simulation
- VEN-04 Foundational
Security & Compliance Checklist for Legal AI Vendors
Canonical security and compliance validation checklist for legal AI vendor evaluation and internal governance.