black and white metal frame

AI Governance

AI governance is the set of policies, oversight structures, and decision-making processes an organisation puts in place to use AI systems lawfully, safely, and with proper accountability. IOLIS provides practical AI governance advice to commercial organisations and regulated bodies using generative AI, third-party AI platforms, and more structured deployments involving automation and agentic tools.

What does AI governance involve?

AI governance covers the policies and oversight an organisation needs before, during, and after it deploys an AI tool. In practice, this usually means answering a small set of recurring questions: what is the tool being used for, what data does it touch, who is accountable for its output, and what happens when it gets something wrong. The ICO’s guidance on AI and data protection makes clear that existing UK GDPR obligations apply in full to AI systems, so governance is about building the structures that make those obligations workable in practice.

Our support typically includes:

  • AI acceptable use policies for staff and consultants, covering which tools may be used, for what purposes, and with what data
  • AI risk and impact assessments for individual tools or deployments, before and after go-live
  • AI governance frameworks setting out roles, responsibilities, and escalation routes
  • AI system registers recording what tools are in use, by whom, and for what purpose
  • Deployment sign-off processes so new tools are checked before they go into regular use
  • Incident response arrangements for when an AI system produces a harmful, biased, or incorrect output
  • Vendor and procurement review, checking what a third-party AI product actually does with your data before you commit to it
  • Board briefing material, translating technical AI risk into terms a board or senior team can act on
  • Assurance reviews of AI governance arrangements you already have in place

Why organisations need AI governance now

AI already appears across everyday organisational practice – in drafting, research, customer communication, internal administration, decision support, and outsourced software tools. For most organisations, the question is no longer whether AI will be used, but how to use it safely and with proper oversight.

The risk is rarely dramatic failure. More often it is quieter than that – a tool sounds authoritative, appears to cite sources, or produces plausible work product, and comes to be relied upon before anyone has properly checked or governed it. The point is no longer only regulatory: the UK Jurisdiction Taskforce’s Legal Statement on Liability for AI Harms (July 2026) confirms that English law already holds organisations and professionals liable for the negligent use of AI. Good governance helps organisations ask the right questions before that reliance becomes routine.

Who this is for

This support is relevant for commercial organisations, regulated bodies, and public interest organisations that want to make sensible use of AI without losing sight of accountability or legal obligations. It is equally useful for organisations just starting to formalise their AI use, and for those with informal practice already in place that now needs proper structure.

Our style of support

We do not treat AI as a fashionable add-on. We treat it as part of governance. That means looking at how tools are actually being used, who is responsible for them, what risks they create, what safeguards are in place, and what boards or senior teams need in order to exercise proper oversight.

Our advice is independent and not tied to any software vendor. We do not assume every organisation needs the same level of process – some need a light-touch framework and clear staff boundaries, others need more formal structures, registers, assessments, and reporting.

Talk to us

If your organisation is beginning to use AI tools, reviewing its current position, or looking for a proportionate governance framework, we would be happy to discuss what support would be most useful. Find the best way to contact us here.

We also provide separate Data Protection advisory services, including DPO support and DPIAs.