Definition
AI Governance
The policies, controls, and accountability structures an organization puts in place to deploy AI safely and lawfully, increasingly a condition of favorable insurance underwriting.
AI governance is the set of policies, processes, controls, and accountability structures an organization establishes to ensure the artificial intelligence it builds or deploys is used safely, lawfully, and in line with its risk tolerance. A governance program typically defines who owns AI risk, how models are inventoried and approved before deployment, how outputs are tested for accuracy and unfair bias, how third-party and foundation models are validated, and how incidents are logged and escalated. It is the operational discipline that sits beneath every specific AI exposure a deployer carries.
Several frameworks shape what a credible program looks like. The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023 with a Generative AI Profile added in July 2024, is the leading voluntary U.S. standard and organizes governance around four functions: govern, map, measure, and manage. ISO/IEC 42001, published in December 2023, is the first certifiable AI management system standard. On the regulatory side, the EU AI Act, which entered into force in August 2024 and phases in through 2026 and 2027, imposes binding governance and documentation duties on high-risk systems, and Colorado's AI Act, the first comprehensive U.S. state AI law, takes effect in 2026.
For insurers, AI governance is becoming an underwriting variable the way multi-factor authentication became one in cyber. Carriers writing cyber, tech E&O, and generative AI liability increasingly ask deployers to disclose their model inventory, testing protocols, human-in-the-loop checkpoints, and vendor controls at application and renewal, and a documented program can mean broader terms, higher limits, or simply the difference between an offer and a declination. The insurance industry's own mirror is the NAIC Model AI Bulletin, which requires licensed insurers to maintain a written AI Systems Program; deployer governance is the buyer-side equivalent of those same elements.
Governance also matters after a loss. A mature, documented program is evidence of reasonable care if an AI claim reaches litigation, and its absence is a fact a plaintiff will use. Because the output-driven exposures elsewhere in this glossary (hallucination, algorithmic bias, agentic action, prompt injection) all turn in part on whether the deployer took reasonable steps to prevent the harm, the governance program is both the first line of defense against the claim arising and a material part of the defense once it does. Affirmative generative AI liability coverage sits on top of governance, answering the residual exposure that controls cannot eliminate.
Also known as
Artificial Intelligence Governance, AI Risk Governance, Responsible AI Governance
Frequently asked
What frameworks define AI governance?
The leading references are the NIST AI Risk Management Framework (AI RMF 1.0, January 2023, with a July 2024 Generative AI Profile), which organizes governance around the functions govern, map, measure, and manage, and ISO/IEC 42001 (December 2023), the first certifiable AI management system standard. On the regulatory side, the EU AI Act imposes binding governance duties on high-risk systems, and the NAIC Model AI Bulletin sets parallel expectations for licensed insurers. Most mature programs map their controls to one or more of these.
How does AI governance affect insurance underwriting?
Carriers increasingly treat AI governance the way cyber underwriters treat multi-factor authentication: as a baseline control set that shapes the offer. Deployers applying for cyber, tech E&O, or generative AI liability coverage are asked to disclose their model inventory, testing and bias controls, human-in-the-loop checkpoints, and vendor oversight. A documented program can earn broader terms or higher limits, while its absence can drive sub-limits or a declination. Governance maturity is fast becoming a pricing and eligibility factor, not just a compliance exercise.
Is AI governance the same as the NAIC AI bulletin?
No, but they are closely related. The NAIC Model AI Bulletin is the insurance industry's specific governance framework, requiring licensed insurers to maintain a written AI Systems Program. AI governance is the broader discipline that any organization deploying AI puts in place, whether or not it is an insurer. For a company buying AI coverage, the bulletin's elements (governance ownership, testing, vendor controls, documentation) are a useful checklist because underwriters increasingly ask deployers the same questions the bulletin asks insurers.
General information, not legal or insurance advice.