← Back to all articles

The Risk-Tiered Approach to AI Governance That Actually Ships

By Vance Sterling·9 min read·April 15, 2026

Last week I talked about why governance does not have to be a bottleneck. This week I am going to show you exactly how to implement it. I have rolled out risk-tiered governance at three financial institutions, and the pattern is the same every time: define the tiers clearly, assign the right review process to each, and build in automatic escalation triggers so nothing slips through.

Why One-Size Governance Fails: The Numbers

Before I walk you through the implementation, let me share data from an organization that tried the opposite approach. A Fortune 500 financial services company created a single AI governance board in 2023. Every AI project, regardless of scope or risk, went through the same review. The board met biweekly. Here is what happened in their first year:

They received 34 project submissions. The average time from submission to approval was 9.2 weeks. Eight projects were abandoned by their sponsors before receiving approval — the teams either found non-AI workarounds or the business need expired. Of the 26 that were approved, 11 were low-risk internal tools that posed no meaningful regulatory, reputational, or customer harm risk. Those 11 projects collectively spent 97 weeks in governance review. The cost of that review — committee time, documentation preparation, back-and-forth — was approximately $1.1M across all 11. None of those projects needed that level of scrutiny.

Meanwhile, three high-risk credit decisioning projects got the same 9-week average as the internal chatbots. If anything, those three needed more time, not the same time. One-size governance does not just slow down the easy projects. It under-serves the hard ones.

The Three Tiers: Definitions That Leave No Room for Interpretation

The biggest mistake in tier-based governance is vague tier definitions. If a project lead has to use judgment to decide their tier, some will be honest and some will optimize for speed. The tier needs to be deterministic. Here is how I define them.

Tier A — Assisted Operations. The AI assists internal employees with tasks they already do. No customer-facing output. No automated decisions. No regulated data beyond what the employee already accesses. Examples: meeting summarization, internal search, code assistance, document drafting for internal use, data visualization tools. Review process: one-page checklist, single reviewer, 48-hour turnaround.

Tier B — Augmented Decisions. The AI provides analysis, recommendations, or content that reaches customers or influences business decisions, but a human reviews and approves the output before it takes effect. Examples: customer service response drafts (reviewed by agent before sending), loan application pre-screening (officer makes final decision), marketing content generation (editor approves before publishing), risk flagging dashboards. Review process: data privacy assessment, bias review, explainability documentation, two to three reviewers, two to three week turnaround.

Tier C — Autonomous Decisions. The AI makes or executes decisions without human review in the loop. Or the AI processes data in ways that create new regulatory obligations. Or a failure would create liability exceeding $500K. Examples: automated credit scoring, real-time fraud blocking, algorithmic pricing, claims auto-adjudication, any system that could trigger fair lending or discrimination complaints. Review process: full committee review, model validation, regulatory mapping, external audit scope, monitoring and retraining plan, six to twelve week turnaround.

The key word in Tier B is 'reviewed before it takes effect.' The moment you remove the human from the loop, the project escalates to Tier C. This is the single most important boundary in the framework.

Building the Review Process for Each Tier

Tier A review is designed to be completed by one person in one sitting. The reviewer is not a committee. It is a designated individual — usually someone from the data or AI team who understands the technology. Their job is not to evaluate the business case. Their job is to confirm three things: the project is correctly classified as Tier A, the data sources are appropriate, and there are no obvious risks that the project lead missed.

I assign two Tier A reviewers per organization so there is always backup. Each reviewer commits to a 48-hour turnaround SLA. If they cannot review within 48 hours, it automatically routes to the backup. In practice, most Tier A reviews take 15 to 30 minutes.

Tier B review requires three inputs: the project lead fills out the extended checklist (30 to 45 minutes), a data privacy reviewer assesses data handling practices (one to two hours), and a fairness reviewer evaluates bias potential (one to three hours depending on complexity). These three reviews happen in parallel, not sequentially. That is critical. Sequential review is the number one cause of governance delays. Each reviewer has a one-week SLA. Total time from submission to approval: two to three weeks.

Tier C review is the only tier that requires a committee meeting. But even here, the committee does not start from scratch. The project team submits comprehensive documentation in advance. The committee's job is to review, challenge, and approve — not to do the analysis. Committee meetings are scheduled monthly with the option to call an ad hoc session for urgent projects. Pre-read materials are distributed one week before the meeting.

Template #8

AI Governance Checklist — All Three Tiers

Fill-in-the-blank governance checklist with Tier A (one page), Tier B (extended), and Tier C (full review) sections. Includes the 4-question risk classifier and review SLAs.

Get the Book on Kindle

Automatic Escalation Triggers

The smartest governance frameworks include escalation triggers that automatically bump a project up a tier when conditions change. This prevents the scenario where a Tier A project evolves into something that should have been Tier B, but nobody noticed because governance only happened at the start.

Trigger 1: Scope expansion to customer-facing output. If a Tier A internal tool gets a request to expose its output to customers, it escalates to Tier B review before that change ships. This happens more often than you would think. A document classification tool built for the back office gets noticed by someone in customer service who wants to use it for incoming correspondence. Suddenly an internal tool is influencing customer interactions.

Trigger 2: Removal of human review. If a Tier B system has a feature request to auto-execute instead of recommending, it escalates to Tier C. At one bank, a Tier B fraud flagging dashboard was working so well that the operations team asked to auto-block flagged transactions. That single change — removing the human reviewer — transformed the risk profile entirely.

Trigger 3: New data source addition. Adding a new data source to any AI system triggers a tier re-evaluation. The model might have been Tier A when it only used internal HR data. But if someone connects it to a customer database, the tier classification needs to be reassessed.

Build these triggers into your project management workflow, not into a separate governance tracker that nobody checks. At the organizations where this works best, the escalation triggers are checkboxes in the sprint planning template. Before every release, the tech lead confirms: no scope expansion to customers, no removal of human review, no new data sources. If any answer changes, governance gets re-engaged.

Implementation: The 30-Day Rollout

Week 1: Draft your tier definitions and classification questions. Customize the four-question classifier for your industry. In financial services, I add a fifth question about regulatory examination history. In healthcare, I add one about HIPAA applicability. Get sign-off from your Chief Risk Officer or equivalent.

Week 2: Classify your existing AI projects using the new tiers. You will likely find that 50 to 70 percent of them are Tier A or B. This retroactive classification builds the business case for the new process because you can quantify how much time would have been saved.

Week 3: Assign reviewers and set SLAs. Designate two Tier A reviewers, build your Tier B reviewer pool (privacy, fairness), and confirm your Tier C committee schedule. Publish the SLAs so project teams know what to expect.

Week 4: Launch with your next three projects. Do not try to retroactively re-review everything. Apply the new process to new submissions. Measure the time from submission to approval for each. After 90 days, compare to your historical average. That is your proof that tiered governance works.

Actionable Takeaway

Take your current AI project list and classify each project into Tier A, B, or C using the definitions above. If more than 30 percent of your projects are Tier A and they are all going through the same review process as your Tier C projects, you have a governance efficiency problem. Draft the four-question risk classifier, assign two Tier A reviewers, and pilot the fast-track process on your next low-risk project. Measure days to approval before and after.

The AI Governance Checklist (Template #8) in the AI Business Case Kit includes all three tier checklists, the risk classification questions, reviewer assignment templates, and escalation trigger documentation — ready to customize for your organization.

Get the AI Business Case Kit →

Get the AI-First Leader on Kindle

8 fill-in-the-blank templates for scoring use cases, evaluating vendors, building budgets, and presenting to the board. From 20+ years in enterprise AI.

Not ready to buy?

Start free: 5 AI Questions Every Executive Must Answer Before Investing →

Free PDF guide. No spam.