The Three-Tier AI Governance Model That Doesn't Kill Speed
I watched a Fortune 500 bank lose 14 months because every AI use case, from a simple document summarizer to a credit decisioning model, went through the same governance board. Same intake form. Same review committee. Same six-week approval cycle. By the time the summarizer got approved, three teams had already built their own versions in shadow IT. That is what happens when governance treats all AI the same.
Why Single-Queue Governance Always Fails
Most companies stand up an AI governance board and route everything through it. The logic sounds right: centralized oversight, consistent standards, one body accountable for risk. In practice, it creates a single queue where a chatbot that answers HR questions sits behind a model that prices mortgage risk. Both wait. Both rot.
At one bank I worked with, the governance board met biweekly. They had 47 use cases in the queue by month three. Each review took 30 to 90 minutes. Do the math. Even at 30 minutes per review, you need nearly 24 hours of committee time just to clear the backlog. That does not include the new submissions arriving every sprint.
The real damage is not the delay itself. It is what the delay signals. When teams learn that governance takes six to eight weeks regardless of complexity, two things happen. First, the ambitious projects lose executive sponsorship because nobody wants to wait. Second, the simple projects go underground. I have seen organizations where 40% of AI usage was completely ungoverned because the governance process was so slow that teams just stopped submitting.
Single-queue governance is not governance. It is a bottleneck with a compliance label on it.
The Three-Tier Model: Match Scrutiny to Risk
The fix is not less governance. It is proportional governance. You tier your AI use cases by risk and match the approval process to what is actually at stake. I have implemented this at two different institutions, and the framework has three tiers.
Tier 1 is low risk. These are internal productivity tools. Summarizers, search assistants, code completion, meeting note generators. No customer-facing decisions. No regulated data. No financial impact beyond time savings. Tier 1 use cases get a self-service approval. The team fills out a short risk checklist (10 questions, takes 15 minutes), and if every answer falls in the green zone, they are approved automatically. A governance analyst spot-checks 20% of Tier 1 approvals monthly. At the bank where I built this, Tier 1 approval went from 42 days to 2 days.
Tier 2 is medium risk. These involve customer-facing content, employee-impacting decisions, or sensitive internal data. Think customer service copilots, recruitment screening tools, or internal knowledge bases that pull from confidential documents. Tier 2 gets a lightweight review: a 30-minute session with a two-person panel (one from legal or compliance, one technical). Turnaround target is 10 business days. The panel does not redesign the project. They validate that the team has addressed data handling, bias testing, and rollback plans.
Tier 3 is high risk. Credit decisions, fraud detection, pricing models, anything that directly affects a customer's financial outcome or triggers regulatory reporting. Tier 3 gets the full governance board: legal, compliance, risk, model validation, business sponsor. Full documentation package. Independent testing. Turnaround is 30 to 45 days, which is appropriate because these models can cost you eight figures in regulatory fines if they go wrong.
How to Build the Risk Tiering Criteria
The tiering only works if the criteria are clear enough that a product manager can self-classify without gaming the system. Ambiguous criteria create arguments. Arguments create escalations. Escalations recreate the single queue you were trying to eliminate.
I use five classification factors. Each gets a score of 1, 2, or 3. You add them up. Score of 5 to 8 is Tier 1. Score of 9 to 12 is Tier 2. Score of 13 to 15 is Tier 3. The five factors are: data sensitivity (public, internal, regulated), decision impact (informational, advisory, automated action), customer exposure (none, indirect, direct), regulatory scope (none, reportable, auditable), and reversibility (easily undone, partially reversible, irreversible or hard to detect).
Here is a concrete example. A team wants to deploy an AI assistant that helps relationship managers prepare for client meetings by summarizing recent account activity. Data sensitivity: 3 (regulated client data). Decision impact: 1 (informational only, no automated decisions). Customer exposure: 1 (internal tool, client never sees the output). Regulatory scope: 2 (data handling is reportable). Reversibility: 1 (you can shut it off and nothing changes). Total score: 8. That is Tier 1, just barely. It gets the self-service checklist with one addition: the data sensitivity flag triggers a mandatory data handling addendum, but it still does not need a committee.
Compare that to a model that auto-generates personalized loan offers. Data sensitivity: 3. Decision impact: 3. Customer exposure: 3. Regulatory scope: 3. Reversibility: 3. Score: 15. Full Tier 3 review. No shortcuts. The scoring makes the distinction obvious and defensible. When a regulator asks why one project got light review and another got full scrutiny, you can point to the rubric.
Operationalizing This Without a 12-Person Team
The most common objection I hear: 'We don't have the staff for three different review tracks.' You do not need three separate teams. You need one governance function with three different workflows.
At the mid-size bank where I first deployed this, the governance team was four people. One analyst handled all Tier 1 spot checks. Two senior reviewers rotated through Tier 2 panels (they each did two reviews per week, 30 minutes each). The full team plus borrowed experts from legal and model risk convened for Tier 3 reviews twice a month. Four people governed over 60 active AI use cases. The previous single-queue model had five people and was drowning in 20.
The key operational detail most people miss: you need a fast, simple intake form that does the tiering automatically. We built ours in a basic workflow tool. Product teams answered the five scoring questions, the form calculated the tier, and it routed to the right track. Total build time was three days. No vendor. No AI governance platform purchase. Just a form with logic.
One more thing. Build in a reclassification trigger. If a Tier 1 project changes scope, say it starts accessing regulated data or becomes customer-facing, the team is required to re-score. We made this part of the sprint review checklist. Every two weeks, the product owner confirms the risk tier is still accurate. In 18 months, we had 11 reclassifications. Three went from Tier 1 to Tier 2. One went from Tier 2 to Tier 3. Without the trigger, those would have been ungoverned changes in production.
What Regulators Actually Want to See
I have been in the room for OCC and Fed examinations where AI governance was on the agenda. Regulators are not looking for perfection. They are looking for three things: evidence that you know what AI is running in your organization, evidence that risk-appropriate controls exist, and evidence that you enforce those controls consistently.
The three-tier model gives you all three. Your intake system creates the inventory (they will ask for this, and I have written about it before). Your tiering rubric demonstrates proportional controls. And your spot-check logs and review records prove enforcement. One examiner told me directly: 'We don't care how many committees you have. We care that you can explain why this model got the level of review it got.' The scoring rubric answers that question in 30 seconds.
For non-banking companies, the same principle applies even if a regulator is not in the picture today. The EU AI Act uses a risk-tiering approach. So does the NIST AI Risk Management Framework. If you build proportional governance now, you are already aligned with where regulation is heading. If you wait, you will be retrofitting controls onto 100 live models under deadline pressure. I have seen that movie. It ends with a nine-month freeze on all new AI projects while the compliance team catches up.
Free Resource
Want the Complete AI Leadership Playbook?
50+ pages of frameworks, scorecards, and implementation plans from 20+ years of enterprise AI adoption.
Get the Book on KindleActionable Takeaway
This week, pick five AI use cases currently in your governance pipeline. Score each one on the five factors (data sensitivity, decision impact, customer exposure, regulatory scope, reversibility) on a 1-to-3 scale. If any score 8 or below, ask yourself honestly why they are waiting for a full committee review. That gap between the score and the process is exactly where your governance is creating drag without reducing risk.
This article covers a core framework from The Executive's AI Playbook. The complete playbook includes printable scorecards, additional real-world examples, and full implementation checklists.
Get the complete framework →