Workshop: Governance charter
Draft Meridian's AI governance charter: the principles, the operating structure, roles and accountability, and the decision rights that make governance real.
A governance charter is the founding document that turns scattered good intentions into an accountable program — it says what the organization stands for, who is responsible, and how AI decisions get made. You'll draft Meridian's. This is the artifact that, more than any other, determines whether governance actually happens or just decorates a shared drive.
Step 1 — Principles
- 1Write 5–7 AI principles Meridian commits to (fairness, transparency, human oversight, privacy, accountability, safety, and value). Keep them specific enough to decide with — 'we do not deploy AI that makes consequential decisions about people without human oversight' beats 'we use AI responsibly'.
- 2Each principle should imply a control you can later verify. Principles that can't be checked are marketing.
- 3Add a short, board-approvable risk-appetite statement tied to your internal tiers — 'we accept low and moderate AI risk in pursuit of efficiency; we accept elevated risk only with the full control set operating; we do not accept critical risk to individuals' rights or safety' — so the committee has something concrete to decide against. Without an appetite statement, every go/no-go is improvised.
Step 2 — Operating structure & roles
- 1Define the bodies: an AI governance committee (cross-functional: legal, security, data, product, a business owner, ideally an ethics voice) that reviews high-risk systems and sets policy. Who chairs it, how often it meets, what it decides.
- 2Define the roles and accountability (a RACI in miniature): who owns each system's risk, who reviews before deployment, who can approve a high-risk go-live, who is accountable to the board. The key move: every AI system has a named accountable human — governance fails the moment responsibility is diffuse.
- 3Locate the function: does AI governance sit under legal, security, a Chief AI Officer, a data office? There's no single right answer, but ambiguity here is fatal.
Step 3 — Decision rights & the intake gate
- 1Define the intake gate: no AI system reaches production without an inventory entry, an impact assessment, and — by tier — the required review. Low-risk: self-attest. Moderate/elevated: committee-lite review. Critical (and anything legally high-risk): full committee sign-off plus the legal obligations.
- 2Define escalation: when does a decision go up? (A prohibited use case, a high-risk go/no-go, a serious incident.) And who can say no — a governance program with no authority to stop a launch is theater.
Step 4 — The charter document
Assemble GOVERNANCE-CHARTER.md: principles, the risk-appetite statement, structure, roles/accountability, decision rights, and the intake gate, tied to your risk map (which systems get which review). Two to four pages — a charter nobody reads is as useless as no charter. This is the centerpiece of your capstone program, and the document you could adapt for a real organization with a day's work.
In the workbook: three real-ish governance-failure vignettes (a shadow HR tool that auto-rejected candidates, a chatbot that promised refunds it couldn't honor, a data-deletion request that missed the model's embeddings). For each, name the charter provision — principle, role, decision right, or intake gate — that would have prevented it.