Back to writing

December 3, 2025 · 3 min read

Governance That Accelerates Delivery

Governance should reduce uncertainty and increase deployment speed, not block progress. Here's how to make that real.

AI Governance
Strategy

The governance question is not whether controls exist. The question is whether controls are executable inside delivery workflows.

I've worked on governance frameworks in enough regulated environments — UK government, financial services, defence — to know the pattern. Leadership commissions a governance framework. A consulting team writes it. It's a good document: thorough, well-structured, defensible. And within six months it's sitting on a SharePoint gathering dust, because nobody translated it into something an engineering team can implement.

Just as agile transformed how we think about documentation in software development — treating docs as lean, evolving, living artefacts rather than comprehensive upfront specifications — the same shift needs to happen in governance. What matters is not the weight of the document. What matters is the effectiveness of the strategy-execution bridge, where each side drives the other.

What practical governance looks like

The organisations I've seen do this well share four characteristics:

Small set of required artefacts

Not a 40-page governance pack. Three to five artefacts that force the team to answer the right questions: What decisions does this system make autonomously? What data does it access? What happens when it fails? What's the monitoring plan?

Risk tiers tied to technical controls

"High risk" shouldn't mean "more meetings." It should mean: mandatory human-in-the-loop, real-time monitoring with alerting, automated rollback capability, and quarterly assurance reviews. Each tier maps to specific technical measures.

Time-boxed, evidence-based approvals

A governance review that takes six weeks is one that delivery teams will route around. Set a service level: five working days for standard risk, ten for elevated. Base reviews on evidence, not presentation quality.

Post-deployment monitoring as governance

In agentic systems, the behaviour you need to govern is emergent — it happens in production, not in a design document. Monitoring, anomaly detection, and drift measurement are governance activities. If your framework ends at the deployment gate, it's incomplete.

The result

That's the shift: from governance as a checkpoint to governance as an operating system.