Intellectual
AI & Enterprise AI · 18 February 2025 · 7 min read

AI Governance Frameworks Codify — What's Settled in 2025

AI governance was an evolving set of internal practices a year ago. In 2025 the frameworks are codifying — internally and externally — and the patterns that work are clearer.

A year ago, AI governance was a set of evolving internal practices, with regulators starting to publish guidance. In 2025 the picture has consolidated. The EU AI Act has come into force in phases. Sector regulators in financial services and other regulated industries have published more specific guidance. Internal governance frameworks are codifying. The patterns are clearer.

This piece is a practitioner view of what AI governance looks like in early 2025 — what regulators expect, what internal frameworks include, and how enterprise teams are operationalising it.

What's externally settling

The regulatory landscape:

EU AI Act

The first major comprehensive AI regulation, applicable to systems deployed in or affecting the EU. Risk-tiered:

  • Unacceptable risk — banned
  • High risk — extensive requirements (risk management, data governance, transparency, human oversight, accuracy, robustness, cybersecurity)
  • Limited risk — transparency requirements
  • Minimal risk — light obligations

Most enterprise AI workloads fall in limited or minimal categories; some — especially in employment, education, financial services, law enforcement — fall in high-risk and require substantial conformance work.

The Act's phased entry means different obligations apply at different dates. The compliance work is ongoing.

Sectoral guidance

Financial regulators (Federal Reserve, OCC, FCA, MAS, ECB and others) have published guidance on AI/ML use in banking. Healthcare regulators are publishing on AI in clinical settings. Government bodies have AI procurement and use frameworks.

The guidance broadly aligns on themes: appropriate risk management, accountability, transparency, fairness, security. The specifics vary by sector.

NIST AI Risk Management Framework

A non-binding framework that has become a de facto reference. Maps risks across the AI lifecycle to controls. Used by many enterprises as a starting point for internal frameworks.

Country-specific frameworks

Singapore's Model AI Governance Framework, the UAE's AI guidance, the UK's pro-innovation approach, Canada's directive on automated decision-making — each is country-specific but they share common ground.

What's internally codifying

The pattern of internal frameworks emerging:

AI inventory

A registry of all AI systems in the enterprise. Each entry has:

  • Description
  • Risk classification
  • Owner
  • Data classification
  • Model dependencies
  • Governance controls applied
  • Last review date

Without inventory, governance is impossible. The inventory is the foundation.

Risk classification framework

A method for classifying AI systems by risk. Common dimensions:

  • Materiality of decisions or actions
  • Reversibility of consequences
  • Data sensitivity
  • Affected populations
  • Regulatory applicability

Each system is classified; the classification determines the controls required.

Lifecycle controls

Controls applied across the system's lifecycle:

  • Pre-development risk assessment
  • Development standards (testing, evaluation, security)
  • Pre-deployment review
  • Post-deployment monitoring
  • Periodic reassessment
  • Decommissioning

Each phase has documented requirements; each requirement has evidence captured.

Model governance

Specific to the model layer:

  • Model approval registry (which models can be used)
  • Version control (specific versions, not "latest")
  • Change management for upgrades
  • Performance monitoring
  • Bias and fairness assessment

Data governance

How data interacts with AI:

  • What data can be used for training, inference, retrieval
  • Where data is processed
  • Consent and lawful basis
  • Retention and deletion

Human oversight

Where human review applies:

  • Consequential decisions
  • Bias-sensitive outputs
  • Customer-facing communications
  • Compliance-sensitive cases

Audit and evidence

What is logged, retained, accessible:

  • AI invocations
  • Decisions and outputs
  • Human reviews
  • Configuration changes
  • Performance metrics

Incident management

What happens when something goes wrong:

  • Definition of AI incidents
  • Reporting and escalation
  • Investigation procedures
  • Remediation tracking
  • Disclosure where applicable

How enterprises operationalise this

The patterns we see for making governance work:

Governance committee with operating teeth

A cross-functional committee — engineering, risk, compliance, legal, business — that meets periodically. The committee makes decisions, not just recommendations. Decisions are tracked and followed up.

Governance encoded in platforms

Rather than relying on reviews, the AI platform encodes the requirements. Workloads can't deploy without satisfying them. The platform is the enforcement layer.
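The inventory fields, the risk-classification dimensions, the model approval registry and the platform-as-enforcement-layer idea above can be expressed as one policy-as-code deployment gate. The following is an added illustration, not code from the original article or from Intellectual; the 0 to 3 scoring scale, the tier thresholds, the per-tier control sets, the review-age limits and the registry contents are all assumptions chosen for the example. The point it makes is that the platform derives as much evidence as it can itself (owner present, versions pinned and approved, review date fresh) rather than trusting a checklist the workload team filled in.

```python
"""Policy-as-code deployment gate over an AI inventory entry (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Risk dimensions, each scored 0 (negligible) to 3 (severe). Scale is assumed.
DIMENSIONS = ("materiality", "reversibility", "data_sensitivity",
              "affected_populations", "regulatory_applicability")

# Controls a workload must evidence before it may deploy, by tier (assumed sets).
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "minimal": {"inventory_entry", "owner_assigned"},
    "limited": {"inventory_entry", "owner_assigned", "transparency_notice",
                "pinned_model_version"},
    "high": {"inventory_entry", "owner_assigned", "transparency_notice",
             "pinned_model_version", "pre_deployment_review", "human_oversight",
             "bias_assessment", "audit_logging", "post_deployment_monitoring"},
}

# Maximum age of the last governance review before deployment is blocked (assumed).
MAX_REVIEW_AGE_DAYS = {"minimal": 365, "limited": 365, "high": 90}

# Model approval registry: approved model -> approved pinned versions (constructed).
APPROVED_MODELS: Dict[str, Set[str]] = {
    "vendor-llm": {"2024-11", "2025-01"},
    "internal-credit-scorer": {"3.2.0", "3.3.0"},
}


@dataclass
class InventoryEntry:
    """One row of the AI inventory, mirroring the fields listed in the article."""
    name: str
    description: str
    owner: str
    data_classification: str
    risk_scores: Dict[str, int]            # dimension -> 0..3
    model_dependencies: Dict[str, str]     # model name -> version string
    controls_applied: Set[str] = field(default_factory=set)  # claimed by the team
    last_review_date: Optional[date] = None


def classify(scores: Dict[str, int]) -> str:
    """Map dimension scores to a tier (assumed rule): any 3 or a total of 8+
    is high; any 2 or a total of 4+ is limited; otherwise minimal."""
    values = [scores.get(d, 0) for d in DIMENSIONS]
    if max(values) >= 3 or sum(values) >= 8:
        return "high"
    if max(values) >= 2 or sum(values) >= 4:
        return "limited"
    return "minimal"


def gate(entry: InventoryEntry, today: date) -> List[str]:
    """Return the findings that block deployment; an empty list means deploy."""
    tier = classify(entry.risk_scores)
    findings: List[str] = []

    # Evidence the platform can establish itself, independent of what was claimed.
    evidenced = set(entry.controls_applied) | {"inventory_entry"}
    if entry.owner:
        evidenced.add("owner_assigned")
    all_pinned = bool(entry.model_dependencies)
    for model, version in entry.model_dependencies.items():
        if model not in APPROVED_MODELS:
            findings.append(f"model not in approval registry: {model}")
            all_pinned = False
        elif version == "latest" or version not in APPROVED_MODELS[model]:
            findings.append(f"unapproved or floating version for {model}: {version}")
            all_pinned = False
    if all_pinned:
        evidenced.add("pinned_model_version")

    for control in sorted(REQUIRED_CONTROLS[tier] - evidenced):
        findings.append(f"missing control for {tier} tier: {control}")

    if entry.last_review_date is None:
        findings.append("no governance review recorded")
    elif (today - entry.last_review_date).days > MAX_REVIEW_AGE_DAYS[tier]:
        findings.append(f"review older than {MAX_REVIEW_AGE_DAYS[tier]} days for {tier} tier")
    return findings


def sample_entry() -> InventoryEntry:
    """Constructed high-risk workload with several gaps."""
    return InventoryEntry(
        name="loan-decision-assistant",
        description="Drafts credit decisions for underwriter review",
        owner="retail-lending-platform",
        data_classification="confidential-pii",
        risk_scores={"materiality": 3, "reversibility": 2, "data_sensitivity": 3,
                     "affected_populations": 2, "regulatory_applicability": 3},
        model_dependencies={"internal-credit-scorer": "latest"},
        controls_applied={"transparency_notice", "pre_deployment_review",
                          "bias_assessment", "audit_logging"},
        last_review_date=date(2024, 10, 1),
    )


def remediated_entry() -> InventoryEntry:
    """The same workload after the gaps are closed."""
    entry = sample_entry()
    entry.model_dependencies = {"internal-credit-scorer": "3.3.0"}
    entry.controls_applied |= {"human_oversight", "post_deployment_monitoring"}
    entry.last_review_date = date(2025, 2, 1)
    return entry


if __name__ == "__main__":
    for e in (sample_entry(), remediated_entry()):
        result = gate(e, date(2025, 2, 18))
        print(e.name, classify(e.risk_scores), "DEPLOY" if not result else "BLOCKED")
        for line in result:
            print("  -", line)
```

Run as written, the first entry is classified high and blocked with five findings (a floating model version, three missing controls, and a stale review); the remediated entry passes. The same shape of check sits naturally in a CI pipeline or an admission controller, which is what "workloads can't deploy without satisfying them" amounts to in practice.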

Specialised governance roles

A growing number of enterprises have AI governance leads or AI risk officers. The role coordinates across stakeholders and owns the framework.

Documentation as primary artifact

Every AI system has documentation — what it does, what data it uses, what controls apply, what the risk assessment concluded. The documentation is the evidence for audits and reviews.

Periodic review cadence

Every AI system is reviewed periodically — annually or more often for higher-risk systems. The review confirms the system still operates as intended within its risk envelope.

Vendor governance

For AI capabilities provided by vendors, governance includes vendor management — contract terms, data handling, model provenance, exit options. Vendor governance is part of the enterprise governance.

What's not yet settled

A few areas where the patterns are still emerging:

Generative AI in regulated industries

Specific regulator expectations for generative AI use in regulated contexts (financial advice, medical communication, legal drafting) are still evolving. Conservative postures dominate; the appetite varies.

Agentic AI

The governance framework for autonomous agents taking actions is less mature than for predictive AI. The patterns will keep developing as agent deployments mature.

Open-source model governance

How to govern the use of open-source models — provenance, modifications, downstream re-use — is less codified than commercial model governance.

Cross-border AI

When the AI runs in one jurisdiction, processes data from another, serves users in a third — the governance is complex and not yet standardised.

AI use in AI development

The use of models to develop other models (synthetic data, model distillation, reinforcement from feedback) is an emerging area. The governance is immature.

What we keep seeing

Patterns in enterprise AI governance in early 2025:

The frameworks are real and operational. They influence how systems are built, not just how they're described.

Platform enforcement is more reliable than manual review. Enterprises that encode governance in platforms operate more reliably.

Documentation discipline pays off. Enterprises with thorough documentation handle audits and regulator interactions more cleanly.

Specialist roles are emerging. AI risk officers, AI governance leads — the roles are coalescing.

Cross-functional committees matter. Engineering can't decide governance alone; legal can't decide engineering alone. The committees that work include all the relevant functions.

The EU AI Act is being taken seriously. Even for systems primarily deployed outside Europe, the Act's structure is influencing internal frameworks.

What we recommend

For enterprise teams operating AI in 2025:

  1. Maintain an AI inventory. Without it, governance is impossible.
  2. Classify systems by risk. Apply controls proportionally.
  3. Encode governance in your platform. Manual reviews don't scale.
  4. Document each system properly. The documentation is the audit evidence.
  5. Establish a cross-functional governance committee. Decisions need engineering, risk, compliance, legal involvement.
  6. Map your frameworks to external requirements. EU AI Act, sector regulations, NIST RMF.
  7. Track the evolving areas. Agentic AI, generative AI in regulated contexts, cross-border — these will continue to develop.

AI governance in 2025 has codified enough that the framework is no longer the question. The execution is. The enterprises with strong execution — inventory, classification, platform enforcement, documentation — operate confidently. The enterprises that have frameworks but not execution discover the gaps under regulator pressure or after incidents. The framework matters; the execution determines whether it actually governs.
