Heuristic

Calibrate AI governance ceremony to organisational scale

Adopt the substance of large-organisation AI governance expectations but strip back the ceremony — risk-appetite statements, dedicated AI committees, independent maturity reviews — that adds oversight overhead without adding oversight capacity.

Last updated 26 April 2026. First captured 26 April 2026.

ai-governance, organisational-readiness, strategic-framing

Most published AI governance guidance is written for large organisations with the staff, committee structure and oversight infrastructure to absorb significant ceremony. The expectations themselves are usually sound — written governance framework, mapped legal exposure, documented deployments, assigned accountability, articulated risk appetite, tiered approval processes, stakeholder communication, regular review, escalation channels, supplier risk management. The implementation ceremony is the part that does not transfer cleanly to a mid-sized organisation: standalone risk appetite statements, dedicated AI committees, bespoke incident channels, independent external maturity reviews, separate AI policy bodies sitting alongside existing governance.

The heuristic is to take the substance and calibrate the ceremony. Each expectation can be honestly met without the corresponding large-organisation instrument. A risk-appetite statement can be a one-page appendix to the AI policy rather than a standalone board-endorsed document. AI deployments can be documented in an extended approved-tools register rather than a separate inventory system. AI incidents can fold into the existing IT incident process rather than a dedicated channel. Higher-risk use cases can be reviewed annually; lower-risk on trigger only. Accountability can be a one-paragraph statement in the policy rather than a new committee charter. The substance bar is met; the ceremony bar is not. See "Start AI governance imperfect; iterate rather than wait" for the iterative posture this depends on.

Two reasons this matters. First, ceremony scaled beyond the organisation’s actual capacity is governance theatre — it generates artefacts that look like oversight without delivering it, and the artefacts then decay because no one has the capacity to maintain them. Second, the perceived requirement to operate large-organisation ceremony is a common deferral excuse — the standard sounds unreachable, so nothing happens, and the technology arrives ahead of any policy at all.

Calibrating works only if the divergences are explicit. A self-assessment that quietly omits the corporate-scale instruments looks like an oversight; one that names them with reasoning (see "Name what you’re deliberately not doing") is defensible. The principle is to honour the substance through the smallest credible instrument the organisation can actually run.