Enterprise Governance & Risk

Building an AI Governance Program from Scratch

The first Claude pilot rarely needs a governance program. The fifth one does — and by then, retrofitting policy onto live systems is far harder than starting with a lightweight structure on day one.

Claude 3P 101 · Updated July 2026 · Unofficial guide

"AI governance" sounds like a committee that slows everything down. In practice, a good program is the opposite: it is the small set of documents, owners, and checkpoints that lets your organization say yes to new AI use cases quickly, because everyone knows who decides, what is allowed, and what evidence a launch needs. This article lays out a minimal structure that scales from one Claude integration to dozens. It is recommended practice, not a regulatory checklist — confirm the scope your industry actually requires with your provider and counsel.

The four building blocks

Most working programs, whatever they call themselves, contain the same four parts:

1. A policy. One document stating what employees and teams may and may not do with AI systems — scope, permitted uses, prohibited uses, and where to escalate. See the policy template article for the sections it needs.

2. Named owners. Governance fails when it is everyone's job. You need an accountable executive sponsor, a working-level program owner, and an owner per use case. A one-page charter records who these people are and what authority they hold; a steering committee gives them a forum.

3. A review process. An intake step for new use cases, a risk-tiering rubric so review depth matches actual exposure, and a pre-launch validation gate for anything user-facing.

4. A record. An inventory of every AI integration — owner, model, platform, risk tier, last review date. This is the artifact an auditor, regulator, or new CISO asks for first.

Anchor the program in real platform controls

Paper policy is only half a program; the other half is technical controls that make the policy true by default. If you use Claude through the Claude API or Claude Platform on AWS, several native features map directly to governance needs. Workspaces let you separate projects, environments, or teams while keeping centralized billing and administration — a natural unit for "one approved use case, one workspace," with API keys scoped to a single workspace. The Console defines five organization roles (user, claude_code_user, developer, billing, admin), so access can follow job function rather than being shared informally. And the Admin API lets you programmatically manage members, workspaces, and API keys, which means your inventory can be reconciled against what actually exists rather than what a spreadsheet says.

On the data side, know your defaults before you write policy about them: Anthropic states that for the Claude API it automatically deletes inputs and outputs on its backend within 30 days, and that retained data is never used for model training without your express permission. Stricter arrangements (zero data retention, HIPAA-ready configuration) exist but are contractual, not self-serve toggles. On Amazon Bedrock and Google Cloud, the cloud provider is the data processor, so your program inherits — and must verify — that provider's data-handling terms instead.

Rule of thumb: every policy sentence should be traceable either to a technical control that enforces it or to a named person who checks it. A rule with neither is decoration.

There is a standard for this — use it as a map, not a mandate

AI governance is no longer improvised. ISO/IEC 42001:2023 is an international standard for AI management systems — Anthropic describes it as the first international standard outlining requirements for AI governance, and announced its own accredited certification under it in January 2025. You do not need to certify to benefit: the standard's shape (policy, roles, risk assessment, lifecycle controls, continual improvement) is a useful checklist for whether your program has obvious gaps. If vendor assurance matters to you, Anthropic publishes its compliance documentation through its Trust Center; remember that Anthropic's certifications cover its commercial products such as the Claude API, and deployments through Bedrock, Vertex AI, or Foundry inherit the cloud provider's compliance posture instead — confirm specifics with your provider.

Start small, but start with all four blocks

A common failure mode is building one block to perfection — usually the policy — while use cases ship with no inventory and no review. A one-page policy, a three-person committee, a spreadsheet inventory, and a half-page intake form is a complete program for an organization with five use cases. Grow each block as the portfolio grows, using the maturity model to decide what to strengthen next.

Where to go next

Start with the program charter to name owners, then adapt the policy template with your legal team. The enterprise checklist on the homepage covers the platform-side controls.

Sources