Active Work

AI Policy & Governance Framework

Markdown / Confluence · Python (risk scoring) · YAML (policy-as-code)

About this project

Enterprise AI governance framework covering AI risk classification, vendor evaluation criteria, acceptable use policy, human oversight requirements, and AI ethics alignment for Australian regulatory context.

Background

By mid-2024, Accent Group had AI tools running in production, AI tools being trialled by business units, and AI tools being requested by every part of the organisation — all without a coherent framework for evaluating risk or governing use. The governance framework was built in response to that reality: not to slow adoption, but to make it sustainable and defensible.

The risk classification matrix draws on the EU AI Act tiers and Australia's AI Ethics Principles, adapted for a retail enterprise context. The key question for each AI system is: what's the consequence of a failure, and who bears it? A content recommendation system failing silently is a revenue impact. An HR screening tool failing silently is a legal liability. The classification determines the oversight requirements — automated, periodic human review, or full human decision authority.

The vendor due diligence checklist was the most practically requested output. Business units were signing up to AI SaaS products before procurement or security had reviewed them, often because the product felt low-stakes. The checklist creates a consistent standard: data residency, model training on customer data, audit logging, human escalation paths, and data deletion capability. The acceptable use policy covers generative AI specifically: what can and cannot be put into a prompt sent to an LLM through an external API. That last point matters because employees sharing confidential information with commercial LLMs is a real data protection risk.
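The two ideas above (an oversight tier derived from "what fails and who bears it", and a vendor checklist whose required items scale with that tier) can be expressed as a small policy-as-code check. The block below is an added illustration, not the framework's own scoring code; the ordinal scales, the score cut-offs and which checklist items are mandatory at each tier are assumptions chosen to reproduce the two cases in the text (content recommendation is automated; HR screening needs a human decision).

```python
"""Hypothetical risk tiering and vendor gate (added example, not the framework's code)."""
from dataclasses import dataclass
from enum import IntEnum


class Oversight(IntEnum):
    AUTOMATED = 1        # automated monitoring only
    PERIODIC_REVIEW = 2  # periodic human review of outputs
    HUMAN_DECISION = 3   # a human makes every consequential decision


# Assumed ordinal scales; the real matrix is not reproduced here.
CONSEQUENCE = {"revenue": 1, "reputational": 2, "legal": 3, "safety": 3}
BEARER = {"company": 1, "customer": 2, "individual": 3}  # individual = applicant, employee


def classify(consequence: str, bearer: str) -> Oversight:
    """Combine 'what fails silently' with 'who bears it' into an oversight tier."""
    score = CONSEQUENCE[consequence] * BEARER[bearer]
    if score <= 2:
        return Oversight.AUTOMATED
    if score <= 4:
        return Oversight.PERIODIC_REVIEW
    return Oversight.HUMAN_DECISION


@dataclass
class VendorAnswers:
    """Answers to the due diligence checklist items named in the text."""
    data_residency_in_scope: bool   # data stays in the approved jurisdiction
    trains_on_customer_data: bool
    audit_logging: bool
    human_escalation_path: bool
    data_deletion_on_request: bool


def vendor_gaps(tier: Oversight, v: VendorAnswers) -> list[str]:
    """Return the checklist items the vendor fails for this tier (empty list = approve).

    Which items are mandatory at which tier is an assumption for this example.
    """
    gaps = []
    if v.trains_on_customer_data:          # assumed blocking at every tier
        gaps.append("trains on customer data")
    if not v.data_deletion_on_request:     # assumed mandatory at every tier
        gaps.append("no data deletion capability")
    if tier >= Oversight.PERIODIC_REVIEW:
        if not v.data_residency_in_scope:
            gaps.append("data residency out of scope")
        if not v.audit_logging:
            gaps.append("no audit logging")
    if tier >= Oversight.HUMAN_DECISION and not v.human_escalation_path:
        gaps.append("no human escalation path")
    return gaps
```

Calling `vendor_gaps(classify("legal", "individual"), answers)` therefore demands every item, while a revenue-only recommender is gated on deletion capability and training use alone.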

Highlights

  • AI risk classification matrix aligned to EU AI Act and Australia's AI Ethics Principles
  • Vendor due diligence checklist for third-party AI platform procurement
  • Acceptable use policy covering generative AI, LLM APIs, and autonomous agents
  • Human-in-the-loop requirements tiered by risk classification
  • Published as internal policy with version control and annual review cadence