AI Governance
AI governance is the operating model that makes AI use controllable: who may run which models on which data, with what oversight and what evidence. It is the enabler of sovereign AI, not its brake.
Controlled, trustworthy AI deployment
The moment the first team uses an AI tool in production, every organisation faces the same choice. Either an ungoverned shadow AI emerges, where no one knows which data flows into which model. Or AI use is banned outright and goes underground anyway. AI governance is the third way: a frame that makes AI usable while steering the risk. This page describes what that frame governs, why it enables rather than blocks, and how it binds the relevant regulations into a single practice.
What AI governance governs
Governance is not a document but an ongoing process across five surfaces:
- Models. Which language models and providers are approved, and which are not? A locally run open-weights model carries a different risk than a US cloud API.
- Data. Which data classes may go into which model? Particularly sensitive personal data does not belong in a foreign cloud unchecked.
- Access. Who may use AI for what purpose? Roles and approvals instead of a silent self-service counter.
- Oversight. Where does an AI decision need a human in the loop, and where is a spot check enough?
- Evidence. Can the organisation show afterwards which model produced which answer from which data? Without an audit trail, every compliance statement is just a claim.
These five surfaces are the skeleton. Everything else, from model selection to training, hangs off them.
Governance as an enabler, not a brake
The most common misconception equates governance with prohibition. That is exactly what creates the problem it is meant to solve. Where AI is banned wholesale, people use it anyway, just invisibly and uncontrolled. Effective governance inverts the logic: it defines an approval process that makes safe use faster than the workaround. An approved model, a clarified data class and a known owner take the friction out of usage instead of forbidding it. Governance thus becomes the precondition for AI development and AI use to be sovereign at all. The strategic question of where to invest in AI is settled beforehand by AI strategy; governance settles how the use stays controlled.
The regulations in one frame
AI governance is also where the relevant regulations stop contradicting each other and start complementing each other. They apply at the same time, not as alternatives:
- The EU AI Act classifies AI systems by risk and ties obligations to that, from transparency labelling to human oversight for high-risk applications. Through its result-used-in-the-EU trigger it reaches Swiss actors too.
- ISO/IEC 42001 provides the organisational underpinning: an AI management system, analogous to ISO 27001 for information security, that turns governance from a one-off measure into an auditable routine.
- The revised Swiss Data Protection Act (revFADP) applies independently as soon as an AI system processes personal data. Handing data to US providers adds a second legal layer described by the US Cloud Act.
Frameworks such as the NIST AI Risk Management Framework and the OECD AI Principles give the whole a shared language for risk, transparency and accountability. Governance is the bracket that turns these layers into a single practice instead of three separate compliance projects.
The governance cycle
Governance is cyclical, not one-off. Every new model, every new use case and every rule change runs through the same loop. It turns the five surfaces into a repeatable sequence:
```mermaid
flowchart TD
    A["AI inventory<br/>incl. shadow AI"] --> B["Classify<br/>role, risk, data class"]
    B --> C["Set controls<br/>approval, oversight, limits"]
    C --> D["Operate<br/>with evidence and audit trail"]
    D --> E["Review<br/>new models, new rules"]
    E --> A
```
The decisive step is the first. Without a complete inventory that explicitly includes the bought-in shadow AI in SaaS tools, governance steers only the visible part and misses the real risk. The classification draws directly on the risk classes of the EU AI Act.
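The cycle above can be carried as policy-as-code rather than as a document: the inventory is a table, the controls are a lookup, and every decision writes an evidence record. The following is an added example, not code from the page or from any of the named regulations; the data classes, the model inventory, the allow matrix (which data class may reach which hosting location) and the human-in-the-loop threshold are constructed assumptions that a real organisation would set from its own classification.

```python
"""Policy-as-code gate for the governance cycle: classify a request against
the AI inventory, apply the controls, and write a tamper-evident audit record.
Added example, not from the original page; the inventory, data classes and
allow matrix are constructed assumptions, not values taken from any rulebook."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
import hashlib
import json


class DataClass(IntEnum):
    """Constructed data classification, ordered from least to most sensitive."""
    PUBLIC = 1
    INTERNAL = 2
    PERSONAL = 3            # personal data in the sense of the revFADP
    SENSITIVE_PERSONAL = 4  # particularly sensitive personal data


@dataclass(frozen=True)
class Model:
    name: str
    provider: str
    location: str   # where inference runs: "local", "ch", "eu" or "us"
    approved: bool  # outcome of the approval process


# Step 1, AI inventory (constructed). Anything absent here is shadow AI.
INVENTORY = {
    "local-llm": Model("local-llm", "own cluster", "local", True),
    "us-cloud-llm": Model("us-cloud-llm", "US cloud provider", "us", True),
    "legacy-saas-ai": Model("legacy-saas-ai", "embedded SaaS feature", "us", False),
}

# Steps 2 and 3, controls (constructed): highest data class per hosting
# location, and the class from which a human must stay in the loop.
MAX_CLASS_BY_LOCATION = {
    "local": DataClass.SENSITIVE_PERSONAL,
    "ch": DataClass.SENSITIVE_PERSONAL,
    "eu": DataClass.PERSONAL,
    "us": DataClass.INTERNAL,
}
HUMAN_IN_LOOP_FROM = DataClass.PERSONAL


class AuditLog:
    """Step 4, evidence: hash-chained records, so a later edit is detectable."""

    def __init__(self):
        self.entries = []  # list of (record_dict, record_hash)

    @staticmethod
    def _digest(prev_hash, record):
        payload = prev_hash + json.dumps(record, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else "0" * 64
        digest = self._digest(prev, record)
        self.entries.append((record, digest))
        return digest

    def verify(self):
        """Recompute the chain; False if any record or link was altered."""
        prev = "0" * 64
        for record, digest in self.entries:
            if self._digest(prev, record) != digest:
                return False
            prev = digest
        return True


def evaluate(log, model_name, data_class, role, purpose, now=None):
    """Decide one request and record it. Returns (allowed, reason, human_in_loop)."""
    model = INVENTORY.get(model_name)
    if model is None:
        allowed, reason = False, "model not in AI inventory (shadow AI)"
    elif not model.approved:
        allowed, reason = False, "model inventoried but not approved"
    elif data_class > MAX_CLASS_BY_LOCATION[model.location]:
        allowed, reason = False, f"{data_class.name} not permitted for location {model.location}"
    else:
        allowed, reason = True, "approved model and permitted data class"
    human_in_loop = allowed and data_class >= HUMAN_IN_LOOP_FROM
    # The evidence surface: which model, which data, which role, which decision.
    record = {
        "time": now or datetime.now(timezone.utc).isoformat(),
        "model": model_name,
        "provider": model.provider if model else None,
        "location": model.location if model else None,
        "data_class": data_class.name,
        "role": role,
        "purpose": purpose,
        "allowed": allowed,
        "reason": reason,
        "human_in_loop": human_in_loop,
    }
    log.append(record)
    return allowed, reason, human_in_loop
```

A request for an unknown tool is refused with the reason "shadow AI", which is exactly the signal step 1 of the cycle needs: refusals for un-inventoried models are the list of what the next review round has to classify. The hash chain does not make the log unforgeable on its own; it makes silent edits visible to whoever checks it, which is what "evidence" in the audit-trail sense requires.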
Where governance breaks
- Governance theatre. A policy exists, but no one enforces it. A frame without an approval process and without an audit trail is decoration.
- Shadow AI. The inventory captures the official tools, not the embedded AI features in software already in use. The biggest risk stays invisible.
- Too late. Governance is set up only after the first incident. By then it is damage control rather than steering.
- Only tech or only paper. Governance made solely of tools misses the roles and processes; governance made solely of documents misses enforcement. The two belong together.
What the rulebooks mean for the organisation
Governance that deliberately steers models and data flows onto sovereign infrastructure resolves several obligations at once: it keeps model choice, data classes and evidence in the organisation's own hands rather than leaving them to a foreign provider. That classification, from risk class to model approval, is the core of AI governance; the commercial evidence-and-supply-chain side is covered by Security, Compliance and OSPO. The ongoing scan of the technology landscape that approvals rest on is described by the Tech Radar; the values layer behind the controls is covered by Digital Ethics. For Swiss organisations the question sharpens: as soon as an AI system sends personal data to a US cloud, the revised FADP and the US Cloud Act apply, and where an EU scope trigger is also met the risk-class logic of the EU AI Act is added.
References
- Council of Europe Framework Convention on Artificial Intelligence. The international-law frame on AI, human rights and the rule of law, signed by Switzerland. (05.09.2024). www.coe.int/en/web/artificial-intelligence/the-framework-convention-on-artificial-intelligence
- OECD AI Principles, 2024 update. Five values-based principles and five recommendations for trustworthy AI, adhered to by 47 states and organisations. (03.05.2024). oecd.ai/en/ai-principles
- ISO/IEC 42001:2023, AI management system. The first international standard for an artificial-intelligence management system. (2023). www.iso.org/standard/81230.html
- NIST AI Risk Management Framework (AI RMF 1.0). Voluntary US framework for steering AI risk across the four functions govern, map, measure and manage. (26.01.2023). www.nist.gov/itl/ai-risk-management-framework
Related topics
- EU AI Act, the risk classes and obligations governance builds on.
- Compliance, the technical view on evidence and control.
- nFADP / revFADP, the Swiss data protection law that applies in parallel.
- Digital Ethics, the values layer behind the controls.
- Tech Radar, the basis for model and technology approvals.
- Security, Compliance and OSPO, the commercial delivery of evidence and control.