I was advising a large financial services organization that had been trying to build AI governance for nine months. They had drafts of policies. They had architectural diagrams. They had assessment frameworks. But nothing was finished. Nothing was deployed. Nothing was working. The initiative was stalled, and everyone was frustrated.
The problem wasn't lack of effort. It was lack of structure. They were trying to do everything at once. Build the inventory, classify systems, define roles, implement controls, create oversight processes, train people, update procurement, modify contracts, establish escalation paths, and build monitoring infrastructure. All in parallel. All with unclear exit criteria. All with unclear ownership.
When I asked them to structure the program into phases, with clear exit criteria and dedicated owners, everything changed. Suddenly there was clarity. People knew what they were accountable for. People knew when their phase would be done. Progress became visible. Within six months, they had moved from draft to deployed governance across multiple systems.
The Four-Phase Model
Successful AI governance programs follow four distinct phases, each with specific outputs, timelines, and exit criteria. Understanding these phases transforms a chaotic, open-ended program into a structured, deliverable-focused one.
Phase One: Inventory and Classification (4-6 Weeks)
The program begins with understanding what you have. You've done the workshop to identify all AI systems. You've reviewed contracts to find shadow AI. You've classified each system into the EU AI Act risk categories. Exit criteria are clear: every known system is registered, classified, and has an assigned owner. You know what percentage are prohibited risk, high-risk, limited risk, and minimal risk. You know which systems need immediate attention.
The output is the AI system register. Not a spreadsheet. A structured document with complete information on each system: what it does, who uses it, what data it processes, who owns it, and what risk level it is. This register becomes the foundation for everything that follows.
Timeline: 4-6 weeks. This phase is the quickest because it's primarily information gathering. The constraint is typically getting access to people from different departments, not complexity. Dedicated owner: typically the Chief Risk Officer or CTO, with support from a program manager who coordinates the workshops and contract review.
Phase Two: Gap Analysis and Prioritisation (4-6 Weeks)
With complete visibility of what you have, you now ask: what needs to change? For each high-risk system, you assess current state: Do we have documented processes? Do we have human oversight? Do we have bias monitoring? Do we have audit trails? Do we have training for overseers? For each system, you identify gaps. Then you prioritize. Which systems are most critical? Which have the highest risk? Which deployments need to be changed or stopped?
Exit criteria are equally clear: every high-risk system has a gap assessment. Every gap has a priority level. You have a prioritization framework that drives Phase Three. The output is the remediation roadmap: here's what needs to change, in what order, by what date.
Timeline: 4-6 weeks. This phase requires coordinated assessment across multiple systems and functions. Legal assesses contract compliance. Technology assesses technical controls. HR assesses training and oversight roles. Operations assesses monitoring and escalation. A program manager synthesizes all of this into a consolidated remediation roadmap.
Phase Three: Governance Structure (2-4 Weeks)
With priorities defined, you now build the structure that will govern these systems. You define roles: who owns each system? Who oversees it? Who escalates risks? You define processes: how are decisions made? How are risks escalated? How often do we review? You define controls: what monitoring happens? What training is required? What documentation is required? You define boards and committees: steering committee to govern the program itself, oversight committees for each high-risk system, a risk forum where issues surface and escalate.
Exit criteria are clear: all roles are defined and assigned. All processes are documented. All controls are specified. The governance structure is approved by leadership. Communications plan is in place for rollout.
Timeline: 2-4 weeks. This phase is primarily definition and documentation. Complexity comes from coordination across multiple stakeholders and the need to get leadership alignment on governance model and escalation paths. The output includes detailed role descriptions, process maps, control specifications, and organizational charts.
Phase Four: Implementation and Monitoring (Ongoing)
The final phase is deployment of the governance structure. Teams are trained on their roles. Oversight committees start meeting. Systems are monitored. Risks are escalated. Documentation is created and maintained. This is an ongoing phase that doesn't have a fixed end date. It's where governance becomes operational.
Exit criteria in Phase Four are continuous and measured. What percentage of oversight reviews happened on schedule? What percentage of escalations were resolved? What percentage of teams completed training? What new systems were added to the register? What systems moved from high-risk to compliant? Progress is measured weekly and reported monthly.
Timeline: Ongoing, but with measurable cadence. This is where things get real. The structure you built is now embedded in how the organization operates. A program manager transitions from program delivery to program operations, supporting the ongoing governance structure and managing continuous improvement.
What Makes This Work
This phased model works because it does four things. First, it creates clarity. Each phase has a clear purpose, clear exit criteria, and a clear endpoint. People know what they're working toward and when they'll be done. Second, it builds momentum. Completing Phase One is visible. The register exists. The classification is done. You've achieved something. Completion of Phase Two means priorities are clear and the organization can plan the work. Each completed phase creates energy and momentum for the next one.
Third, it enables adaptation. If you wait until Phase Three to find out that classification is harder than expected, you're too far along. With a phased approach, you find out at the end of Phase One, when you still have time to adjust. Learning happens in real time, and the plan adapts.
Fourth, it forces accountability. Each phase has an owner. Each phase has an exit date. If Phase One is supposed to take 4-6 weeks and it's still going after eight weeks, that's a problem that gets escalated. Accountability is built into the model.
Timelines and Scope
The complete program, from Phase One through initial rollout of Phase Four, takes 14-20 weeks. Four to six months. That's faster than most organizations expect, and it's because phasing creates focus and pressure. You're not trying to do everything at once. You're doing things in sequence, with clear exit dates and clear ownership.
Full operational maturity—where the governance structure is embedded and working smoothly—takes longer. Twelve to eighteen months. But the program is delivering value and demonstrating progress throughout that period. You're not waiting until the end to see results. You're seeing them continuously.
The Difference This Makes
Organizations that structure their programs this way deliver 85 percent fewer rework cycles than organizations that try to do everything at once. They move 60 percent faster from planning to operations. They have 3 times higher compliance confidence because they can measure progress and demonstrate control at each stage.
A phased approach also changes how leadership views the program. Instead of an open-ended initiative that might go on forever, it's a structured program with clear milestones and delivery dates. Instead of asking "when will this be done?" leadership can see real progress and can plan resourcing and investment accordingly.
The key is starting with inventory. You can't prioritize what you don't know. You can't build governance structure for systems that haven't been classified. The phases build on each other, and the sequencing matters. Get Phase One right, and everything else becomes possible.