v2.4.0

Portfolio Prioritisation — Four Axes

Organisations with multiple high-risk systems cannot address all systems simultaneously. The AI Governance Lead prioritises the portfolio on four axes. Risk tier: highest-risk systems (those in the most sensitive Annex III domains, those with the largest affected populations) take priority. Deployment timeline: systems approaching deployment deadlines are addressed before those in early development. Deployment scale: systems affecting more people carry greater enforcement risk and should be prioritised accordingly. Compliance readiness: systems with less existing documentation require more effort and should start earlier to avoid deadline pressure.

The prioritisation produces a portfolio sequencing plan: which systems enter the seven-phase delivery workflow in which order, and how shared resources are allocated across parallel tracks. The plan is reviewed quarterly and adjusted as circumstances change (a regulatory enforcement action may reprioritise a specific system; a deployment deferral may free resources for another).

Key outputs

  • Four-axis prioritisation (risk tier, timeline, scale, readiness)
  • Portfolio sequencing plan
  • Quarterly review and adjustment
  • AI Governance Lead decision

Shared Resource Planning

The AI Governance Lead, Legal and Regulatory Advisor, Conformity Assessment Coordinator, and Internal Audit Assurance Lead are typically shared across the portfolio. Their availability is planned against the portfolio’s milestone calendar. Governance gates (CDR approval, risk register acceptance, Declaration of Conformity signing) are staggered by the AI Governance Lead to avoid queuing.

If multiple systems reach Phase 5 simultaneously, the assessment workload may exceed available capacity. The resource plan identifies these bottlenecks in advance and either staggers the phase entries or secures additional assessment capacity (external consultants, temporary secondments from the internal audit function).

Cross-system synergies reduce per-system effort. Systems sharing common components (the same GPAI model, data sources, or deployment infrastructure) can share compliance artefacts. A GPAI model risk assessment conducted for one system is reused, with system-specific adaptation, for another. Data governance documentation for shared sources is written once and referenced by multiple AISDs.

Key outputs

  • Shared resource availability mapped to portfolio milestones
  • Governance gate staggering to avoid bottlenecks
  • Cross-system synergy identification for artefact reuse
  • Bottleneck mitigation planning

Staggered Governance Gates

The portfolio governance cadence operates above individual system cadences. Monthly portfolio status reviews track each system’s progress against phase milestones. Quarterly resource reviews assess whether planned resource allocation is sufficient. Annual strategic reviews assess the portfolio’s overall compliance posture and plan for the coming year.

Governance gates for individual systems are scheduled into the portfolio calendar. The AI Governance Lead blocks out time for each gate (CDR approval, risk acceptance, Declaration signing) weeks in advance. Where two systems’ gates would coincide, the lower-priority system’s gate is moved to avoid splitting the AI Governance Lead’s attention.

This disciplined scheduling prevents the common failure mode where the AI Governance Lead is asked to review and approve multiple systems’ Declarations of Conformity in the same week, leading to superficial review and elevated risk.

Key outputs

  • Portfolio governance cadence (monthly, quarterly, annual)
  • Individual system gates scheduled into the portfolio calendar
  • Gate staggering to prevent simultaneous review overload
  • AI Governance Lead time allocation planned in advance