v2.4.0

Seven Roles Summary & Multi-Role Assignment

Seven functional governance roles thread through every domain:

  • AI Governance Lead: ultimate compliance accountability, AISDP approval, Declaration of Conformity signatory, competent authority relationship.
  • AI System Assessor: risk identification, classification analysis, conformity assessment; independent of the development team.
  • Conformity Assessment Coordinator: end-to-end certification workflow, Non-Conformity Register, EU database registration.
  • Legal and Regulatory Advisor: legal sufficiency, regulatory interpretation, Declaration review, insurance coverage.
  • DPO Liaison: FRIA oversight, data governance review, GDPR-AI Act alignment (Articles 56–62).
  • Internal Audit Assurance Lead: independent assurance, periodic audits, audit committee reporting.
  • Technical SME: engineering expertise, AISDP technical content, monitoring configuration.

In smaller organisations, one person may hold multiple roles. The AI System Assessor must not also serve as AI Governance Lead (independence requirement). The DPO Liaison and Legal and Regulatory Advisor roles can combine where the individual has both data protection and regulatory competence. Every multi-role assignment is documented in the QMS with a rationale confirming that independence and capacity are maintained.

Key outputs

  • Seven functional roles with defined accountability
  • Multi-role assignment rules and independence constraints
  • QMS documentation of role assignments

Governance Cadence (Sprint, Monthly, Quarterly, Annual)

Four governance rhythms operate concurrently:

  • Sprint-level: compliance tasks embedded in each development sprint; AISDP modules updated; evidence pack maintained; sprint retrospective includes a compliance dimension.
  • Monthly: PMM reports prepared by the PMM analyst and reviewed by the Technical SME; deployer feedback aggregated; Non-Conformity Register status checked.
  • Quarterly: AI Governance Lead convenes the oversight review (six agenda items) and the PMM review (eight agenda items); threshold calibration reviewed; board reporting prepared.
  • Annual: Internal Audit Assurance Lead conducts the oversight audit (six verification areas); break-glass exercise conducted; AI literacy refresher training delivered; external audit commissioned where applicable.

Key outputs

  • Four-cadence governance rhythm documented
  • Per-cadence activities, owners, and artefacts defined
  • Cross-references to detailed articles

Decision Authority Framework (Four Tiers)

Four decision authority tiers govern PMM-triggered and oversight-triggered actions:

  • Tier 1 (Technical SME): threshold adjustments, monitoring configuration changes, routine engineering remediation.
  • Tier 2 (Technical Owner): model retraining on updated data where all validation gates pass; notice to the AI Governance Lead.
  • Tier 3 (AI Governance Lead): architecture changes, feature set changes, hyperparameter shifts; triggers a substantial modification assessment.
  • Tier 4 (AI Governance Lead + Legal and Regulatory Advisor): system suspension, withdrawal, recall; immediate deployer notification; potential serious incident reporting.

Key outputs

  • Four-tier authority matrix
  • Per-tier scope, authoriser, and notification requirements
  • Cross-reference to