Trail

Enterprise Governance

How an organization governs AI use across the people, the policies, and the regulators. About 70 minutes per module when complete; Module 1 covers the operating frame the rest of the trail hangs on.

  1. Governance Foundations

    If you've finished the AI Foundations trail, you can use AI well as an individual. This trail is the other half of the work: how an organization governs AI use across the people, the policies, and the regulators. Module 1 sets the frame. Five things every leader, policy author, and L&D buyer should be able to answer on a Monday morning — what governance actually is, what its three layers are, which frameworks are worth knowing by name, what artifacts you produce, and who owns what inside the org.

  2. Risk Management

    Governance Foundations gave you the operating frame. This module is where the frame meets the use case. Every AI deployment carries a specific risk profile, and the discipline of risk management is making that profile explicit, applying controls scaled to it, watching it over time, and being willing to refuse the deployments that don't survive the analysis. Five things every leader, IT owner, and per-use-case operator should be able to do.

  3. Regulatory Crosswalk

    Risk Management gave you the program. Now we get specific. A regulatory crosswalk is the artifact that maps each requirement of each applicable framework to a specific control your organization operates — with evidence. Crosswalks turn 'we have a governance program' into 'here is the requirement, here is our control, here is the artifact that proves it.' That mapping is what carries an organization through a regulator inquiry, customer audit, or board review with answers instead of narrative.

  4. Platform-Native vs. Org-Overlay Governance

    Regulatory Crosswalk mapped your controls to framework requirements. This module gets one layer underneath that: which of your controls come from the AI platform you use (platform-native) and which you have to build yourself (org-overlay). Knowing the boundary is what lets you avoid two equally common failures — over-building controls your vendor already provides, and assuming controls exist that your vendor doesn't actually offer. Five things every IT lead, vendor manager, and policy author should be able to inventory cleanly.

  5. Enterprise Integration

    AI governance doesn't exist in isolation. Your organization already has information security, privacy, vendor management, legal, audit, and enterprise risk-management programs — each with its own owners, artifacts, cadences, and reporting lines. AI governance has to coordinate with all of them: where they overlap, where AI adds requirements they don't cover, and where the organizational structures connect. This module is the integration layer — five things every leader, IT owner, and governance program author should be able to design intentionally.

  6. Standing Up the Program

    Five modules in, you've learned what an AI governance program is, how to assess risk, how to crosswalk regulations to your operating context, how platform-native and overlay controls combine, and how the program integrates with enterprise workflows. Now you assemble it. Marcus has asked you to draft Vesta Medical's governance program — the document the board will sign and the auditors will measure against. The capstone walks through the structural choices that define the program. Each is a real trade-off: control rigor vs. operator velocity, breadth vs. depth in critical paths, internal authoring vs. external attestation. There aren't single right answers — but some combinations are coherent and some aren't. Pick the program you can defend.