Standing Up the Program
A regulated mid-size company is launching its AI governance program. You're the lead. You have 90 days.
Five modules in, you've learned what an AI governance program is, how to assess risk, how to crosswalk regulations to your operating context, how platform-native and overlay controls combine, and how the program integrates with enterprise workflows. Now you assemble it. Marcus has asked you to draft Vesta Medical's governance program — the document the board will sign and the auditors will measure against. The capstone walks through the structural choices that define the program. Each is a real trade-off: control rigor vs. operator velocity, breadth vs. depth in critical paths, internal authoring vs. external attestation. There aren't single right answers — but some combinations are coherent and some aren't. Pick the program you can defend.
You're four weeks into the role. The CEO of a 600-person regulated company has named you AI governance lead and given you 90 days to stand up a defensible program. You've finished the discovery phase: AI use is happening — across customer service, complaint handling, and internal operations — without a unified policy, registry, or owner. Marcus, your CEO, has set one expectation: "I need to be able to answer board-level questions about our AI posture by quarter end." You have a blank Friday morning, a small budget, and the goodwill of three cross-functional partners who will help if you ask cleanly.