How organisations govern AI use: policies, review boards, risk registers, and controls.
AI governance is the set of policies, processes, and controls that ensure AI and automation systems are used responsibly within an organisation. For automation builders, governance means documenting what your workflows do, who owns them, what risks they carry, and how they are monitored.
The three lines of defence model applies to automation: Line 1 is the workflow owner (responsible for safe design and daily monitoring), Line 2 is a risk or compliance function (periodic audits, policy enforcement), Line 3 is internal audit (independent testing and review).
Every production workflow should have an entry in a registry: name, owner, trigger, data accessed, external services called, risk level, last reviewed date. This is not bureaucracy โ it is the minimum necessary to manage a portfolio of automations responsibly.
When an automation causes harm โ wrong emails sent, data deleted, financial errors โ you need a practiced incident response: stop the workflow immediately, assess the blast radius, notify affected parties, conduct a root cause analysis, and implement controls before restarting.
๐ก Governance scales. A single builder with ten workflows needs a simple checklist. A team managing hundreds of production automations needs a registry, review cadences, and escalation paths. Start small, but start now.
The best way to internalise these principles is to open a real workflow and audit it against this lesson's checklist. Pick any workflow from the workflow library and work through each principle point by point.
Browse workflows to practice →