Frameworks
Four frameworks. One operating model.
A working guide to the conceptual structures this book is built on — what a framework is for, why governance needs them, and how the four interlocking ones fit together.
Why frameworks
A framework is not a template you fill in. It is a shared way of seeing a problem — a compression of experience into a structure that other people can reason about, argue with, and apply.
In enterprise AI, frameworks matter for a specific reason. The problems are novel, the vocabulary is fragmented, and the consequences of getting governance wrong are now too large to leave to ad hoc conversations. When a CIO, a CISO, a business unit head, and a board director talk about “AI governance,” they are usually talking about four different things. A shared framework gives them a place where they can disagree precisely instead of agreeing vaguely.
The four frameworks on this page are the ones Govern or Fail is built on. Each does a different job. Together they form the operating model the book argues for — diagnosis, cadence, architecture, execution.
Read them in the order they appear below. The sequence matters. Diagnosis before treatment. Treatment rhythm before infrastructure. Infrastructure before the 90-day sprint that stands it up.
01 · Diagnostic
Debt Quadrant
Where does your AI estate sit?
The Debt Quadrant plots AI systems on two axes: governance discipline and value velocity. Four positions emerge.
Reckless
high velocity, low discipline
Fast delivery with no brakes. Maximum short-term value, maximum long-term exposure. The most common actual position; the least common self-reported one.
Governed
high velocity, high discipline
The target state. Faster than Reckless by the third deployment, because reusable governance infrastructure compounds.
Bureaucratic
low velocity, high discipline
Oversight without delivery. Audits pass, nothing ships.
Stagnant
low velocity, low discipline
Both clocks stopped. The quietest quadrant, the most dangerous. No pressure to govern, no evidence of value, no external forcing function.
The only wrong answer is a flattering one. Most self-assessments place the organisation in Governed. Most data-based assessments place it somewhere between Reckless and Bureaucratic. The gap between the two is usually the most useful piece of information in any AI governance conversation.
02 · Operating cadence
Governed AI Loop
How do you run governed AI in production?
Five phases, continuously: Align → Constrain → Operate → Assure → Evolve.
The Loop is continuous by design. “Project-based governance” is the pattern that fails — it treats governance as a one-time onboarding rather than an operating rhythm that runs as long as the AI system is in production.
If governance activity in your organisation stops when the system goes live, you are running a governance project, not a governance loop.
03 · Architecture
AIOS — AI Operating System
What do you build to make governance enforceable?
AIOS is a synthesised target architecture, not a product. It names the governed control plane where every AI request is routed, authenticated, logged, policy-checked, and bounded — by default, for every system, without depending on individual developers to do the right thing.
Five components:
- 1. Routing & Policy Enforcement — The traffic cop. Every AI request passes through this layer; policy is applied at runtime, not checked by documentation.
- 2. Governance Registry — The source of truth for approved systems, policies, callers, and data domains.
- 3. Observability & Audit Logging — Every call logged with enough detail to reconstruct the decision. Tamper-evident.
- 4. Secrets & Identity — IdP-bound authentication. Who is calling, with what right, for how long.
- 5. Connector Library — Approved, reusable bridges to enterprise data and external tools.
AIOS is not a tollbooth you can buy. It is a design target your existing infrastructure grows into — through API gateway maturity, identity integration, and the five components above. Vendor AI governance modules address parts of this at the single-product scope; AIOS is how you enforce governance across the AI systems you did not buy from any single vendor.
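A minimal sketch of how the first four components interact at runtime, added here as an illustration and not taken from the book or any product: a default-deny decision against a registry, with every outcome written to a hash-chained audit log. The registry contents, field names and the `enforce` and `AuditLog` names are hypothetical, and `token_expires` is assumed to come from a credential the IdP has already validated.

```python
import hashlib
import json

# Constructed registry: approved systems with their allowed callers and data domains.
REGISTRY = {
    "claims-summariser": {"callers": {"svc-claims"}, "domains": {"claims"}},
}
GENESIS = "0" * 64

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

def enforce(request, now, log):
    """Default-deny decision for one AI request; allow and deny are both logged."""
    entry = REGISTRY.get(request["system"])
    if entry is None:
        decision, reason = "deny", "system not in registry"
    elif request["token_expires"] <= now:
        decision, reason = "deny", "credential expired"
    elif request["caller"] not in entry["callers"]:
        decision, reason = "deny", "caller not approved"
    elif request["domain"] not in entry["domains"]:
        decision, reason = "deny", "data domain not approved"
    else:
        decision, reason = "allow", "matched registry entry"
    log.append({"at": now, **request, "decision": decision, "reason": reason})
    return decision, reason
```

A hash chain only makes tampering evident if the latest hash is also recorded somewhere the log writer cannot rewrite; otherwise the whole chain can be recomputed after an edit.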
04 · Execution
Executive Action Framework
How do you start in the next 90 days?
A time-boxed, executive-sponsored sprint with five phases and one named output per phase.
AI system register
Catalogue every AI system, pilot, and shadow use.
Quadrant placement
Honest assessment of discipline and velocity per system.
AIOS sprint plan
Registry, routing, audit, identity, connectors. Named owner per component.
First two governed systems live
Two production AI systems move from shadow to the control plane. Policies enforced at runtime.
Steady-state operating model
Named owners, recurring reviews, quarterly cadence.
At Day 90, you have a board-ready governance report, a maturity score, and a 12-month roadmap. You do not have a fully governed AI estate — that takes 12 to 18 months. What you have is the accurate picture of where you stand, the ownership structure to act on it, and the board's mandate to continue.
90 days from now, this programme is either in production or it is abandoned. There is no Phase 2 extension. The deadline is a feature, not a bug.
How they fit together
The Debt Quadrant tells you where you are. The Governed AI Loop tells you how governed systems run. AIOS tells you what infrastructure you need to build. The Executive Action Framework tells you how to start.
Each is useful alone. Together they are an operating model.
The book works through them in detail — with cases, data, and the political dynamics that architecture alone cannot solve. The tools on this site operationalise the ones that benefit from interactivity: the Debt Quadrant for plotting your own estate, the Maturity Assessment for scoring governance discipline, the 90-Day Sprint for running the EAF end to end.