Frameworks

Four frameworks. One operating model.

A working guide to the conceptual structures this book is built on — what a framework is for, why governance needs them, and how the four interlocking ones fit together.

Why frameworks

A framework is not a template you fill in. It is a shared way of seeing a problem — a compression of experience into a structure that other people can reason about, argue with, and apply.

In enterprise AI, frameworks matter for a specific reason. The problems are novel, the vocabulary is fragmented, and the consequences of getting governance wrong are now too large to solve in ad hoc conversations. When a CIO, a CISO, a business unit head, and a board director talk about “AI governance,” they are usually talking about four different things. A shared framework gives them a place where they can disagree precisely instead of agreeing vaguely.

The four frameworks on this page are the ones Govern or Fail is built on. Each does a different job. Together they form the operating model the book argues for — diagnosis, cadence, architecture, execution.

Read them in the order they appear below. The sequence matters. Diagnosis before treatment. Treatment rhythm before infrastructure. Infrastructure before the 90-day sprint that stands it up.

01 · Diagnostic

Debt Quadrant

Where does your AI estate sit?

The Debt Quadrant plots AI systems on two axes: governance discipline and value velocity. Four positions emerge.

Reckless

high velocity, low discipline

Fast delivery with no brakes. Maximum short-term value, maximum long-term exposure. The most common actual position; the least common self-reported one.

Governed

high velocity, high discipline

The target state. Faster than Reckless by the third deployment, because reusable governance infrastructure compounds.

Bureaucratic

low velocity, high discipline

Oversight without delivery. Audits pass, nothing ships.

Stagnant

low velocity, low discipline

Both clocks stopped. The quietest quadrant, the most dangerous. No pressure to govern, no evidence of value, no external forcing function.

The only wrong answer is a flattering one. Most self-assessments place the organisation in Governed. Most data-based assessments place it somewhere between Reckless and Bureaucratic. The gap between the two is usually the most useful piece of information in any AI governance conversation.

02 · Operating cadence

Governed AI Loop

How do you run governed AI in production?

Five phases, continuously: Align → Constrain → Operate → Assure → Evolve.

Align: What the AI system is supposed to do, for whom, under what constraints. Intent and ownership.
Constrain: The data boundaries, policy rules, and thresholds that define acceptable behaviour.
Operate: The system running under the constraints, with every decision logged.
Assure: Monitoring, audit, and incident response that verify the constraints are holding.
Evolve: Controlled change: policy updates, model changes, boundary adjustments. Feeds back into Align.

The Loop is continuous by design. “Project-based governance” is the pattern that fails — it treats governance as a one-time onboarding rather than an operating rhythm that runs as long as the AI system is in production.

If governance activity in your organisation stops when the system goes live, you are running a governance project, not a governance loop.

03 · Architecture

AIOS — AI Operating System

What do you build to make governance enforceable?

AIOS is a synthesised target architecture, not a product. It names the governed control plane where every AI request is routed, authenticated, logged, policy-checked, and bounded — by default, for every system, without depending on individual developers to do the right thing.

Five components:

  1. Routing & Policy Enforcement: The traffic cop. Every AI request passes through this layer; policy is applied at runtime, not checked by documentation.
  2. Governance Registry: The source of truth for approved systems, policies, callers, and data domains.
  3. Observability & Audit Logging: Every call logged with enough detail to reconstruct the decision. Tamper-evident.
  4. Secrets & Identity: IdP-bound authentication. Who is calling, with what right, for how long.
  5. Connector Library: Approved, reusable bridges to enterprise data and external tools.

AIOS is not a tollbooth you can buy. It is a design target your existing infrastructure grows into — through API gateway maturity, identity integration, and the five components above. Vendor AI governance modules address parts of this at the single-product scope; AIOS is how you enforce governance across the AI systems you did not buy from any single vendor.
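
How three of the five components (Routing & Policy Enforcement, Governance Registry, Observability & Audit Logging) interact on a single request, as an added example that is not from the book or any product. The registry contents, the names `claims-summariser` and `svc-claims`, and the `route` and `verify` functions are hypothetical; the caller identity is assumed to have been authenticated already by the Secrets & Identity layer.

```python
import hashlib
import json

# Hypothetical registry: approved system -> approved callers and data domains.
REGISTRY = {
    "claims-summariser": {"callers": {"svc-claims"}, "domains": {"claims"}},
}

GENESIS = "0" * 64  # chain anchor for the first audit entry


def _digest(prev_hash, record):
    # Each entry's hash covers the previous hash, so edits break the chain.
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def route(log, caller, system, domain):
    """Policy-check one request against the registry and log the decision."""
    entry = REGISTRY.get(system)
    if entry is None:
        decision, reason = "deny", "system not in registry"
    elif caller not in entry["callers"]:
        decision, reason = "deny", "caller not approved"
    elif domain not in entry["domains"]:
        decision, reason = "deny", "data domain not approved"
    else:
        decision, reason = "allow", "registry match"
    # Denials are logged as well as allows: the audit trail must show both.
    record = {"seq": len(log), "caller": caller, "system": system,
              "domain": domain, "decision": decision, "reason": reason}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": _digest(prev, record)})
    return decision


def verify(log):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = entry["record"]
        if record["seq"] != i or entry["hash"] != _digest(prev, record):
            return i
        prev = entry["hash"]
    return -1
```

A hash chain detects in-place edits but not truncation of the tail or a full rewrite by someone who can recompute every hash, so the latest hash has to be stored somewhere the log writer cannot modify.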

04 · Execution

Executive Action Framework

How do you start in the next 90 days?

A time-boxed, executive-sponsored sprint with five phases and one named output per phase.

Phase 1 — Inventory (Weeks 1–2)

AI system register

Catalogue every AI system, pilot, and shadow use.

Phase 2 — Debt Audit (Weeks 3–4)

Quadrant placement

Honest assessment of discipline and velocity per system.

Phase 3 — Architect (Weeks 5–7)

AIOS sprint plan

Registry, routing, audit, identity, connectors. Named owner per component.

Phase 4 — Govern (Weeks 8–11)

First two governed systems live

Two production AI systems move from shadow to the control plane. Policies enforced at runtime.

Phase 5 — Institutionalise (Weeks 12–13)

Steady-state operating model

Named owners, recurring reviews, quarterly cadence.

At Day 90, you have a board-ready governance report, a maturity score, and a 12-month roadmap. You do not have a fully governed AI estate — that takes 12 to 18 months. What you have is the accurate picture of where you stand, the ownership structure to act on it, and the board's mandate to continue.

90 days from now, this programme is either in production or it is abandoned. There is no Phase 2 extension. The deadline is a feature, not a bug.

How they fit together

The Debt Quadrant tells you where you are. The Governed AI Loop tells you how governed systems run. AIOS tells you what infrastructure you need to build. The Executive Action Framework tells you how to start.

Each is useful alone. Together they are an operating model.

The book works through them in detail — with cases, data, and the political dynamics that architecture alone cannot solve. The tools on this site operationalise the ones that benefit from interactivity: the Debt Quadrant for plotting your own estate, the Maturity Assessment for scoring governance discipline, the 90-Day Sprint for running the EAF end to end.