PRISM Methodology
PRISM 06 · Governance

Governance isn’t compliance theater. It’s a valuation lever.

70% of PE investors have walked away from a deal over AI exposure, and 40% apply a 5%+ valuation haircut when digital maturity lags. The audit trail you build in month one is part of the exit story in year four.

Governance isn’t a page in the program. It’s the floor under every band.

70%
of PE investors have backed out of a deal over AI exposure
40%
apply a 5%+ valuation haircut when digital maturity lags
100%
of agent actions logged and attributable
±5%
confidence calibration target in regulated work

The Operating Model

Three tiers. Clear decision rights. One name on the door.

Oversight, accountability, and execution live at different altitudes — and the whole thing fails if the middle tier is missing.

Tier 1 · Oversight

The governance committee

IT, legal, HR, finance, security, plus a business sponsor. Approves policy, budget, and risk exceptions.

Meets monthly · owns policy, budget, exceptions

Tier 2 · Accountability

The AI program owner

One named person, near-full-time. The role most programs skip — and why rollouts stall.

One named person · weekly cadence · single point of contact

Tier 3 · Execution

A lean center of excellence

Two to four people across IT, data, and the business — tools, templates, training, first-line triage.

2–4 people · tools, templates, training, triage

A named executive sponsor

Unblocks budget and cross-department resistance — distinct from the program owner.

Decision rights, written down

Who sets risk tiers, who vetoes a use case, who owns the budget line.

An interim acceptable-use policy

Shipped in the first two weeks — shadow use needs guardrails on day one.

The Acceptable-Use Policy, Page One

What the interim policy actually says.

Five clauses anyone can hold in their head — shipped before the first skill goes live.

acceptable-use-policy — page 1 of 2 · Interim · v0.1
1

Approved tools, by name

Everything not on the list is flagged on sight.

2

Data that never leaves

Customer records, financials, NDA material — in plain language.

3

The personal-account rule

Company work never touches personal AI accounts. Zero exceptions.

4

Disclosure

When AI materially affects a decision, the person is told.

5

The escalation path

One “can I use this?” channel — answered in a day.

Review date on page one — expires on purpose
Supersedes: nothing — that’s the problem

Why it ships first

Two pages, shipped in week one — because shadow use starts on day zero, not at launch.

The Shadow-AI Audit

You already have an AI program. You just haven’t met it yet.

Before governing what’s planned, we find what’s running — three passes, each catching what the others miss.

01

The survey

Departments self-report under amnesty framing. Nobody gets punished for honesty, so the answers are honest.

02

The expense scan

AI subscriptions already on corporate cards — counted in the program’s cost picture from day one.

03

Network discovery

Sanctioned and unsanctioned tools visible at the boundary — the pass that catches everything unmentioned.

What we find: dozens of tools, concentrated where the repetitive pain is worst. That concentration is the program’s demand map — start there.

96%

of shadow AI eliminated at a $1.5B distributor — the sanctioned skills were simply better

−94%

unsanctioned usage on company data at a manufacturer, once approved tools beat the workarounds

Risk Tiers

Guardrails that scale with consequence.

A draft email and a credit decision don’t deserve the same checkpoint.

Low risk

Agent executes and notifies

Drafts, summaries, internal search. A human sees the record.

Medium risk

Agent pauses for approval

Anything leaving the company. A human owns the send button.

High risk

Human sign-off, always

Hiring, credit, legal, medical, safety. No confidence score overrides this tier.

The Enforcement Machinery

Six mechanisms that make the policy real.

A policy document controls nothing — these run on every skill, every day.

01 · Live

Confidence-tiered actions

High confidence executes and notifies. Medium pauses. Money and production route through a human.

02 · Live

Audit logging

Who, when, inputs, outputs, confidence — on every run. Nothing happens off the record.

03 · Live

Eval harnesses

Golden test sets per high-stakes skill. Nothing promotes to production without passing.

04 · Live

Skill review board

Bi-weekly vetting of new and live skills. Problems surface in days, not quarters.

05 · Live

Data residency

EU data on EU infrastructure, US on US. Residency is architecture, not a contract promise.

06 · Live

Prompt + model versioning

No silent model swaps. Always answerable: which version decided, and who approved.

governance console — live audit stream

time      skill                     confidence  outcome    note
09:41:07  ap-invoice-triage         0.97        EXECUTED   notified s.patel
09:41:32  customer-email-draft      0.81        PAUSED     awaiting approval — m.rivera
09:42:15  credit-limit-review       0.99        ESCALATED  human sign-off required
09:43:02  contract-clause-extract   0.94        EXECUTED   logged · v3.1
09:43:48  vendor-statement-recon    0.96        EXECUTED   notified a.osei

Eval gate — model change control
model update 4.2 · 27/27 golden cases passed · approved by J. Chen

Every action attributable · every change gated
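The routing rule behind that stream, written out as an added example. This is not LightCI's code; it reproduces the console above with the skill names and tier assignments shown there. The 0.90 confidence threshold, the fail-closed default for a skill nobody registered, the configuration switch that pauses a skill, and the SHA-256 hash chain over the log are my assumptions, added so that the log can be shown intact when it is handed over as a diligence artifact.

```python
"""Confidence-tiered action router writing a tamper-evident audit stream.

Added example; this is not LightCI's code. The skill names and tier
assignments reproduce the console stream above. The 0.90 threshold, the
fail-closed default for unregistered skills, and the SHA-256 hash chain
over the log are assumptions made for this example.
"""
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from enum import Enum
import hashlib
import json


class Tier(Enum):
    LOW = "low"        # drafts, summaries, internal search
    MEDIUM = "medium"  # anything leaving the company
    HIGH = "high"      # hiring, credit, legal, medical, safety


# Assumed tier assignments for the skills in the console stream.
SKILL_TIERS = {
    "ap-invoice-triage": Tier.LOW,
    "contract-clause-extract": Tier.LOW,
    "vendor-statement-recon": Tier.LOW,
    "customer-email-draft": Tier.MEDIUM,
    "credit-limit-review": Tier.HIGH,
}

HIGH_CONFIDENCE = 0.90           # assumed; consulted for the low tier only
PAUSED_SKILLS: set[str] = set()  # runbook "Contain": one configuration switch


def decide(skill: str, confidence: float) -> tuple[str, str]:
    """Return (outcome, note). The risk tier dominates the confidence score:
    no score overrides the high tier, and an unregistered skill fails closed."""
    if skill in PAUSED_SKILLS:
        return "HELD", "paused by configuration"
    tier = SKILL_TIERS.get(skill, Tier.HIGH)
    if tier is Tier.HIGH:
        return "ESCALATED", "human sign-off required"
    if tier is Tier.MEDIUM or confidence < HIGH_CONFIDENCE:
        return "PAUSED", "awaiting approval"
    return "EXECUTED", "notified"


@dataclass(frozen=True)
class AuditRecord:
    ts: str
    skill: str
    version: str      # prompt + model version that decided
    reviewer: str     # who is notified, or who must approve
    confidence: float
    outcome: str      # EXECUTED | PAUSED | ESCALATED | HELD
    note: str
    inputs: str
    outputs: str
    prev: str         # digest of the previous record; "" for the first
    digest: str       # SHA-256 over every other field, canonical JSON


def _digest(fields: dict) -> str:
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append(log: list, skill: str, version: str, reviewer: str,
           confidence: float, inputs: str, outputs: str) -> AuditRecord:
    """Route one invocation and write its record, whatever the outcome."""
    outcome, note = decide(skill, confidence)
    fields = dict(ts=datetime.now(timezone.utc).isoformat(), skill=skill,
                  version=version, reviewer=reviewer, confidence=confidence,
                  outcome=outcome, note=note, inputs=inputs, outputs=outputs,
                  prev=log[-1].digest if log else "")
    record = AuditRecord(**fields, digest=_digest(fields))
    log.append(record)
    return record


def verify(log: list) -> bool:
    """Recompute the chain; an edited, reordered or dropped record breaks it."""
    prev = ""
    for record in log:
        fields = asdict(record)
        digest = fields.pop("digest")
        if fields["prev"] != prev or _digest(fields) != digest:
            return False
        prev = digest
    return True


if __name__ == "__main__":
    # Constructed invocations mirroring three rows of the console stream.
    log: list = []
    append(log, "ap-invoice-triage", "v2.0", "s.patel", 0.97, "INV-10442", "GL-6100")
    append(log, "customer-email-draft", "v1.4", "m.rivera", 0.81, "ticket 5512", "draft reply")
    append(log, "credit-limit-review", "v1.3", "m.rivera", 0.99, "acct 8812", "raise limit")
    for r in log:
        print(f"{r.ts[11:19]}  {r.skill:<24} {r.confidence:.2f}  {r.outcome:<9} {r.note}")
    print("chain intact:", verify(log))
```

Two design points worth noting. The tier lookup comes before the confidence check on purpose: a 0.99 on credit-limit-review still escalates, which is what "no confidence score overrides this tier" means in code. And the pause switch is a set of skill names read at decision time, so containment is a configuration change that takes effect on the next invocation everywhere, with no redeploy.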

The Skill Review Board, Agenda in Hand

Forty-five minutes, every two weeks. Here’s the agenda.

Six standing items, in order — a board without a fixed agenda becomes a status meeting.

1

Eval regressions

Failed golden sets stay out of production. No exceptions.

2

Incident review

Every escalation, override pattern, and near-miss on the table.

3

The promotion queue

Pilot-to-production candidates, seven artifacts checked each.

4

Spend anomalies

Flagged, explained, or investigated — nothing rides unexamined.

5

Wave-two approvals

New use cases scored against the risk tiers.

6

Model updates pending

Vendor changes queued behind the eval gate.

In the room

Function champions, the program owner, the security lead, the executive sponsor.

On the record

Every decision logged — and the log itself is a diligence artifact.

After Launch

Launch is not the finish line. It’s the starting gun.

The failures that reach the board happen in month seven — after a vendor update nobody read.

Vendor

Model update ships

4.1 → 4.2

Eval gate

27/27 golden cases

Pass

Versioned rollout

v4.2 pinned · approver logged

Fail

Held + alert

program owner paged · v4.1 stays live

Recurring spot checks — per use case, forever
Drift triggers — a number and a name
Re-validation as usage grows
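The gate in that flow, as an added example. This is not LightCI's code. It promotes a candidate version only when every golden case passes, leaves the pin untouched and pages the owner otherwise, and lets a failure from production join the golden set permanently. The invoice-triage skill, the two stand-in functions playing vendor model versions 4.1 and 4.2, the four golden cases (the page's gate runs 27) and the pager callback are all constructed for the example.

```python
"""Model change control: a candidate version promotes only when every golden
case passes; otherwise the pinned version stays live and the owner is paged.

Added example; this is not LightCI's code. The invoice-triage skill, the
two stand-in "vendor model" functions, the golden cases and the pager
callback are constructed here.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional

Model = Callable[[str], str]  # a skill's model: prompt text in, answer out


@dataclass(frozen=True)
class GoldenCase:
    case_id: str
    prompt: str
    expected: str
    origin: str = "authored"  # "incident:<id>" once a production failure joins the set


@dataclass(frozen=True)
class Pin:
    skill: str
    model_version: str  # the version that is live, and answerable
    approved_by: str


@dataclass(frozen=True)
class GateResult:
    candidate_version: str
    passed: int
    total: int
    failed_cases: tuple  # case_ids, in golden-set order

    @property
    def ok(self) -> bool:
        # An empty golden set is not a passing gate: fail closed.
        return self.total > 0 and not self.failed_cases


def _answer(model: Model, prompt: str) -> Optional[str]:
    """A candidate that raises is a failed case, not a skipped one."""
    try:
        return model(prompt)
    except Exception:
        return None


def run_gate(candidate_version: str, candidate: Model, golden: list) -> GateResult:
    failed = tuple(c.case_id for c in golden if _answer(candidate, c.prompt) != c.expected)
    return GateResult(candidate_version, len(golden) - len(failed), len(golden), failed)


def promote(pin: Pin, candidate_version: str, candidate: Model, golden: list,
            approver: str, page: Callable[[str], None]) -> tuple:
    """Versioned rollout on pass; held plus alert on fail, pin unchanged."""
    result = run_gate(candidate_version, candidate, golden)
    if not result.ok:
        page(f"{pin.skill}: {candidate_version} held, {result.passed}/{result.total} "
             f"golden cases passed; {pin.model_version} stays live")
        return pin, result
    return replace(pin, model_version=candidate_version, approved_by=approver), result


def add_regression(golden: list, incident_id: str, prompt: str, expected: str) -> list:
    """Runbook step 'Learn': the failing case joins the golden set for good."""
    return golden + [GoldenCase(f"inc-{incident_id}", prompt, expected, f"incident:{incident_id}")]


# Constructed stand-ins for two vendor versions of an invoice-triage model.
_GL = {"office supplies": "GL-6100", "software subscription": "GL-6400", "freight": "GL-5200"}


def model_4_1(prompt: str) -> str:
    return _GL.get(prompt.strip().lower(), "GL-REVIEW")


def model_4_2(prompt: str) -> str:
    """The update learns 'shipping' but silently reclassifies freight."""
    text = prompt.strip().lower()
    if text in ("freight", "shipping"):
        return "GL-6100"  # the regression the gate exists to catch
    return _GL.get(text, "GL-REVIEW")


# Constructed golden set; a real one holds the cases the skill must never get wrong.
GOLDEN = [
    GoldenCase("g01", "Office supplies", "GL-6100"),
    GoldenCase("g02", "Software subscription", "GL-6400"),
    GoldenCase("g03", "Freight", "GL-5200"),
    GoldenCase("g04", "Unknown vendor charge", "GL-REVIEW"),
]

if __name__ == "__main__":
    pin = Pin("ap-invoice-triage", "4.1", "J. Chen")
    pin, result = promote(pin, "4.2", model_4_2, GOLDEN, "J. Chen", print)
    print(f"live: {pin.model_version}, gate: {result.passed}/{result.total}")
```

The caveat the example makes visible: the gate only catches regressions the golden set covers. Had "Freight" not been a golden case, 4.2 would have been promoted and the misrouting would have surfaced in production, which is why the runbook's "Learn" step feeds every incident back into the set rather than fixing the one invoice.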

The AI Incident Runbook

When something goes wrong, nobody improvises.

What separates a contained incident from a board escalation is a runbook written in advance.

01

Classify

Data egress, harmful output, or drift. Three categories — triage takes minutes, not a meeting.

02

Contain

The skill is paused by configuration — one switch, effective everywhere.

03

Root-cause

The audit log answers who, what, when, which version — in minutes.

04

Learn

The failing case joins the eval set permanently. Same failure never ships twice.

05

Disclose

Legal decides notification from a prepared matrix — not from scratch at midnight.

Vendor Concentration

Any AI vendor a critical workflow depends on is a single point of failure.

The continuity discipline you apply to your ERP applies to the model behind your collections desk.

vendor-continuity checklist · 5 / 5

Every AI-dependent workflow rated for what breaks if the vendor disappears

A documented, tested fallback for each critical path

Deprecation notice, pricing caps, data portability — negotiated up front

Model-training opt-outs confirmed in writing

AI vendors folded into existing DR and BCP exercises

The Money

Budget discipline is governance too.

ROI is defined before the pilot, or it’s a story — not a number.

Budget the full cost of adoption

Integration, training, governance, legal review — the license line is usually the smallest number on the page.

ROI defined before the pilot starts

Hours saved, cost avoided, error reduction — agreed in writing before the pilot, never after.

Pilot budget separated from scale budget

Scale dollars release only against proven numbers — a demo doesn’t unlock the second tranche.

A reporting cadence the board can trust

Weekly dashboard, monthly committee review, quarterly board update — shadow spend counted in.

Spend Governance

Cost is a first-class risk. Govern it like one.

Without per-workflow attribution, AI spend silently erodes the margin it was meant to expand.

Per-workflow cost attribution

Every skill invocation carries its cost — expensive workflows visible while they’re still cheap to fix.

Per-function unit economics

Cost per invoice coded, per ticket deflected, per memo drafted — denominators the CFO already thinks in.

Model routing as written policy

Which model handles which tier is a documented decision with caps and alerts.

Anomaly narration

The monthly report explains what moved and why — a number that never surprises the board.

The dials behind these reports live in the telemetry layer.

The Quarterly Board Pack

What the sponsor sees each quarter.

All the machinery above compresses into one document — six items, no appendix.

Quarterly AI program update — contents
01 · Program ROI against the value-creation plan
02 · Adoption and usage trend, by function
03 · Incident summary with resolutions
04 · Spend versus budget, with unit economics
05 · The risk register delta
06 · What’s queued next quarter — and the ask

Five pages the CFO presents without us in the room — that’s the deliverable.

Anchor Frameworks

Aligned to the frameworks buyers now check in diligence.

We anchor to the standards a diligence team looks for — so the answer to “are you aligned” is yes, with evidence.

NIST AI RMF

AI Risk Management Framework

Govern, map, measure, manage — the de facto reference for enterprise AI risk in the US.

ISO/IEC 42001

AI Management System

The certifiable AI management system — alignment now is cheaper than a scramble at exit.

OWASP LLM

OWASP Top 10 for LLM Applications

The security baseline for prompt-injection and output-handling — failure modes unique to language models.

In regulated industries, our validation aligns to bank model-risk guidance (Federal Reserve SR 11-7, issued jointly with the OCC as Bulletin 2011-12). One insurance client’s framework became an audit asset — the examiners asked for a copy.

The Exit Lens

Why the sponsor cares.

The question isn’t whether your AI program gets examined at exit — it’s what the examination finds.

What survives diligence
  • Logged decisions
  • Versioned models
  • Documented human oversight
  • Per-function unit economics
What doesn’t

“A compelling AI narrative” with nothing underneath.

A deck with no evidence trail doesn’t just miss the premium — it invites the haircut.

The whole point

The audit trail you build in month one is the diligence answer you give in year four.

Ready to move

Install the operating model before you need it.

We’ll map your risk tiers, name the owner, and stand up the audit trail — defensible from the first pilot to the exit data room.

Talk to LightCI