AI Organization Operating Model
Version: 1.1.0 Last updated: 2026-07-16 Status: Informative OAIES implementation profile
Purpose
Establish a hybrid platform-and-product model with explicit service ownership and decision rights.
Why
Central standards without embedded delivery become a bottleneck; federation without a platform fragments controls.
When
Use once multiple teams build or operate AI systems.
How
- Charter an AI platform team for gateway, evaluation, observability, approved providers, and standards.
- Embed accountable AI engineers in product teams.
- Create an AI governance forum with engineering, product, security, privacy, legal, risk, and affected-domain representation.
- Publish RACI, service catalog, exception process, and funding model.
- Review portfolio risk, incidents, adoption, and provider health monthly.
Organization design
The AI Platform is a funded internal product, not a standards committee. It owns gateway, approved-provider integration, prompt release, evaluation execution, OpenTelemetry pipelines, cost controls, and common incident tooling with published SLOs. Product teams own use-case outcomes, requirements, local data, evaluation semantics, human workflows, and production service health. Independent assurance must not report to the platform or product owner whose evidence it evaluates.
Decision RACI
A means one accountable role; avoid multiple accountable parties.
| Decision | Executive sponsor | Technology Steering Committee (TSC) | AI platform | Product owner | Engineering owner | Security/privacy/legal | Independent assurance |
|---|---|---|---|---|---|---|---|
| Approve enterprise AI risk appetite | A | R | C | I | I | C | C |
| Admit provider/model to approved catalog | I | A | R | C | C | R | C |
| Approve low-risk use-case launch | I | I | C | A | R | C | I |
| Approve medium-risk launch | I | C | C | A | R | R | C |
| Accept high residual risk / high-impact launch | A | R | C | R | C | R | C |
| Operate shared AI controls | I | I | A/R | C | C | C | I |
| Define task quality and affected-person outcomes | I | I | C | A | R | C | C |
| Issue time-bound exception | A for high | A for medium | R for platform controls | R | C | C | C |
| Pause unsafe production capability | I | I | R | A/R | R | R | I |
| Verify corrective action closure | I | I | C | R | R | C | A |
| Retire use case or provider | A for strategic | R | R | A for use case | C | C | C |
Governance operating cadence
| Forum | Cadence | Quorum | Inputs | Binding outputs |
|---|---|---|---|---|
| TSC | Biweekly; emergency within 24 hours | Chair, platform, product/domain, security; privacy/legal when triggered; assurance attends without owning delivery | Provider qualification, architecture deviations, radar proposals, medium/high exceptions | Approved catalog/radar changes, conditions, owners, expiry |
| AI portfolio review | Monthly | Executive sponsor, finance, product, engineering, risk | Outcome scorecards, incidents, spend forecast, control capacity, remediation debt | Funding changes, expansion/hold/retirement decisions |
| Independent assurance review | Quarterly and pre-launch for high risk | Assurance lead plus qualified reviewer independent of implementation | Sampled evidence packs, control tests, complaints, overrides, provider changes | Findings, severity, due dates, closure criteria |
| Incident learning review | Within five business days of stabilization | Service owner, incident lead, platform, affected control owners | Timeline, trace/release IDs, causal analysis, affected decisions | Corrective actions, golden-set additions, provider requalification |
Minutes record attendees, conflicts, evidence, dissent, decision, accountable owner, due date, expiry/review date, and linked system/provider versions. A meeting is not evidence that a technical control operated.
Funding model
Use a three-part model:
| Funding pool | Pays for | Allocation rule | Guardrail |
|---|---|---|---|
| Enterprise baseline | Gateway, identity, audit, evaluation runner, observability, approved-provider qualification, incident capability, assurance minimum | Annual platform capacity based on portfolio demand and risk | Product teams cannot opt out of baseline controls to reduce local cost |
| Use-case consumption | Model tokens, dedicated environments, use-case datasets/evaluators, domain review, on-call load | Showback from metered use; chargeback only after metric quality is verified | Cost allocation cannot expose individual prompt content or become employee surveillance |
| Risk remediation reserve | Urgent vulnerabilities, regulatory change, provider exit, incident correction, control scaling | Executive-controlled reserve with post-use review | Reserve does not replace sustained ownership funding |
Every approved use case has a total-cost-of-ownership model covering model/provider, evaluation, telemetry, storage, domain labeling, human oversight, incident response, and exit. If required controls are not funded, the release is not approved; the risk is not transferred to the platform team.
Exception governance
exception:
id: AI-EX-2026-014
system_release: sha256:...
control_or_requirement: "specific requirement"
business_need: "why normal compliance is currently impossible"
risk_statement: "scenario, likelihood evidence, impact"
compensating_controls: ["testable control"]
owner: "named accountable role"
approvers: ["authority required by tier"]
issued_at: "UTC timestamp"
expires_at: "maximum approved duration"
telemetry: ["metric and alert proving boundary"]
exit_plan: "remediation or capability shutdown"
Exceptions cannot waive prohibited uses, applicable law, truthful records, incident reporting, or a critical safety/security stop condition. They expire automatically; renewal requires new evidence and an updated remediation plan. The platform enforces machine-testable conditions such as route, tenant, model, token, user cohort, or tool restrictions. Monthly portfolio review publishes counts by control, age, risk, and overdue status.
Service-level objectives
- Gateway availability and policy-decision integrity are separate SLOs; a fast incorrect allow is not availability success.
- Approved prompt/model configuration propagation has an RTO and a tested last-known-good cache.
- Evaluation gate freshness measures time since last successful run against the exact production release.
- Provider requalification freshness pages before approval expires.
- Assurance finding closure tracks risk-weighted overdue days, not raw ticket count.
- Exception exposure tracks requests, users, side effects, and days under exception.
Evidence contract
The decision record is the operating-model charter. It records decision rights; service catalog; funding; intake; RACI; SLOs; assurance calendar; escalation. The CTO or delegated AI executive owns completeness; the evidence is invalid when platform or assurance lacks mandate, capacity, or independence. Organization evidence records mandate, authority, competence, funding, conflicts, decisions, exceptions, metrics, and review cadence.
Failure response and recovery
Trigger: control demand exceeds funded capacity or teams bypass platform boundaries.
Immediate response: prioritize by risk, suspend unsupported launches, and escalate funding decisions. Preserve the operating-model charter, affected trace IDs, timestamps, and decision logs before mutation. Open an incident when users, data, money, authorization, or a release decision may have been affected; closure requires a regression case and verified control change specific to ai organization operating model.
Decision authority
The CTO or delegated AI executive accepts the operational decision. The enterprise risk executive provides independent challenge for high-risk scope, failed gates, or exceptions. Committees may decide only within delegated authority; executives retain risk appetite and funding accountability while independent assurance retains challenge.
Tradeoffs
| Choice | Benefit | Cost |
|---|---|---|
| Hybrid model | Scale with consistency | Coordination overhead |
Anti-patterns
- A central team owning every use case.
- A committee approving designs without technical evidence.
Enterprise considerations
- Board-level risk appetite flows to product controls.
- Separate enablement metrics from risk oversight.
Framework relationship
The AI Organization Operating Model document is an operating aid; effectiveness requires observed decisions, funded controls, and independent evidence rather than the existence of this process.
| Source | Relationship for AI Organization Operating Model | Boundary |
|---|---|---|
| NIST AI RMF | GOVERN 2.1 and 2.3 | Use NIST governance outcomes to test decision rights and accountability in practice. |
| ISO/IEC 42001 | 42001 clauses 5.1 and 7.1 | A documented process supports—but does not itself demonstrate—effective management-system operation. |
| Domain threat/control source | Technical risk owners consume OWASP findings | Test only the threats applicable to the documented system and release |
Checklist
- Every decision has exactly one accountable role in the RACI.
- Platform, product, control, and assurance responsibilities are contractually distinct.
- TSC quorum, conflicts, dissent, and binding outputs are recorded.
- Baseline, consumption, and remediation funding cover full lifecycle cost.
- Unfunded controls stop launch rather than becoming implicit platform debt.
- Exceptions have machine-enforced scope, owner, telemetry, expiry, and exit plan.
- Independent assurance samples evidence and verifies closure without owning implementation.
- Platform SLOs cover policy integrity, release freshness, requalification, and rollback.
References
- NIST, AI RMF 1.0, GOVERN 2–6 (accessed 2026-07-16).
- ISO, ISO/IEC 42001:2023, clauses 5–10 (accessed 2026-07-16). No certification or conformity claim is made.
Changelog
| Version | Date | Change |
|---|---|---|
| 1.1.0 | 2026-07-16 | Added organization design, decision RACI, governance forums, three-part funding, exception schema, assurance independence, and platform SLOs. |
| 1.0.0 | 2026-07-16 | Initial complete profile. |