Agentic systems governance
autonomous AI governance · agent control framework
A control framework for AI systems that act autonomously across multiple steps, tools, or decisions without human intervention at each stage. It defines the boundaries of autonomous action, escalation thresholds, audit logging requirements, and accountability assignment so boards and regulators can inspect what the system did and why.
Why it matters to a board
Without explicit governance boundaries, agentic AI systems create accountability gaps that neither the board nor regulators can readily trace or remediate.
AI governance
regulated AI governance · AI controls framework
The operating model that makes AI adoption practical in regulated environments where model risk, auditability, accountability, and human control are non-negotiable. It covers use-case intake, model risk classification, human-in-the-loop controls, evaluation criteria, and alignment with regulatory expectations such as FCA, PRA, and the AI Act.
Why it matters to a board
Boards without an explicit AI governance model cannot demonstrate to regulators or investors that their AI decisions are controlled, auditable, or reversible.
See also: model risk classification, human-in-the-loop control
Audit evidence model
regulatory evidence pack · audit trail model
A structured approach to capturing, storing, and presenting the documentation that regulators and internal auditors require to verify that data controls are operating as described. It maps each regulatory obligation to a specific data artefact — lineage record, quality check, stewardship log, or classification decision — so evidence can be produced on demand.
Why it matters to a board
An audit evidence model transforms regulatory readiness from a reactive scramble into a standing, inspectable control that reduces supervisory risk.
See also: data lineage, data stewardship
BCBS239 remediation
BCBS 239 · risk data aggregation remediation · RDARR
The programme of work required to bring a bank's risk data aggregation and reporting capabilities into alignment with the Basel Committee's Principles for Effective Risk Data Aggregation and Risk Reporting. It typically involves identifying Critical Data Elements across finance and risk, resolving quality and lineage gaps, and building inspectable controls the regulator can examine.
Why it matters to a board
Non-compliance with BCBS239 creates direct supervisory exposure, undermines board confidence in risk numbers, and blocks regulatory clearance for strategic transactions.
See also: Critical Data Elements, data lineage
Build vs buy strategy
make vs buy · platform sourcing strategy
A structured decision process for determining which data platform capabilities to develop internally and which to procure from vendors. It weighs total cost of ownership, competitive differentiation, integration complexity, and long-term vendor dependency against the speed and maturity that commercial products deliver. The output is a sequenced architecture and vendor governance plan.
Why it matters to a board
Poorly governed build-versus-buy decisions lock organisations into expensive platforms or custom builds that cannot scale without disproportionate investment.
Commercial analytics
commercial data products · revenue analytics
Data products and reporting capabilities designed around the decisions that drive revenue, margin, pricing, client retention, and operating efficiency. Unlike general-purpose BI, commercial analytics is built backwards from a specific commercial question — such as underwriting profitability or customer churn — and owned by the business leaders who act on the insight.
Why it matters to a board
Boards that lack commercial analytics aligned to actual decisions tend to receive volumes of reporting that cannot be translated into targeted corrective action.
See also: data product, decision-grade data
Critical Data Elements
CDEs · critical data fields
The finite set of data fields that are essential to a specific regulatory, risk, or commercial decision. Identifying and certifying CDEs is the foundation of any data quality programme because it focuses remediation effort on the data that actually matters. Quentin has documented experience deploying Microsoft Purview plans across more than 500 Critical Data Elements.
Why it matters to a board
Boards cannot provide credible assurance on regulatory reporting or commercial decisions until the Critical Data Elements underlying those outputs are identified, owned, and quality-certified.
See also: data quality remediation, BCBS239 remediation
Data catalogue
data catalog · enterprise data catalogue · metadata catalogue
A searchable inventory of an organisation's data assets that captures metadata, ownership, classification, lineage, and quality status for each dataset or data element. A well-maintained catalogue allows business leaders, data teams, and regulators to understand what data exists, where it came from, who is responsible for it, and whether it is fit for a specific use.
Why it matters to a board
Without a data catalogue, boards cannot answer basic governance questions about where key figures originate, who owns them, or whether they have been quality-checked.
See also: data lineage, data stewardship
Data governance
enterprise data governance · data governance framework
The operating model that establishes ownership, accountability, and decision rights over an organisation's data assets. Effective governance replaces ad-hoc data management with stewardship, metadata, lineage, and quality controls that boards, auditors, and business leaders can inspect. It is the foundation on which regulatory compliance and commercial data confidence are built.
Why it matters to a board
Data governance is the mechanism through which a board can hold the organisation accountable for the quality and integrity of the information used to make consequential decisions.
See also: data governance forum, data stewardship, data catalogue
Data governance forum
data governance council · data and AI governance working group
A standing committee or working group with a defined charter, membership, decision rights, and escalation path that governs data policy, resolves ownership disputes, approves quality standards, and provides board-level accountability for data controls. The forum is the primary mechanism for translating data governance policy into consistent operational behaviour across business lines and functions.
Why it matters to a board
A chartered data governance forum gives the board a single accountable body responsible for data quality standards, rather than diffused ownership with no clear point of escalation.
See also: data governance, data stewardship
Data lineage
data provenance · data traceability
A traceable record of where a data element originated, how it was transformed, and which reports, models, or decisions it feeds. Lineage allows a data team to answer the question a regulator or auditor will inevitably ask: where did this number come from? Without lineage, organisations cannot confidently certify data quality or explain discrepancies in regulatory submissions.
Why it matters to a board
Data lineage is what converts a claim of data quality into inspectable evidence a regulator can examine and an auditor can verify.
See also: data catalogue, audit evidence model
Data product
data asset · analytical data product
A curated, owned, and quality-assured dataset or analytical output designed to serve a specific business decision or operational use case. Unlike a raw report, a data product has defined ownership, documented inputs, quality contracts, and a lifecycle. Examples include an underwriting data product, a workforce analytics product, or a finance performance dataset used in board reporting.
Why it matters to a board
Data products give boards a governed, reliable layer between raw platform data and the decisions executives make, replacing fragile one-off extracts with accountable infrastructure.
See also: single source of truth, decision-grade data
Data quality remediation
data quality improvement · DQ remediation programme
A structured programme of identifying, measuring, and correcting data quality defects — including completeness failures, accuracy errors, consistency gaps, and timeliness issues — across the data elements that matter most to regulatory and commercial decisions. Remediation combines process controls, system fixes, ownership assignment, and ongoing monitoring to sustain quality over time.
Why it matters to a board
Unaddressed data quality issues accumulate into regulatory citations, commercial mispricing, and executive decisions made on numbers the organisation cannot defend.
See also: Critical Data Elements, data stewardship
Data stewardship
data ownership · data steward role
The practice of assigning named individuals or roles as accountable owners of specific data domains, datasets, or Critical Data Elements. Stewards are responsible for defining quality standards, resolving data issues, maintaining metadata, and representing their domain in governance forums. Stewardship converts abstract governance policy into day-to-day operational accountability.
Why it matters to a board
Without named stewards, data governance frameworks collapse into shared responsibility with no clear owner when quality fails or a regulator asks who certified a figure.
See also: data governance forum, data catalogue
Decision-grade data
decision-ready data · executive data
Data that has been designed, governed, and quality-assured specifically to support a named executive or regulatory decision. Decision-grade data is not simply accurate data — it also has documented ownership, clear lineage, known limitations, and is presented in the format and timeliness the decision-maker actually requires. Technically correct data that arrives late or is poorly framed is not decision-grade.
Why it matters to a board
When data is not decision-grade, executives receive technically correct reports that still cannot support the commercial or governance call they need to make.
See also: data product, single source of truth
Enterprise data strategy
data strategy · organisational data strategy
A board-level plan that defines how an organisation will treat data as a managed asset aligned to commercial, regulatory, and operational objectives. It sets direction on governance, platform architecture, data quality, talent, and investment sequencing. An effective enterprise data strategy translates the organisation's ambitions into a tractable, time-sequenced programme with clear ownership.
Why it matters to a board
Boards without an explicit enterprise data strategy cannot prioritise data investment against competing demands or provide credible assurance to regulators and investors.
See also: data governance
Human-in-the-loop control
human oversight control · HITL control
A governance design that requires a qualified human to review, approve, or override an AI system's output before it is acted upon in a regulated or high-stakes context. Human-in-the-loop controls define the trigger conditions, the role responsible for review, the evidence the reviewer must examine, and the escalation path if the AI output is rejected or uncertain.
Why it matters to a board
Regulators in financial services increasingly expect documented human oversight of material AI decisions; absent these controls, firms risk enforcement action and reputational harm.
See also: AI governance, model risk classification
MI governance
management information governance · reporting governance
The set of controls, ownership assignments, and review processes that ensure management information is accurate, consistent, timely, and aligned to the decisions it is meant to support. MI governance defines who produces each report, who approves the metric definitions, how often the data is validated, and what happens when a figure is challenged by the board or a regulator.
Why it matters to a board
MI governance is what separates a board pack that can be relied upon from one that is contested, re-stated, or quietly set aside when decisions get hard.
See also: decision-grade data, single source of truth
Model risk classification
AI model risk rating · model tiering
The process of assessing and categorising an AI or analytical model according to the potential harm its outputs could cause if they are wrong, biased, or misapplied. Classification determines the validation rigour, human oversight level, monitoring frequency, and approval pathway required before a model can be deployed or used in a regulated decision context.
Why it matters to a board
Without a formal model risk classification process, organisations deploy AI tools at inconsistent risk levels, creating uncontrolled exposure that regulators will identify during review.
See also: AI governance, human-in-the-loop control
Single source of truth
SSOT · golden record · authoritative data source
A design principle in which a specific, authoritative dataset is designated as the canonical version of a given metric or data element, with all other systems and reports deriving from it rather than maintaining independent copies. Achieving a single source of truth for key commercial and regulatory figures eliminates the reconciliation debates that erode board confidence in the data estate.
Why it matters to a board
Contested numbers at board level are almost always a symptom of missing single sources of truth; each competing version represents a governance failure with regulatory and commercial consequences.
See also: decision-grade data, data product
Use-case intake
AI use-case approval · model intake process
A formal process for evaluating and approving proposed AI applications before development or deployment begins. Intake captures the business objective, the data sources required, the decision the AI will influence, the potential for harm or bias, and the regulatory implications. It is the first control gate in a model risk governance process and prevents uncontrolled proliferation of AI tools across a regulated organisation.
Why it matters to a board
A governed use-case intake process gives the board visibility and veto rights over AI adoption before risks are embedded in production systems.
See also: AI governance, model risk classification