AI governance often gets caricatured as bureaucracy that slows teams down. Done well, it is the opposite: a clear set of controls that lets you deploy AI confidently because you know the risks are handled. The trouble is that these controls are easy to skip in the rush to ship and painful to retrofit after an incident. This is a practical, category-by-category checklist to run before an enterprise AI system reaches production.
Governance foundations: ownership and policy
Governance starts with clarity about who is accountable and what the rules are. Every AI system in production needs a named owner responsible for its behavior, cost, and risk — not a committee, a person. You need an inventory of your AI systems and the models they use, an acceptable-use policy that tells teams what is and is not allowed, and an approval process proportionate to risk so a low-stakes internal tool is not gated like a customer-facing financial one.
This foundation is what turns AI from a scatter of shadow experiments into a governed capability. Without it, you cannot answer basic questions a regulator or your own board will eventually ask: what AI are we running, who owns it, and how did we decide it was safe. Establish a risk-tiering scheme early so the rest of the checklist scales with stakes rather than applying uniformly.
- A named owner accountable for each production AI system.
- An inventory of AI systems and the models they use.
- An acceptable-use policy and a risk-proportionate approval process.
Data governance and privacy
AI systems are data systems, and most AI risk is data risk. Before deployment, confirm you know what data flows into the system, classify it by sensitivity, and ensure sensitive data (PII, PHI, financial records, secrets) is handled within the appropriate compliance boundary. For regulated data that means in-boundary model deployment — Azure OpenAI or Amazon Bedrock on private endpoints, or self-hosted — never a public API that has not met your data terms.
Enforce data minimization: do not feed the model more than the task requires, and redact or exclude sensitive fields where possible. Verify data-residency requirements are met, that you have a lawful basis for the processing, and that retention and deletion policies cover prompts, outputs, and logs. Prompts and completions frequently contain sensitive data and are easy to over-retain in logging systems nobody classified.
- Classify all data entering the system and keep sensitive data in-boundary.
- Minimize and redact — feed the model only what the task needs.
- Confirm residency, lawful basis, and retention/deletion for prompts, outputs, and logs.
Access control and the security perimeter
AI systems, especially agents with tools, are a security surface that must inherit your existing controls rather than bypass them. Retrieval must be entitlement-aware so the system only surfaces data the requesting user is permitted to see — enforced in the retrieval layer, before text enters the prompt, never as a post-hoc instruction the model might ignore. Agent tools must be scoped to least privilege, with destructive actions gated behind approval.
Treat every AI service and MCP server as an internet-facing API with elevated privileges: authenticate and authorize per user, propagate real identity so the system enforces the user's actual entitlements, and run it behind your gateway with your standard secrets management and network policy. Manage secrets and model credentials as you would any high-value credential, with rotation and no hard-coding.
Model and application security
LLM applications have their own threat classes on top of ordinary appsec. Prompt injection is the headline: untrusted input — user messages, retrieved documents, tool results — can try to override your instructions or misuse a tool. Defend by separating and labeling untrusted content, validating and sanitizing all tool arguments, and never passing model output straight into a shell, query, or file path. Treat model output that drives an action as untrusted until validated.
Cover the rest of the surface: guard against sensitive-information disclosure and system-prompt leakage, rate-limit to prevent abuse and denial-of-wallet attacks, and bound agent behavior with recursion and token budgets so a runaway loop cannot drain your budget or hammer a downstream system. Frameworks like the OWASP Top 10 for LLM applications are a useful checklist to review your design against before go-live.
- Defend against prompt injection: separate untrusted input, validate tool args, never execute raw model output.
- Prevent data and system-prompt leakage; rate-limit against abuse and denial-of-wallet.
- Bound agents with recursion and token budgets and circuit breakers on external calls.
Safety, quality, and evaluation controls
A system can be secure and still unsafe if it produces harmful, biased, or confidently wrong output. Before deployment, have an evaluation suite that measures the quality dimensions that matter for your use case — accuracy, and for RAG, faithfulness and citation accuracy — plus content-safety guardrails on inputs and outputs appropriate to your audience. Test for bias and fairness where the system makes or influences decisions about people.
Ensure the system fails safe: an explicit refuse-or-escalate path when confidence or grounding is insufficient, so it says 'I don't know' rather than fabricating. Keep a human in the loop on consequential decisions. These controls are the difference between a system that occasionally admits uncertainty and one that occasionally causes a harmful, unretractable error at scale.
Observability, auditability, and incident readiness
You cannot govern what you cannot see. Before production, instrument tracing across the system — per-request inputs, outputs, model version, tool calls, latency, and token cost — and put quality, latency, and cost on dashboards with alerts. For agents and regulated workloads, maintain an immutable audit log tying user, action, arguments, and result together so you can reconstruct what happened months later when someone asks.
Prepare for the incident you hope never comes. Define what constitutes an AI incident, who responds, and how you contain it — the ability to disable a feature fast via a flag is a genuine control. Plan for a model or prompt rollback like any deploy. In our experience the teams that recover gracefully from an AI incident are the ones who wired in observability and a kill switch before they needed them, not after.
- End-to-end tracing with quality, latency, and cost dashboards and alerts.
- Immutable audit logs linking user, action, and result for consequential systems.
- A defined incident process, a fast feature kill switch, and a model/prompt rollback plan.
Regulatory alignment and ongoing review
Governance is not a one-time gate. Map your systems to the regulatory landscape that applies — sector rules like HIPAA or financial model-risk frameworks such as SR 11-7, and horizontal regimes like the EU AI Act's risk tiers where relevant — and document how each obligation is met. Higher-risk systems warrant heavier controls, formal documentation, and more frequent review; low-risk ones should not be smothered in the same process.
After go-live, review periodically: models drift and update, data changes, threats evolve, and regulations move. Re-run your evaluation suite, revisit access and data controls, and confirm the audit trail still holds. The goal of this whole checklist is not to slow deployment but to make it confident and repeatable — a standard path that lets teams ship AI quickly because the risks are known and handled rather than discovered in production.
Key takeaways
- 1.Every production AI system needs a named owner, an inventory entry, and risk-proportionate approval before launch.
- 2.Most AI risk is data risk: classify data, keep sensitive data in-boundary, minimize, and control residency and retention.
- 3.Enforce entitlement-aware retrieval and least-privilege tools, and defend against prompt injection and denial-of-wallet.
- 4.Ship only with an evaluation suite, content-safety guardrails, a fail-safe refuse/escalate path, and human oversight on consequential decisions.
- 5.Wire in tracing, immutable audit logs, a kill switch, and a rollback plan, then review periodically against evolving models, threats, and regulations.