Your AI Centre of Excellence Is a Governance Mirage
Most AI CoEs produce frameworks nobody reads, dashboards nobody trusts, and approval gates nobody can explain. The fix is structural, not procedural.
Five days ago, Gartner published a prediction that should make every AI steering committee uncomfortable: by 2027, forty per cent of enterprises will demote or decommission autonomous AI agents because governance gaps were identified only after production incidents. Not before. After.
The proximate cause, according to Gartner, is uniform governance: the same controls applied to every AI agent regardless of its autonomy level. Over-restrict the simple ones and you get shadow development. Under-restrict the autonomous ones and you get incidents that reach the board before the risk committee hears about them.
Two months earlier, Singapore MAS concluded phase two of Project MindForge and published an AI Risk Management Toolkit with a consortium of twenty-four banks, insurers, and capital market firms. The Toolkit’s centrepiece is an Operationalisation Handbook, practical guidance for implementing the AI risk management framework MAS proposed in its November 2025 consultation paper. The implicit message: MAS does not believe the industry can operationalise AI governance from first principles alone. It commissioned the handbook because the gap between governance-on-paper and governance-in-practice was wide enough to require a structured bridge.
These two events, read together, say the same thing from different angles.
The governance most organisations have built for AI is not wrong in intent.
It is wrong in structure.
The differentiation
The consensus response to AI governance gaps is predictable: more policy, more review gates, more framework documents. Every consultancy in the region is selling “AI governance maturity assessments” that produce colour-coded matrices and recommend additional layers of oversight.
This essay argues the opposite. The problem is not insufficient governance. The problem is that most AI Centres of Excellence have optimised for the appearance of governance — artefacts that satisfy audit questions — rather than for the operational capacity to make and track consequential decisions about AI in production.
The distinction matters because governance artefacts and governance capacity produce entirely different organisational behaviours. One produces documents. The other produces decisions.
Thesis
The most dangerous AI governance is the kind that looks good in a board deck but cannot answer three questions: what is in production, what risk does each carry, and who decided.
What is inside
- Why the “centre of excellence” model defaults to governance theatre — the structural incentives that make artefact-production easier than decision-making
- A three-tier operating model — what to fix on Day 1 (mandate and taxonomy), Week 1 (operating rhythm), and Month 1 (capability transfer) — with specific artefacts for each
- The proportional governance principle — why uniform controls fail and what risk-proportionate review actually looks like in a regulated environment
- A diagnostic you can run on Monday — four questions that reveal whether your AI CoE is governing or performing
The framework: Day 1 / Week 1 / Month 1
Day 1 — Mandate clarity and risk taxonomy
The single highest-leverage fix for a struggling AI CoE is not a new framework. It is a clear, written mandate that answers four questions: which decisions the CoE makes (not “advises on” but *makes*), which decisions require escalation, who is accountable for each decision class, and what happens when someone bypasses the process.
Most CoE charters answer none of these. They describe the CoE’s purpose in aspirational terms — “accelerate AI adoption,” “ensure responsible AI,” “drive innovation” — without specifying decision rights. A charter that says “ensure responsible AI” is a mission statement. A charter that says “the CoE approves or rejects all AI deployments that interact with customer data, with escalation to the CRO for any model that influences pricing or underwriting decisions” is a governance mandate. The difference is the difference between decoration and authority.
The universal pattern. Decision rights are the irreducible foundation of governance. Without explicit decision rights, a governance function defaults to advisory — and advisory functions get bypassed the moment they slow delivery.
The regulated-industries manifestation. In financial services and insurance, the MAS AI Risk Management Guidelines (proposed November 2025) expect boards and senior management to establish “frameworks, structures, policies and processes for AI risk management.” The critical word is *structures* — MAS is not asking for documents alone. It is asking for organisational design that assigns accountability. The MindForge Toolkit reinforces this: its Operationalisation Handbook walks through governance structures precisely because policy documents alone were insufficient across the twenty-four-firm consortium.
Your translation. Pull your CoE charter. If it does not specify which decisions the CoE owns, which it escalates, and what the consequence of bypass is, it is not a governance document. It is a brochure. The people who need to care about this are the CoE lead, the CTO, and the CRO. If any of them cannot recite the decision rights from memory, the mandate is not operational.
What to build. A one-page decision-rights matrix: rows are decision types (new deployment, model update, data source change, vendor integration, exception request), columns are CoE authority level (approve, escalate, advise, inform). Circulate it to every AI project lead. If someone is surprised by what is on it, the mandate was not previously clear.
The second Day 1 action is a risk taxonomy that is actually used. Not a risk register — a taxonomy. The distinction: a risk register is a compliance artefact that catalogues individual risks. A taxonomy is a classification system that determines how every AI initiative is governed from its first week.
The universal pattern. Proportional governance requires a classification scheme. Without it, every initiative receives the same scrutiny — which means either too much friction for low-risk tools or too little scrutiny for high-risk deployments. This is precisely the failure mode Gartner identified: “Enterprises are treating AI agent governance as binary — either locked down or fully trusted.”
The regulated-industries manifestation. Singapore MAS’s proposed guidelines distinguish between AI used in customer-facing or regulated activities and AI used in internal operations. The former is subject to “more exacting standards around explainability, fairness, human oversight and testing.” This is not a suggestion to treat all AI the same. It is an explicit instruction to differentiate. Yet a surprising number of AI CoEs in the region apply a single review process to everything from an internal document-summarisation tool to a customer-facing underwriting model.
Your translation. If your review process for a Slack bot takes the same calendar time as your review for a credit-decisioning model, your taxonomy is not functioning. The roles affected: AI project leads (who will finally understand why some projects move faster), the risk function (who gains a defensible basis for proportional review), and the CoE itself (which stops drowning in low-risk approvals).
What to build. A three-tier classification:
- Tier 1: internal, no customer data, no regulated decision. Fast-track review, CoE informed.
- Tier 2: customer-adjacent or uses sensitive data. Standard review, CoE approves.
- Tier 3: customer-facing, regulated decision, or autonomous action. Full review, CRO escalation.
Map every current AI initiative to a tier. The mapping exercise alone will reveal initiatives that have never been classified.
Week 1 — Operating rhythm and proportional review
Governance without cadence is governance without memory. A CoE that meets quarterly to review AI initiatives is not governing — it is auditing, badly, with a three-month lag.
The universal pattern. The operating rhythm of a governance function determines its relevance. Too infrequent, and decisions are made without it. Too frequent with too broad a scope, and it becomes a bottleneck that teams route around. The design challenge is matching cadence to decision velocity.
The regulated-industries manifestation. AI deployment cycles in regulated financial services are accelerating — particularly with agentic AI, where a new agent can move from prototype to production in weeks, not quarters. A quarterly governance cadence designed for traditional model risk management cannot keep pace. The MindForge consortium’s experience underscores this: the Toolkit exists partly because the gap between deployment speed and governance speed had become a structural problem across multiple institutions.
Your translation. Redesign the CoE operating rhythm around three cadences: weekly triage (fifteen minutes — new requests classified by tier, blockers surfaced), monthly deep review (Tier 2 and 3 initiatives reviewed against risk taxonomy, decisions recorded), and quarterly portfolio review (full AI portfolio mapped against strategic objectives, retirement candidates identified). The weekly triage is the critical addition. Without it, the CoE learns about new AI initiatives only when they are already in production or already in trouble.
What to build. A single-page operating rhythm document specifying: who attends each cadence, what is reviewed, what decisions are made (not discussed — made), and where decisions are recorded. Publish it. If the rhythm document does not exist, neither does the rhythm.
The second Week 1 action: implement proportional review that the organisation actually respects. This means review depth scaled to risk tier, with explicit cycle-time targets for each tier.
The universal pattern. Proportional review fails when it exists in policy but not in practice. The most common failure: Tier 1 reviews that take three weeks because the process was designed for Tier 3. Teams learn that the CoE adds three weeks to everything, and they stop submitting. Shadow AI accelerates. The CoE’s portfolio view becomes incomplete. Governance degrades precisely because the governance process was too heavy.
The regulated-industries manifestation. MAS’s expectation of board and senior management oversight does not mean every AI deployment requires board attention. It means the governance structure must ensure appropriate oversight reaches the appropriate level. A well-functioning proportional review gives the board confidence that Tier 3 initiatives are rigorously governed, while Tier 1 initiatives move at a pace that discourages bypass.
Your translation. Set explicit cycle-time commitments: Tier 1 classification confirmed within 48 hours, Tier 2 review completed within two weeks, Tier 3 review completed within four weeks with CRO sign-off. Publish these targets. Measure against them. If the CoE consistently misses Tier 1 targets, the process is too heavy. If it consistently clears Tier 3 in under a week, the review is too shallow. Both are governance failures, just in different directions.
What to build. A proportional review protocol with documented cycle-time targets, escalation triggers, and a bypass-reporting mechanism. The bypass report is not punitive — it is diagnostic. If teams are bypassing, the process has a design flaw. Fix the process, not the teams.
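The three-tier rules above and the cycle-time targets for each tier are simple enough to encode, and doing so turns the register from a spreadsheet into something that can be checked on every weekly triage. The following is an added example written for this essay, not a tool from the author, MAS or Gartner. It assumes the tier triggers exactly as listed (Tier 3 wins over Tier 2, which wins over Tier 1), the 48-hour / two-week / four-week targets, and a constructed register of four initiatives; the initiative names, dates and approvers are invented for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review authority per tier, as described in the three-tier classification.
REVIEW_AUTHORITY = {
    1: "fast-track review, CoE informed",
    2: "standard review, CoE approves",
    3: "full review, CRO escalation",
}

# Cycle-time targets per tier (assumed from the essay's 48h / 2 weeks / 4 weeks).
# For Tier 1 the clock measures classification confirmation, not a full review.
CYCLE_TIME_TARGET = {
    1: timedelta(hours=48),
    2: timedelta(weeks=2),
    3: timedelta(weeks=4),
}


@dataclass
class Initiative:
    name: str
    customer_facing: bool = False
    regulated_decision: bool = False   # pricing, underwriting, credit, etc.
    autonomous_action: bool = False    # agent acts without a human in the loop
    customer_adjacent: bool = False
    uses_sensitive_data: bool = False
    recorded_tier: Optional[int] = None  # what the register currently says
    approver: Optional[str] = None       # a named individual, not a mailbox
    submitted: Optional[date] = None
    decided: Optional[date] = None


def classify(i: Initiative) -> int:
    """Apply the tier decision tree, highest-risk trigger first."""
    if i.customer_facing or i.regulated_decision or i.autonomous_action:
        return 3
    if i.customer_adjacent or i.uses_sensitive_data:
        return 2
    return 1


def audit(register: list[Initiative], today: date) -> dict[str, list[str]]:
    """Flag the gaps the Monday diagnostic looks for: no tier, wrong tier,
    no named approver, and reviews running past their tier's target."""
    findings: dict[str, list[str]] = {
        "unclassified": [], "misclassified": [], "no_approver": [], "overdue": []
    }
    for i in register:
        tier = classify(i)
        if i.recorded_tier is None:
            findings["unclassified"].append(i.name)
        elif i.recorded_tier != tier:
            findings["misclassified"].append(
                f"{i.name}: recorded Tier {i.recorded_tier}, rules say Tier {tier}")
        if not i.approver:
            findings["no_approver"].append(i.name)
        if i.submitted is not None:
            # An undecided request keeps accruing time until today.
            elapsed = (i.decided or today) - i.submitted
            target = CYCLE_TIME_TARGET[tier]
            if elapsed > target:
                findings["overdue"].append(
                    f"{i.name}: Tier {tier} at {elapsed.days} days "
                    f"against a {target.days}-day target")
    return findings


def sample_register() -> list[Initiative]:
    """Constructed sample data; names, dates and approvers are invented."""
    d = date
    return [
        Initiative("Meeting-notes summariser", recorded_tier=1, approver="A. Lim",
                   submitted=d(2026, 3, 2), decided=d(2026, 3, 3)),
        Initiative("Claims triage assistant", customer_adjacent=True,
                   uses_sensitive_data=True, recorded_tier=1, approver="C. Wong",
                   submitted=d(2026, 3, 2), decided=d(2026, 3, 10)),
        Initiative("Motor underwriting model", customer_facing=True,
                   regulated_decision=True, submitted=d(2026, 2, 1)),
        Initiative("Slack helpdesk bot", recorded_tier=1, approver="B. Tan",
                   submitted=d(2026, 3, 2), decided=d(2026, 3, 9)),
    ]


def run_audit(today: date = date(2026, 3, 16)) -> dict[str, list[str]]:
    return audit(sample_register(), today)


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(category, items)
```

Two of the findings illustrate the essay's point that governance fails in both directions: the underwriting model is unclassified, unapproved and six weeks into a four-week Tier 3 window, while the helpdesk bot took a week to clear a 48-hour Tier 1 gate, which is exactly the friction that drives teams to bypass the CoE.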
Month 1 — Capability transfer and federated enablement
A CoE that hoards governance capability is a bottleneck by design. The Month 1 objective is building the organisational muscle for governance to operate at the edge — in the business units, in the project teams — without the CoE being in the room.
The universal pattern. Centralised governance scales linearly with headcount. Federated governance scales with organisational capability. The transition from centralised to federated is the maturity move that separates CoEs that accelerate from CoEs that obstruct. But federation without standards is fragmentation. The CoE’s role shifts from gatekeeper to standard-setter and auditor.
The regulated-industries manifestation. In multi-jurisdictional regulated environments — Singapore, Hong Kong, Bermuda, Dubai — the federated model is not optional. Each jurisdiction has distinct regulatory expectations. A Singapore-centric CoE that attempts to centrally govern AI deployments in Hong Kong under MAS-only standards will either slow Hong Kong delivery to a crawl or, more likely, be ignored entirely. The MindForge Toolkit, notably, was built by a multi-institution consortium — an implicit acknowledgment that governance standards must be developed collaboratively across organisational boundaries, not imposed from a single centre.
Your translation. Identify two to three business units with active AI delivery. Embed a governance liaison from the CoE (or train an existing team member) who can perform Tier 1 classifications and initial Tier 2 assessments locally. The CoE retains Tier 3 authority and audit rights. This is not delegation of responsibility — it is distribution of capability with retained accountability. The CTO and business unit heads need to agree on this model explicitly, because it changes who does the work without changing who carries the risk.
What to build. A capability-transfer package: the risk taxonomy (from Day 1), the proportional review protocol (from Week 1), a classification decision tree (if X, then Tier Y), and a quarterly self-assessment template that each federated unit completes for CoE review. The self-assessment is not optional. It is the mechanism that prevents federation from becoming fragmentation.
This framework also applies beyond financial services. Any organisation in a regulated industry — pharmaceutical, energy, telecommunications, defence, healthcare — deploying AI at scale faces the same structural tension between centralised governance and operational speed. The proportions change; the architecture does not.
A note on confidence
The structural argument — that governance artefacts and governance capacity are different things — is confirmed by the pattern across every AI CoE engagement this author has observed and by the MindForge consortium’s decision to build an operationalisation handbook rather than another policy template. The three-tier classification scheme is a strong inference from regulatory expectations (MAS, HKMA) and Gartner’s proportional governance recommendation, but the specific tier boundaries will vary by organisation. The cycle-time targets (48 hours, two weeks, four weeks) are design hypotheses calibrated to regulated FS delivery cadences — they should be tested and adjusted, not adopted as gospel. The capability-transfer model is well-established in mature organisations but remains aspirational for most AI CoEs currently operating in the APAC region.
The diagnostic worth running
Here is a pattern worth examining. Ask your AI CoE lead to produce, within one hour, a complete list of every AI initiative currently in production across the organisation. Not in development. In production. Classify each by risk tier. Name the individual who approved each deployment.
The result is reliably instructive. In the engagements this author has seen, thirty to fifty per cent of AI initiatives in production have never been formally classified. Approval records, where they exist, point to email threads rather than decision logs. And the list itself is almost always incomplete, because initiatives that bypassed the CoE are, by definition, not in the CoE’s portfolio view.
This is not an indictment of the people running the CoE. It is an indictment of the structure they were given to work with. A CoE without decision rights, without a risk taxonomy, and without an operating rhythm that matches deployment velocity will produce exactly this result — regardless of the talent operating it.
The tool that makes this operational
Reading about governance architecture is useful. Knowing which parts of your current structure are missing is what changes what you build next week. The Prompt Kit does that work — four sequenced prompts that walk from mandate audit through risk taxonomy design, operating rhythm specification, to capability-transfer planning. Each prompt is designed to surface the specific gap in your current governance structure and produce the artefact that closes it.
The first prompt audits your existing CoE charter against the decision-rights framework described above. The fourth produces the capability-transfer package for your first federated unit. Run them in sequence. The output is not a report — it is the governance infrastructure itself.
The close
Here is a diagnostic to run before your next steering committee. Pull up your AI CoE’s last board-ready governance report. Count the number of pages dedicated to frameworks, policies, and maturity models. Now count the number of pages that answer these three questions: what AI is in production today, what risk tier is each initiative classified under, and who specifically approved each one.
If the ratio is more than three to one in favour of frameworks over decisions, your CoE is governing the idea of AI. Not the reality of it.
The good news: the fix is structural, not cultural. Decision rights, risk taxonomy, proportional review, operating rhythm, capability transfer. Five components. Each one buildable. Each one measurable. The hard part is admitting that the current structure, however professionally it presents, is not yet doing the work it was designed to do.
That admission, in the author’s experience, is the actual Day 1.
This essay accompanies the AI CoE Governance Architecture Prompt Kit: four prompts to run the diagnostic against your own AI delivery program.
Download it alongside this essay on Regulated Intelligence.
If you are leading an AI Centre of Excellence in a regulated environment and recognise the pattern described here — governance artefacts that satisfy audits but do not drive decisions — a structured outside read on mandate design, risk taxonomy calibration, and operating rhythm can compress months of iteration into weeks. I take one such conversation per month. Mention it in your reply.
Replies to this post reach me directly. I read all of them.