AEGIS · Diagnostic Engagement
Artifact D.3
90-Day Governance Roadmap
The phase-by-phase delivery plan that converts the diagnostic findings into a governed AI operating model in 12 weeks.
- Client: [CLIENT NAME]
- Engagement: [ENGAGEMENT ID]
- Version: v1.0
- Issued: 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose & How to Use
Intent — Give the Executive Sponsor and the Council a single, contract-grade roadmap they can hold TechFides — and themselves — accountable to. This is not a plan of intentions. It is a delivery commitment with gated evidence.
The roadmap converts the findings from the 2-week diagnostic (Stakeholder Interviews, Shadow AI Scan, 6-Layer Gap Assessment) into a 90-day execution sequence. Each phase ends at a gate that must be passed on evidence — not intent — before the next phase begins.
Use this document three ways: (1) as the Statement of Work backbone signed at engagement kickoff; (2) as the weekly steering committee agenda; (3) as the evidence log the board will review at the 90-day handover.
Engagement Shape
Intent — Name the structure before naming the weeks. The shape is four phases, five gates, one steering committee.
Phase A
Stand Up · Weeks 1–5
Authority, visibility, and the policy baseline. Ends with Gate B (Risk Surface Mapped).
Phase B
Harden · Weeks 6–8
Incident readiness, shadow AI closure, spend instrumentation. Ends with Gate C (Incident-Ready).
Phase C
Scale · Weeks 9–10
Governed workflows, prompt library, SOP rewires. Ends with Gate D (Production Workflows).
Phase D
Handover · Weeks 11–12
Cadence, training, executive and board reporting. Ends with Gate E (Handover Certified).
Phase-by-Phase Plan
Intent — For each week block: theme, objectives, artifacts produced, the gate that closes it, stakeholders on the hook, and the risks that most often derail it.
Phase A · Stand Up
Weeks 1–2
Objectives
- Charter the AI Governance Council and confirm decision rights.
- Ratify AI Acceptable Use Policy v1.0 across the organization.
- Stand up the AI Inventory as the single source of truth for AI systems, tools, and agents.
Artifacts Produced
- 1.1 AI Acceptable Use Policy · Owner: General Counsel + TechFides
- 1.2 RACI for AI Decisions · Owner: Executive Sponsor
- 3.1 AI Inventory Dashboard (initial load) · Owner: TechFides + IT
Gate A — Authority Established
- AI Governance Council charter signed by CEO / Executive Sponsor.
- Acceptable Use Policy published and acknowledged by 100% of in-scope employees.
- AI Inventory loaded with Shadow AI Scan findings and at least 95% SaaS coverage.
On the Hook
- Executive Sponsor (decision-maker)
- General Counsel (policy owner)
- CISO / Head of IT (inventory + control owner)
- HR (acknowledgment rollout)
Typical Derailers
- Policy scope too narrow — excludes agentic AI or customer-facing AI.
- Inventory captured once and never refreshed — becomes stale inside 60 days.
- Council composition missing operating unit leaders — decisions lack field context.
Phase A · Stand Up
Weeks 3–5
Objectives
- Publish the Data Classification standard and AI Data Map.
- Complete Vendor & Tool Risk Assessments for all P0 and P1 AI systems.
- Populate the AI Risk Register with quantified, owned risks.
Artifacts Produced
- 2.1 Data Classification & AI Data Map · Owner: CISO
- 2.2 Vendor & Tool Risk Assessments · Owner: Procurement + CISO
- 1.3 AI Risk Register · Owner: Risk / Compliance
Gate B — Risk Surface Mapped
- Data Classification standard approved; all P0 AI systems have a data flow diagram.
- Vendor assessments complete for every P0/P1 tool; P2/P3 backlog scheduled.
- Risk Register contains at least 15 quantified risks with named owners and due dates.
On the Hook
- CISO (standard + vendor review)
- Procurement (contract gating)
- Data Protection Officer / Privacy
- Operating unit leads (flow validation)
Typical Derailers
- Vendor assessments become a paperwork exercise — no real risk discovered because the questionnaire is generic.
- Data map omits AI training data or fine-tuned model inputs.
- Risk register lacks dollar quantification — executives cannot prioritize.
Phase B · Harden
Weeks 6–8
Objectives
- Deploy AI Incident Response Runbook and run a tabletop exercise.
- Remediate all P0 Shadow AI findings from the diagnostic scan.
- Instrument Value & Spend tracking for licensed AI tools.
Artifacts Produced
- 2.3 AI Incident Response Runbook · Owner: CISO + Legal
- 3.2 Shadow AI Scan — Remediation Close-out · Owner: IT + TechFides
- 3.3 Value & Spend Tracker · Owner: Finance + IT
Gate C — Incident-Ready
- Tabletop exercise executed; after-action report filed within 5 business days.
- P0 Shadow AI findings closed or formally accepted by the Council with compensating control.
- Spend tracker reconciled to finance actuals ±3% for the trailing quarter.
On the Hook
- CISO (runbook owner)
- General Counsel (notification + disclosure playbook)
- Communications (external messaging)
- Finance (spend reconciliation)
Typical Derailers
- Runbook ignores third-party AI vendor incidents — only covers internal systems.
- Shadow AI closures are license cancellations without workflow replacement — users re-adopt other tools.
- Value tracking captures cost but not realized productivity, leaving ROI indefensible.
Phase C · Scale
Weeks 9–10
Objectives
- Ship the first wave of governed workflow automations tied to measurable outcomes.
- Publish the prompt and template library with access controls and data classifications.
- Update SOPs to reflect AI-assisted steps, review points, and escalation paths.
Artifacts Produced
- 4.1 Governed Workflow Automations (Wave 1) · Owner: TechFides + Process Owners
- 4.2 Prompt & Template Library · Owner: Knowledge Ops
- 4.3 SOP Updates for AI-Assisted Work · Owner: Operations
Gate D — Production Workflows
- At least 3 workflows live in production with human-in-loop review steps documented.
- Template library restricted by role; no P2+ data is pasted into templates marked public.
- SOPs for the top 5 AI-touched processes updated and published.
On the Hook
- Process Owners (design + sign-off)
- Head of Operations (SOP authority)
- Training / L&D
- Internal Audit (control walk-through)
Typical Derailers
- Workflows deployed without rollback or kill-switch plans.
- Template library becomes a wiki — never curated, no versioning.
- SOPs updated on paper but not reinforced through manager routines.
Phase D · Handover
Weeks 11–12
Objectives
- Install the quarterly governance review cadence with the Council.
- Launch role-based training and measure completion / assessment scores.
- Deliver the executive dashboard, board reporting pack, and 12-month roadmap.
Artifacts Produced
- 5.1 Quarterly Governance Review Template · Owner: TechFides → Internal PM
- 5.2 Adoption Playbook · Owner: Change Management
- 5.3 Role-Based Training Curriculum · Owner: L&D
- 6.1 Executive AI Dashboard · Owner: TechFides
- 6.2 Board Reporting Pack · Owner: Executive Sponsor
- 6.3 12-Month AI Roadmap · Owner: Executive Team
Gate E — Handover Certified
- First quarterly governance review executed against the template with full Council attendance.
- Training completion ≥90% across in-scope roles; assessment pass rate ≥80%.
- Board reporting pack delivered and a 12-month roadmap approved with budget envelope.
On the Hook
- Board / Audit Committee
- Executive Sponsor
- Internal Program Owner (post-handover)
- Retainer sponsor (ongoing governance)
Typical Derailers
- Handover ends with no internal owner named — the program dies at month four.
- Training is generic, not role-based — engineers get the same content as sales reps.
- Board pack is consulting output, not operating artifacts — loses credibility on the second review.
Master Artifact Schedule
Intent — The 18 Core artifacts, cross-referenced to week, owner, and closing gate. This is the delivery contract.
| # | Artifact | Module | Target | Owner | Gate |
|---|---|---|---|---|---|
| 1.1 | AI Acceptable Use Policy | Policy Core | Week 2 | General Counsel | A |
| 1.2 | RACI for AI Decisions | Policy Core | Week 2 | Executive Sponsor | A |
| 1.3 | AI Risk Register | Policy Core | Week 5 | Risk / Compliance | B |
| 2.1 | Data Classification & AI Data Map | Shield | Week 4 | CISO | B |
| 2.2 | Vendor & Tool Risk Assessments | Shield | Week 5 | Procurement + CISO | B |
| 2.3 | AI Incident Response Runbook | Shield | Week 7 | CISO + Legal | C |
| 3.1 | AI Inventory Dashboard | Signal | Week 2 (initial), ongoing | IT + TechFides | A |
| 3.2 | Shadow AI Scan (diagnostic) + Remediation | Signal | Week 8 close-out | IT + TechFides | C |
| 3.3 | Value & Spend Tracker | Signal | Week 8 | Finance + IT | C |
| 4.1 | Governed Workflow Automations | Deploy | Week 10 | TechFides + Process Owners | D |
| 4.2 | Prompt & Template Library | Deploy | Week 10 | Knowledge Ops | D |
| 4.3 | SOP Updates for AI-Assisted Work | Deploy | Week 10 | Operations | D |
| 5.1 | Quarterly Governance Review Template | Cadence | Week 11 | TechFides → Internal PM | E |
| 5.2 | Adoption Playbook | Cadence | Week 11 | Change Management | E |
| 5.3 | Role-Based Training Curriculum | Cadence | Week 12 | L&D | E |
| 6.1 | Executive AI Dashboard | Brief | Week 12 | TechFides | E |
| 6.2 | Board Reporting Pack | Brief | Week 12 | Executive Sponsor | E |
| 6.3 | 12-Month AI Roadmap | Brief | Week 12 | Executive Team | E |
Operating Cadence
Intent — The meeting cadence that runs underneath the roadmap. Four forums, each with a specific decision they are authorized to make.
Steering Committee
Weekly · 60 min · Executive Sponsor, CISO, General Counsel, TechFides Partner
Gate progress, unblock decisions, own scope changes and slippage. The only forum authorized to move a gate date.
Delivery Stand-up
Twice weekly · 20 min · TechFides lead, workstream owners, client PM
Surface blockers within 48 hours. No status theater — if there is nothing to decide, cancel the stand-up.
Council Review
Bi-weekly · 90 min · AI Governance Council (full)
Approve artifacts, ratify risk acceptances, and review the inventory delta. This is the body of record for governance decisions.
Executive Readout
End of each phase · Executive Sponsor + designated execs
Walk the phase gate evidence, approve the go-decision for the next phase, and ratify any scope changes.
Success Criteria at Day 90
Intent — How the board will judge whether the engagement delivered. These criteria are stated up front so they cannot be renegotiated in arrears.
Governance
- AI Governance Council has met at least six times, with minutes and decisions logged.
- Acceptable Use Policy acknowledged by 100% of in-scope employees; new-hire acknowledgment wired into onboarding.
- AI Risk Register maintained with ≥25 risks, owners, and review dates; quantified exposure stated in dollars.
Security & Trust
- P0 Shadow AI findings closed or accepted with compensating controls on file.
- Incident Response Runbook exercised; after-action report filed; gaps scheduled.
- Vendor Risk Assessments complete for all P0/P1 tools; a running backlog established for P2/P3.
Adoption & Value
- At least 3 governed workflows live in production with documented before/after metrics.
- Training completion ≥90% across in-scope roles; assessment pass rate ≥80%.
- Value & Spend tracker reconciled to finance; ROI stated in realized productivity, not hypothetical hours.
Board-Readiness
- Board Reporting Pack delivered, including incident summary, inventory delta, ROI, and risk posture.
- 12-Month AI Roadmap ratified by the executive team with budget envelope and milestone dates.
- Internal owner named and accepting responsibility for the ongoing governance cadence beyond day 90.
Commercial Terms & Handover
Intent — Stated explicitly because they affect the work. No ambiguity between engagement end and governance start.
Scope
This roadmap covers the 12-week Core Implementation engagement following the 2-week Diagnostic. It explicitly does not include platform selection, custom model training, or implementation of controls inside third-party SaaS tools that require vendor engagement beyond the scope of this contract. Those are scoped as Phase 2 initiatives in the 12-Month Roadmap.
Handover on Day 90
On the last day of week 12, TechFides transfers operating ownership to [INTERNAL PROGRAM OWNER NAME]. Artifacts, evidence logs, and council minutes are deposited in the client's designated system of record. TechFides retains no working copies except those specified in the data retention rider.
Post-Engagement Retainer (optional)
Continued governance cadence, quarterly reviews, and on-call advisory are delivered under the AEGIS Governance Retainer. The retainer is priced separately and is not required — but without it, the cadence is the client's to run alone.