AEGIS · Module 5 · Cadence
Artifact 5.1
Quarterly Governance Review Template
The meeting that turns AEGIS artifacts into decisions. A standard 2.5-hour agenda, required attendees, pre-read discipline, and a minutes structure that feeds the board pack.
- Client
  - [CLIENT NAME]
- Engagement
  - [ENGAGEMENT ID]
- Version
  - v1.0
- Issued
  - 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose
Intent — A quarter without a governance review is a quarter where the artifacts drifted, the risk register grew stale, and the organization forgot which workflows were in production. This template makes the review boring, predictable, and unmissable.
What this meeting produces
- Decisions, with named decision-makers, captured in the minutes.
- Refreshed risk register (Artifact 1.3) — reviewed, not just read.
- Signed-off inventory deltas (Artifact 3.1).
- Workflow dispositions — Scale / Hold / Rework / Retire — per Artifact 3.3 thresholds.
- Prioritized next-quarter work feeding the roadmap (Artifact 6.3) and board pack (Artifact 6.2).
What this meeting is not
- Not a status update — those go in the executive dashboard (Artifact 6.1).
- Not a vendor pitch — new tools route through intake (Artifact 3.1), not this meeting.
- Not a training session — policy and tool walkthroughs belong in Artifact 5.3.
Cadence & Logistics
Intent — Predictability is the point. The meeting happens every quarter whether anything dramatic has happened or not — and especially when nothing has.
When
Third Tuesday of the first month of each quarter. 2.5 hours. On calendar one year in advance. Attendance is in-person unless otherwise agreed.
Quorum
Meeting does not start without Executive Sponsor, General Counsel, AI Governance Lead, and at least one function head. If quorum fails, the meeting is rescheduled within 10 business days — not canceled.
Minutes & distribution
Draft minutes within 24 hours, final within 5 business days. Distribution: attendees + ExCo. Board-material items also routed to Artifact 6.2 prep.
Attendees
Intent — Each named role owns a block of the agenda. If the role can't make the meeting, a delegate with decision authority must attend — no silent chairs.
| Role | Accountability |
|---|---|
| Executive Sponsor | Chair. Convenes, closes, owns outcomes to the ExCo and Board. |
| AI Governance Lead | Quarterback. Prepares packet, walks artifacts, captures decisions. |
| General Counsel | Policy, regulatory, incident-notification authority. |
| CISO | Security posture, incident ownership, vendor risk. |
| CHRO | Role change, training, workforce communications. |
| VP Finance | Spend ledger, ROI discipline, budget decisions. |
| Function Heads | Each affected function sends its head when workflows from their area are on the agenda. |
| Scribe | Captures minutes, actions, decisions. Not a participant — independent role. |
Pre-Read Discipline
Intent — Governance reviews that fail, fail because the room is reading the pre-read. Enforce the 5-day rule.
- Governance Lead publishes pre-read 5 business days prior.
- Each artifact owner confirms their artifact is current (not stale), including Next Review Due dates.
- Finance publishes Artifact 3.3 with quarter close data no later than 3 business days prior.
- Incidents packet compiled from Artifact 2.3 by CISO 3 business days prior.
- Pre-read includes: prior minutes, action register, artifact snapshots, decision items with options.
- Decisions required at the meeting are flagged in the pre-read with their options — no decisions get introduced fresh in the room.
Standard Agenda
Intent — Eleven blocks, 2.5 hours. Anything that does not fit here belongs in a different forum.
| Block | Duration | Owner | Purpose | Output |
|---|---|---|---|---|
| 0 · Roll-call + prior actions | 10 min | Governance Lead | Confirm attendance, quorum, and completion status of prior-quarter action items. Actions not closed are rolled to this quarter or escalated. | Prior-actions report with close/defer/escalate decisions. |
| 1 · Inventory & scope changes | 15 min | AI Governance Lead | Walk through every addition, reclassification, and retirement in Artifact 3.1 since the last review. Confirm each carries an owner and next-review date. | Inventory deltas approved; any unowned rows escalated. |
| 2 · Risk register walk | 20 min | AI Governance Lead + Risk Owner | P0/P1 risks reviewed individually from Artifact 1.3. New risks, status changes, and closed mitigations. Treatment decisions confirmed or revised. | Risk register updated; any newly P0 risk has a named mitigation owner and deadline. |
| 3 · Workflow performance | 20 min | Workflow Owners | Each T3/T4 workflow (Artifact 4.1) walks through its quarter: metrics vs. tolerance, exception count, drift signals. T1/T2 workflows reviewed in aggregate. | Workflows flagged for redesign / retirement. Owner & deadline captured. |
| 4 · Incidents & near-misses | 15 min | CISO / Incident Commander | Every SEV-1/SEV-2 and a sampling of SEV-3/SEV-4 incidents from Artifact 2.3. Root-cause themes, systemic follow-ups, external notifications completed. | After-action items confirmed; cross-cutting themes captured. |
| 5 · Value & spend | 15 min | VP Finance + Governance Lead | Ledgers from Artifact 3.3 reconciled. Scale/Hold/Rework/Retire decisions for every initiative. Forward-quarter budget check. | Initiative dispositions confirmed; material budget variances escalated. |
| 6 · Policy & regulatory update | 15 min | General Counsel + Governance Lead | Regulatory developments since last review. Policy 1.1 change proposals. EU AI Act / state AI law / sectoral obligations tracking. | Policy change PRs approved or deferred; reg tracker updated. |
| 7 · Vendor posture | 10 min | CISO + Procurement | Vendors from Artifact 2.2 with posture change (SOC report expired, breach, acquisition). Renewals in the next 90 days. | Vendor actions: reassess / renegotiate / replace. |
| 8 · People & culture | 10 min | CHRO + Governance Lead | Training completion (5.3), adoption signals (5.2), feedback from the employee forum. Role-change watch items. | People actions named; escalations to ExCo if any. |
| 9 · Next-quarter priorities | 20 min | Executive Sponsor | Rank the next-quarter work. Top 5 priorities feed the roadmap (Artifact 6.3) and the executive dashboard (Artifact 6.1). | Prioritized list with owner + deadline for each. |
| 10 · Decisions, actions, close | 10 min | Governance Lead | Confirm every decision with attribution. Restate every action with owner and due date. Board pack deltas assigned. | Minutes draft circulated within 24 hours; actions tracked in the register. |
Artifacts Consulted
Intent — Every AEGIS artifact touches this meeting in some form. This is the canonical list.
| # | Used For |
|---|---|
| 1.1 | AI Acceptable Use Policy — change review |
| 1.2 | RACI — any role changes since last review |
| 1.3 | AI Risk Register — P0/P1 walk |
| 2.1 | Data Classification & AI Data Map — scope changes |
| 2.2 | Vendor & Tool Risk Assessments — posture + renewals |
| 2.3 | AI Incident Response Runbook — quarter's incidents |
| 3.1 | AI Inventory Dashboard — adds, changes, retirements |
| 3.2 | Shadow AI Scan Report — fresh findings |
| 3.3 | AI Value & Spend Tracker — ledger + scorecards |
| 4.1 | Governed Workflow Automations — metrics per workflow |
| 4.2 | Prompt & Template Library — eval regressions |
| 4.3 | SOP Updates — releases since last review |
| 5.2 | Adoption Playbook — adoption signals |
| 5.3 | Role-Based Training Curriculum — completion rates |
Minutes Template
Intent — A consistent minutes structure makes the quarter comparable over time and makes the board pack compilation (Artifact 6.2) mechanical rather than interpretive.
- Meeting
  - [CLIENT] · Q# 20NN Governance Review
- Date
  - [YYYY-MM-DD] · Duration · 2.5 hr
- Attendees
  - Listed by role; proxies noted.
- Quorum
  - Confirmed / not confirmed (rescheduled).
- Agenda hit?
  - Every block: held / deferred / extended.
- Decisions
  - Each as: D-NN · decision · decision-maker · effective date.
- Actions
  - Each as: A-NN · action · owner · due date.
- Risks changed
  - List with before/after severity.
- Incidents walked
  - Summary + cross-cutting themes.
- Escalations to ExCo
  - Item, reason, urgency.
- Next meeting
  - Date + known-open items.
Regulatory Mapping
Intent — A documented, quorate governance review cadence is a core expectation of every AI assurance framework in force today.