AEGIS · AEGIS Policy Core
Artifact 1.2
RACI for AI Decisions
The decision-rights matrix for AI. Twelve recurring decisions, seven roles, four letters — so nothing stalls for lack of an owner and nothing ships without a namable accountable.
- Client: [CLIENT NAME]
- Engagement: [ENGAGEMENT ID]
- Version: v1.0
- Issued: 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose
Intent — Collapse ambiguity. Every AI decision that happens regularly in this organization has exactly one Accountable. Every Accountable has one Responsible. Consulted and Informed are specific people, not distribution lists.
The most common governance failure is not policy absence — it is unclear decision rights. Employees stall because they cannot find the decision-maker; decision-makers say yes without the right Consulted voice; leadership learns about material AI decisions from incidents instead of from a rhythm. This matrix fixes that by naming, for each recurring AI decision, who is Responsible, who is Accountable, who must be Consulted before the decision, and who must be Informed after.
Legend
Intent — The four letters, stated plainly, so there is no argument later about what 'Consulted' means.
Responsible
Does the work to bring the decision to a conclusion. There is exactly one R per decision, and the R writes the proposal that the A ratifies.
Accountable
Owns the outcome and bears the consequence. There is exactly one A per decision. The A can override or redirect the R, but cannot be both the R and the A for the same decision.
Consulted
Must be asked and heard before the decision. Consulted is a two-way conversation. A decision made without consulting all Cs is not valid and must be redone.
Informed
Must be told after the decision, within a named window. Informing is one-way and need not happen before action.
The Seven Roles
Intent — Roles, not names. Names are assigned in §5 and revised at each Council meeting. The role definitions below are durable.
- Executive Sponsor: The C-suite owner of the AI program. Holds final authority on policy, risk tolerance, and material investment decisions. Reports to the board on AI posture.
- AI Governance Lead: The operational owner of AEGIS inside the organization. Chairs the Council, maintains the artifacts, and runs the exception process day to day.
- CISO: Accountable for security, data classification enforcement, vendor risk assessments, and AI-related incident response.
- General Counsel: Accountable for regulatory alignment, privileged-material handling, contract language, and disclosure obligations.
- Function Lead: The manager or director of an operating unit (Sales, Engineering, HR, Ops, etc.). Responsible for local enforcement and first-line approval of routine use cases.
- Individual Employee: Every person with access to an approved AI tool. Responsible for reading the AUP, classifying data before prompting, and reporting violations or incidents.
- Council: The cross-functional AI Governance Council, meeting at least bi-weekly, composed of the roles above plus rotating operating-unit representation. The body of record for governance decisions.
Decision Matrix
Intent — Twelve recurring AI decisions, mapped across the seven roles. Rows are decisions; columns are roles; cells are the letters that govern who does what.
| ID | Decision | Category | Executive Sponsor | AI Governance Lead | CISO | General Counsel | Function Lead | Individual Employee | Council |
|---|---|---|---|---|---|---|---|---|---|
| D-01 | Approve a new AI tool for the enterprise | Tooling | I | R | C | C | C | — | A |
| D-02 | Approve a routine Conditional use case (§4 of the AUP) | Day-to-Day | — | A | I | I | R | I | I |
| D-03 | Approve AI use on privileged or regulated material | Legal / Compliance | I | C | C | A | R | I | I |
| D-04 | Accept a P0 or P1 risk from the AI Risk Register | Risk | A | R | C | C | C | — | C |
| D-05 | Declare an AI-related incident | Incident | I | C | A | C | I | R | I |
| D-06 | Ship a customer-facing AI feature | Product | A | C | C | C | R | — | C |
| D-07 | Change the AI Acceptable Use Policy | Policy | A | R | C | C | I | I | C |
| D-08 | Approve a vendor-side AI subprocessor change | Vendor | I | C | A | C | I | — | I |
| D-09 | Accept a Council exception that would deviate from policy | Exception | I | R | C | C | C | — | A |
| D-10 | Revoke or suspend an employee's AI tool access | Enforcement | I | C | A | C | R | I | I |
| D-11 | Approve a customer contract with a material AI clause | Commercial | C | C | C | A | R | — | I |
| D-12 | Quarterly board-level AI posture reporting | Reporting | A | R | C | C | I | — | C |
Named Assignments
Intent — The RACI letters are durable; the names change. This table is revised at each Council meeting and travels with the matrix.
| Role | Named Person | Backup | Effective From |
|---|---|---|---|
| Executive Sponsor | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
| AI Governance Lead | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
| CISO | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
| General Counsel | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
| Function Lead | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
| Individual Employee | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
| Council | [NAME + TITLE] | [BACKUP NAME] | [DATE] |
Escalation & Timing
Intent — What to do when consensus fails, and how long each decision can sit before it must resolve. Ambiguity here kills programs.
D-01
Approve a new AI tool for the enterprise
Escalation — If a Council member objects, the decision escalates to the Executive Sponsor.
Timing — Monthly intake; target 10 business days to decision.
D-02
Approve a routine Conditional use case (§4 of the AUP)
Escalation — Denied requests can be appealed to the Council at the next scheduled review.
Timing — Target response: three business days.
D-03
Approve AI use on privileged or regulated material
Escalation — Escalates to Council if Counsel declines and function lead disputes.
Timing — Case-by-case; documented in the Exception Log.
D-04
Accept a P0 or P1 risk from the AI Risk Register
Escalation — Board notification required if accepted exposure exceeds the materiality threshold.
Timing — At every Council review; ad hoc as risks emerge.
D-05
Declare an AI-related incident
Escalation — Any employee may escalate directly to CISO; retaliation for good-faith reports is prohibited.
Timing — On detection; severity level assigned within 2 hours.
D-06
Ship a customer-facing AI feature
Escalation — Pre-launch checklist must clear every Consulted role before go-live.
Timing — Per launch; minimum two-week review window.
D-07
Change the AI Acceptable Use Policy
Escalation — Material changes require a board note before the next board meeting.
Timing — Quarterly review; annual full revision.
D-08
Approve a vendor-side AI subprocessor change
Escalation — Subprocessors that materially change data residency trigger Council review.
Timing — On vendor notification; 15 business days to respond.
D-09
Accept a Council exception that would deviate from policy
Escalation — Exceptions expire at the next Council meeting unless re-ratified.
Timing — At every Council review.
D-10
Revoke or suspend an employee's AI tool access
Escalation — Formal discipline follows HR protocol; appeals go to Executive Sponsor.
Timing — On violation; standing review in the Exception Log.
D-11
Approve a customer contract with a material AI clause
Escalation — Non-standard clauses affecting model choice, data residency, or audit rights escalate to Council.
Timing — Per deal; target five business days on standard clauses.
D-12
Quarterly board-level AI posture reporting
Escalation — Incidents above the materiality threshold trigger an out-of-cycle note to the board.
Timing — Quarterly; aligned with board meeting cadence.
Operating Rules for the Matrix
Changes to the matrix
A row in this matrix can be added, removed, or revised only by Council decision. Proposed changes are circulated 72 hours ahead of the Council meeting at which they are reviewed. Silent modification of the matrix is a governance incident.
Decision records
Every D-series decision in §4 produces a durable record: the request, the decision, the date, and the Accountable who ratified it. Records are stored in the engagement's governance system of record and are reviewable by internal audit.
If the matrix is silent
Any AI decision not on this matrix defaults to the AI Governance Lead as R and the Council as A. The Lead is responsible for proposing the correct mapping at the next Council meeting so that the gap does not recur.