The calendar invite goes out. Eight people show up.
They spend an hour on AI principles. Someone presents a framework. A few people nod. The meeting ends.
Three months later, engineering ships something anyway because they got tired of waiting. Legal finds out after launch. Security panics. The council meets again. This time to figure out what went wrong.
That is governance theater. It is also what most AI Councils look like within six months of formation.
Here is why they fail and what a functioning council actually does.
What a council is for (and what it is not)
The council has three jobs:
- Decide what gets built. Not everything, just the AI that matters. Customer-facing AI. AI that touches regulated data. AI agents that take real-world actions. The council looks at proposals and says yes, no, or "fix these things first." Not "let us discuss." Actual decisions.
- Kill projects that should die. This is the hardest part. Teams get attached. Executives have pet projects. Someone's bonus is tied to shipping something. The council kills it anyway if the project is not working. If your council has never killed a project, it is not doing its job.
- Unblock teams that are stuck. Good teams get stuck on real problems. Legal will not sign off. Security blocked it. The council makes the call. Not next month. This week.
The five-person structure that works
The right size is 5 to 7 people. Not 12.
- Product or Engineering Leader. Someone who actually builds AI systems, not someone who manages people who manage people who build them. They know what is technically feasible, how long things actually take, and what corners teams are cutting.
- Legal or Compliance Officer. Someone who knows which regulations apply and which risks are real. Not someone who says no to everything. Someone who knows the difference between "we cannot do this" and "we need these guardrails." In 2026, this person should have read the EU AI Act directly.
- Security or Risk Leader. Someone who understands AI-specific risks: model poisoning, data leakage, prompt injection, hallucination in agentic workflows. They should scare you a little. That is their job.
- Business Owner. Someone who owns the P&L or the strategic outcome. They know if the AI will actually create value or burn money. They have skin in the game.
- CFO or Finance Leader (optional but recommended). If AI spending has reached board-level visibility, someone who can approve budgets without a 3-week finance cycle saves enormous time.
Junior people representing their boss cannot make decisions without checking upward, so they effectively do not decide anything. Do not put them on the council. Observers do not decide. They do not belong in the room.
The risk tier system (replaces guessing)
Every AI project needs a risk score before council review. This is not optional. It replaces the 45-minute debate about whether something is "risky" with a calculation.
Risk Score =
(Data Sensitivity x 3)
+ (Autonomy Level x 3)
+ (User Impact x 2)
+ (Regulatory Exposure x 2)
Each variable scored 1 to 5. Maximum score: 50.
- 10 to 20: Tier 1. Engineering lead approves. Council notified quarterly.
- 21 to 35: Tier 2. Product + Security sign off. Council reviews quarterly.
- 36 to 45: Tier 3. Full council approval. Legal and Security have veto rights.
- 46 to 50: Tier 4. Full council + CEO awareness. Human-in-the-loop mandatory.
A real example: a company wants to build an AI agent that automatically reviews and responds to customer refund requests, pulling from order history (PII), making decisions without human review, affecting customers directly, in a FinTech environment.
- Data Sensitivity: 5 (PII)
- Autonomy Level: 5 (no human review)
- User Impact: 4 (consequential customer decisions)
- Regulatory Exposure: 5 (FinTech)
Score: (5x3) + (5x3) + (4x2) + (5x2) = 15 + 15 + 8 + 10 = 48
Tier 4. Full council decision with mandatory human-in-the-loop before production. That decision takes 30 seconds with this formula. Without it, the same debate takes 90 minutes and ends with a vague consensus.
The 2026 problem nobody is talking about
Every governance framework built before 2024 was designed for AI that generates text.
In 2026, you are not approving a chatbot. You are approving an autonomous agent that can browse the web, write and execute code, read internal documents, send emails on behalf of employees, and make API calls to third-party systems.
A language model that gives a bad answer is a nuisance. An agent that takes a bad action can be a legal event.
Your risk classification must now include: how much can this system do without a human confirming each action? A system that can send emails, modify records, or execute transactions without human review at each step is fundamentally different from a system that generates text for a human to review.
This is Tier 4 territory. Your council needs to treat it differently.
The Council Velocity Score
Most councils track what they approve or deny. Almost none track how fast they decide.
Speed is the governance metric that determines whether your council gets used or gets routed around.
Council Velocity Score (CVS) = (Decisions Resolved Within SLA / Total Decisions Submitted) x 100
Target: 85% or higher
Below 70%: teams are already routing around you
Set these SLAs and enforce them:
- Tier 1 approvals: Engineering lead decision within 48 hours
- Tier 2 reviews: Council decision within 5 business days
- Tier 3 and Tier 4 reviews: Council decision within 5 business days of meeting
- Escalations: 48-hour resolution from Chair
- Budget requests: Decision within 2 weeks
If the council cannot decide in that window, the default is no. This default exists to prevent indefinite deferral from becoming a de facto approval.
If CVS falls below 70% for two consecutive months, find the bottleneck. A council that is a blocker gets routed around. A council that enables fast, clear decisions gets used.
The real test
A VP has a pet AI project. They have been talking about it for months. They have budget and a team. They are excited.
The council reviews it. Risk Score: 44. High-risk. It will not move the North Star metric. It will burn $500,000 and 12 months. And there is a data privacy exposure that Legal flagged.
Can your council kill it?
If the answer is "we would probably let them try it," your council is decorative. If the answer is "we would need to escalate to the CEO," your council is slow. If the answer is "yes, we kill it, and we redeploy the budget," you have a functioning council.
What good governance looks like at six months
Teams trust the process. They submit projects knowing they will get a fast, clear decision. Routing through the council is faster than routing around it.
Decisions stick. When the council says yes, it ships. When they say no, it dies. No endless appeals.
The council is boring. Most meetings are approvals and quick reviews. The drama is rare because the process handles the routine stuff.
You have killed at least three projects. If you have not killed anything, you are rubber-stamping.
Response time is measured in days, not weeks. Teams get answers in 48 to 72 hours. Not "we will discuss it next month."
That is a functioning AI governance body. Not impressive to watch. Enormously valuable to have.