
Case Study — Sample Board Paper: AI Governance and Assurance

  • orrconsultingltd
  • Jan 26

This case study is presented in the form of a sample board paper, illustrating how an Orr Consulting engagement to strengthen AI governance and assurance could be framed for board review and approval.


Board Agenda Item 5: Proposals for AI Governance and Assurance


Board Paper Reference: 2603/05

Date: 09 March 2026

Author: Chief Operating Officer

Contributors: Orr Consulting (AI Transformation Consultants)


Executive Summary

ES1. At a previous board meeting, a governance risk relating to the increasing use of generative AI tools across the organisation was escalated.


ES2. Staff experimentation with generative AI tools was becoming increasingly common in day-to-day work. While this experimentation offers potential productivity benefits, it also introduces organisational risks, particularly relating to the handling of confidential or client information.


ES3. Orr Consulting was engaged to review existing arrangements and provide recommendations for strengthening governance and assurance for artificial intelligence.


ES4. The review identified a number of Shadow AI risks, including uncontrolled use of external AI tools, potential exposure of confidential information and limited leadership visibility of AI experimentation.


ES5. The main recommendation is to implement the Orr Consulting AI Governance and Assurance Framework, providing a structured approach to managing AI risks while supporting responsible AI adoption.


ES6. Implementation of the framework is expected to take place over a three-month period following board approval.


Board Decisions and Actions Requested

The board is invited to:


  • Note the findings of the review of current AI governance arrangements

  • Approve the implementation of the Orr Consulting AI Governance and Assurance Framework

  • Request a progress update from the senior leadership team following implementation


1. Context and Purpose of Paper

1.1 At the previous board meeting, a governance risk was raised concerning the increasing use of generative AI tools across the organisation without formal governance arrangements.


1.2 Several senior leaders noted that employees were beginning to experiment with generative AI technologies such as ChatGPT and other AI-enabled tools in day-to-day professional work.


1.3 While this experimentation was often well intentioned and potentially beneficial, the board expressed concern that the organisation lacked clear policies, governance structures and assurance processes relating to the use of AI technologies.


1.4 In particular, the board highlighted the potential risk that confidential or client information could be inadvertently shared with external AI platforms.


1.5 The board therefore requested a review of current arrangements and a set of recommendations to strengthen governance and assurance for AI adoption.


1.6 The purpose of this paper is to present the findings of that review and seek board approval for the proposed governance framework.


2. Action Taken

2.1 Orr Consulting was engaged to support the organisation in reviewing its existing AI governance arrangements.


2.2 The review involved discussions with senior leadership team members together with examination of existing governance policies, digital capabilities and operational practices.


2.3 The objective was to identify potential organisational risks associated with AI adoption and recommend proportionate governance arrangements aligned with emerging industry best practice.


2.4 The review identified several key risks associated with Shadow AI, including the following.


  • Uncontrolled use of external AI tools - Staff experimenting with generative AI tools without clear organisational guidance on acceptable use.

  • Potential exposure of confidential information - Risk that client data, commercially sensitive information or internal documentation could be inadvertently shared with external AI platforms.

  • Lack of defined AI accountability - Unclear ownership of AI-related risks and governance responsibilities within the organisation.

  • Inconsistent adoption of AI technologies - Different teams exploring AI tools independently without coordination or shared governance.

  • Limited leadership visibility - Senior leadership lacked a clear view of where and how AI technologies were being used across the organisation.


2.5 While no incidents had occurred, these risks highlighted the need for clearer governance arrangements to ensure that experimentation with AI technologies remained responsible and controlled.


3. Main Recommendation

3.1 Based on the findings of the review, the primary recommendation is to implement the Orr Consulting AI Governance and Assurance Framework.


[Figure: The Orr Consulting AI Governance and Assurance Framework]

3.2 The framework provides a structured approach to governing AI adoption across the organisation while enabling responsible experimentation with AI technologies.


3.3 The framework introduces clear governance structures, policies and assurance mechanisms designed to address the Shadow AI risks identified during the review.


3.4 The framework includes several priority interventions, summarised below.


3.5 Acceptable Use Policy for AI Tools

Introduction of a clear organisational policy defining acceptable use of generative AI technologies.


3.6 Generative AI (ChatGPT, Copilot, Gemini) Working Principle.

It is proposed that Generative AI technologies will be permitted for appropriate professional use, provided that their use complies with the Acceptable Use Policy for AI Tools and the governance guardrails established under the AI Governance and Assurance Framework. These guardrails include:


  • prohibition on sharing confidential, client or commercially sensitive information with external AI platforms

  • appropriate human oversight of AI-generated outputs

  • responsible professional use aligned with organisational policies and standards.


This approach enables the organisation to benefit from emerging AI capabilities while ensuring that associated risks are appropriately managed.


3.7 AI Governance Oversight

Establishment of clear leadership accountability for AI governance, including oversight of AI risks and approval of significant AI initiatives.


3.7.1 Overall executive accountability for AI governance will sit with the Chief Operating Officer, reflecting the cross-organisational nature of AI adoption across operations, technology, risk and client service delivery.


3.7.2 Orr Consulting will support the Chief Operating Officer and senior leadership team in establishing the governance structures, policies and assurance processes required under the framework.


3.8 AI Risk Identification and Assurance

Introduction of structured processes for identifying, monitoring and managing risks associated with AI technologies.


3.9 Visibility of AI Adoption

Improved leadership visibility of AI experimentation and adoption across the organisation.


3.10 AI Education and Awareness

Targeted leadership and staff education to ensure employees understand both the opportunities and risks associated with AI technologies.


3.11 Together, the governance framework and the targeted measures above will mitigate Shadow AI risks while supporting responsible AI adoption.


3.12 The proposed AI Governance and Assurance Framework will not replace or duplicate existing digital or technology governance arrangements. Instead, it will augment current governance structures by introducing specific policies, oversight mechanisms and assurance processes designed to address the emerging risks and opportunities associated with artificial intelligence. This will be achieved by working closely with existing organisational risk and assurance functions.


4. Implementation Approach and Timescales

4.1 Implementation of the Orr Consulting AI Governance and Assurance Framework is scheduled to take place over a three-month period following board approval.


The proposed high-level implementation approach is outlined below.


  • Phase 1 — Governance Definition (Weeks 1–4)

    • Establish governance ownership and leadership accountability for AI oversight

    • Develop and approve an organisational AI Acceptable Use Policy for generative AI technologies

  • Phase 2 — Risk and Assurance Controls (Weeks 5–8)

    • Introduce structured processes for identifying and managing AI-related risks

    • Integrate AI governance considerations into existing organisational governance and risk management arrangements.

  • Phase 3 — Awareness and Organisational Rollout (Weeks 9–12)

    • Introduce targeted leadership and staff awareness sessions relating to responsible AI use

    • Provide practical guidance on acceptable use of generative AI technologies.


4.2 Following completion of the implementation phase, the senior leadership team will provide a follow-up update to the board summarising:


  • progress with framework implementation

  • any emerging risks or governance considerations

  • recommended next steps relating to the organisation’s broader AI capability and strategy


4.3 Orr Consulting will support the senior leadership team during this implementation period to ensure that the framework is introduced effectively and aligned with existing governance structures.


5. Board Decisions and Actions Requested

The board is invited to:


5.1 Note the findings of the review of existing AI governance arrangements.


5.2 Approve the implementation of the Orr Consulting AI Governance and Assurance Framework as the organisational mechanism for strengthening AI governance and oversight.


5.3 Request a follow-up update from the senior leadership team on progress with framework implementation at the next scheduled meeting of the board.


Outcome

Following board approval, the organisation implemented the AI Governance and Assurance Framework to strengthen oversight of AI technologies across the organisation.


This included the introduction of acceptable use guidance for generative AI tools, improved leadership visibility of AI experimentation and the establishment of clear governance responsibilities.


These measures reduced the risk of uncontrolled AI experimentation while enabling the organisation to continue exploring AI opportunities within a clear and proportionate governance structure.


Final Note

This Case Study is part of the Orr Consulting AI Insights Library — structured thinking for AI transformation leaders and decision makers.


If your organisation is considering its next steps in AI governance and assurance, Orr Consulting can help you assess current maturity, identify priority gaps and define practical next steps.


