The AI steering committee: charter, membership, cadence.
There is a recurring failure mode in regulated companies trying to do AI well: a small group of people who happen to know how the models work end up holding all of the governance in their heads. The group is enthusiastic, technically competent, and operationally invisible. When a regulator asks who decided to approve a use case, the answer is "we did, in a meeting", and the meeting did not have minutes.
The AI steering committee exists to make that failure mode impossible. It is the standing body that decides, on the record, what AI is allowed to do inside the company. This post is the charter we drafted before we built anything.
Why a standing body rather than a working group
A working group has a goal and an end date. It dissolves when the goal is met. That is the right shape for "build the first version of the use-case register" or "respond to the consultation on the AI regulation in jurisdiction X". It is the wrong shape for governance, because governance is the work of continuing to be governed after the deliverable is done.
The standing body has no end date. Its job is to keep the artefacts alive: the charter, the register, the policy, the approval list. Each meeting is a checkpoint on the same set of artefacts, which means the committee never starts from zero. New members read the most recent minutes and pick up where the room left off.
The persistence is what makes the committee legible to a regulator. Asked who is responsible for AI governance, the answer is a body with a charter, members, a cadence, and minutes. The body has continuity beyond the people who currently sit on it.
The charter
The charter is three paragraphs, in plain language, that say what the committee is, what it does, and what its decisions bind. We keep it short on purpose: a long charter rots, a short charter survives.
The first paragraph defines the committee as the standing body responsible for AI governance inside the company, names the artefacts it owns, and states that the committee's decisions bind the entire organisation until the committee revises them. The second paragraph describes membership: the seats by role, the appointment process, term length (two years, renewable once), and the named-alternate rule. The third paragraph describes operation: monthly cadence, fixed standing agenda, quorum (chair plus three other seats with at least one being compliance or risk), minutes published within a working day, and the route for escalating decisions the committee cannot reach consensus on.
The charter is reviewed annually on a fixed date, and amendments are made by majority vote of the committee with the change log attached. The version in force is the one the audit log will reference when a regulator asks what the rule was at a given point in time.
Membership
The committee is five to seven seats. Each seat is a role, not a person. People rotate; the seats persist.
The seats we use: a chair (typically the head of risk or compliance, never the head of AI engineering, for reasons of independence), compliance, risk, security, AI engineering, and one or two rotating business representatives. The business seats rotate every six months so the perspective of the lines actually using AI is represented, not just the head office view.
Each seat has a named alternate. The alternate is appointed at the same time as the primary and attends meetings when the primary cannot. This sounds bureaucratic until the first time you lose quorum because three people are on holiday at the same time. The alternates are what make a monthly cadence reliable.
The chair is not the most senior person in the room. The chair is the person responsible for keeping the meeting on agenda and getting minutes out the next working day. That is a real job, and it is worth picking someone who is good at it.
The standing agenda
Every meeting follows the same agenda, in the same order. The order matters: the agenda starts with the operational record (so the committee is grounded in what actually happened since the last meeting) and ends with the forward-looking decisions (which are made with that record in mind).
- Review of the metric pack since the last meeting.
- Incidents and near-misses since the last meeting, with follow-up status.
- Use-case register changes pending: new entries, retirements, scope changes.
- Vendor approval list changes pending: new vendors, status changes, renewals.
- Policy revisions pending: AI AUP, AI governance charter, sub-policies.
- Any matters arising from the line-of-business representatives.
The agenda is not the entire surface; it is the regular surface. Special items can be added with at least three working days' notice, with a one-page brief circulated in advance. The brief is mandatory; without it, the special item is deferred to the next meeting.
What the committee owns
Four artefacts, each with the committee as the named owner.
- The AI governance charter (which contains the committee's own definition, recursively).
- The use-case register (the index of every place AI does work).
- The AI acceptable-use policy (the document that defines what employees are allowed to do with AI).
- The vendor approval list (the controlled set of vendors any AI workflow may use).
For each artefact, the committee owns three things: the contents, the change log, and the review cadence. No artefact moves without a committee decision recorded against it in the minutes. The change log is the audit trail: it lets a reviewer answer "what was the rule on the day this happened?" without reconstructing the history from emails.
Common failure modes
The committee that meets but does not decide. The classic shape of a governance failure is a regular meeting whose minutes record discussion without conclusions. The fix is to require every agenda item to end in a decision (approve, defer, reject, request information) or be escalated. Discussion that does not converge on one of those outcomes is moved to a separate document and treated as research, not governance.
The committee that decides but does not write it down. Minutes are mandatory and published internally within a working day. The chair owns this; the chair's success or failure is judged on it. If minutes slip, the chair is replaced.
The committee that is the same five people who built the system. Independence matters. The chair should not be the head of the team that operates the AI, and the line-of-business seats should not be filled by people who report to that head. A committee that lacks independence is a project review meeting wearing a governance hat.
FAQ
Questions readers ask
What is an AI steering committee?
An AI steering committee is the standing body inside an organisation that decides, on the record, what AI is allowed to do. It owns the AI governance charter, the use-case register, the AI acceptable-use policy, and the vendor approval list. It meets on a monthly cadence with a fixed standing agenda, and its decisions bind the organisation until revised.
Who should sit on the AI steering committee?
Five to seven seats, each a role rather than a person, with named alternates. The seats we use: chair (typically risk or compliance), compliance, risk, security, AI engineering, and one or two rotating line-of-business representatives. The chair is independent of the team that operates the AI, and the line-of-business seats rotate every six months to keep front-line perspective represented.
How often should the committee meet?
Monthly is the right rhythm for a committee whose decisions need to land within the same quarter. The standing agenda covers the metric pack review, incidents and near-misses, use-case register changes pending, vendor approval list changes pending, and policy revisions. Minutes are published internally within a working day of the meeting.
What artefacts does the AI steering committee own?
Four: the AI governance charter (which defines the committee itself), the use-case register (the index of every place AI does work), the AI acceptable-use policy, and the vendor approval list. For each artefact the committee owns the contents, the change log, and the review cadence. No artefact moves without a committee decision recorded against it.
How is the committee held accountable?
Through the minutes and the change logs of the artefacts it owns. Each decision the committee makes appears in the minutes with the names of the seats present and the conclusion (approve, defer, reject, request information). Each change to an artefact appears in that artefact's change log with the meeting reference. A regulator reading either trail can reconstruct what the rule was at any point in time.
Further reading
- Part of the Responsible AI in banking series.
- How to write an AI acceptable-use policy · one of the four artefacts the committee owns.
- The AI use-case register pattern · the second artefact.
- Vendor due diligence for AI models · how new entries land on the vendor approval list.
- AI governance at Veetso · the committee in context.