Governance that survives delivery pressure
← Insights

Practice

Governance that survives delivery pressure

VisionRelic·30 March 2026·9 min read

Why most AI governance frameworks collapse the first time a release date slips, and how to build ones that hold.

Governance frameworks fail at the same moment in every organisation. The release date slips, leadership asks who can move faster, and the controls quietly stop being checked. By the time the release ships, the model card is six weeks out of date, the risk register has not been reviewed, and the architecture review for the change that actually went out was waived under time pressure. Three releases later, this is the new normal, and the framework exists on paper only.

This is not a failure of discipline. It is a failure of design. Frameworks that collapse under delivery pressure were built on the assumption that delivery pressure would not happen. That assumption is always wrong. The interesting design question is not how to prevent the pressure, but how to build governance that bends without breaking when the pressure arrives.

The two failure modes

There are essentially two ways governance fails under pressure, and they require different fixes.

The first is bypass. A control exists, the team knows it exists, and they skip it because they decide the release matters more than the control. This usually happens with controls that live outside the team's normal workflow: a separate review board, a separate ticket queue, a separate approval system. When the calendar tightens, the things that require switching context are the first to go.

The second is staleness. A control exists, the team runs it, but the artefact it produces stops reflecting reality. The model card is updated for the launch and then never touched again. The risk register is filled in at the start of the project and never revisited. The supplier review happens once a year regardless of how often the supplier ships new versions. Staleness is more dangerous than bypass, because it produces a false sense of coverage.

Make controls inseparable from the work

The defence against bypass is to make the controls inseparable from the work itself. If the architecture review and the risk review are the same meeting, the team cannot skip one without skipping both, and skipping both is visible. If the model card is part of the launch checklist, and the launch is gated on the checklist being green, the model card cannot be left blank without blocking the launch the team is trying to achieve.

This requires governance to live where the work lives. If engineering uses Linear, governance lives in Linear. If decisions are recorded in Notion, governance is recorded in Notion. The moment governance moves to a separate tool, owned by a separate team, with a separate cadence, it becomes optional in a way that the engineering work is not. Optional things are the first to be cut.

Make staleness visible by default

The defence against staleness is to make staleness mechanically visible. Every governance artefact should carry a last reviewed date and a next review date. The next review date should trigger an actual notification, in the channel the responsible person uses every day, not a quarterly email summary. When a model card has not been reviewed in ninety days, the team should see a small but visible signal on the dashboard they already look at.

The dashboard matters more than people realise. Most organisations have an engineering dashboard that shows build status, test coverage, and uptime. Adding governance freshness to that dashboard takes a day of work and changes behaviour permanently. Most organisations resist this on the theory that governance should have its own dashboard. That is precisely the wrong instinct. Governance should appear next to the metrics the team already cares about, not in a separate view that they only open when they have to.

Design the escalation path before the incident

Every governance framework needs an escalation path: when something is unclear, who decides? This question almost never has a written answer until the first time it is needed, at which point the answer is improvised under pressure, usually badly. The escalation path should be designed up front, written down, and tested at least once before any real incident requires it.

A good escalation path has three properties. It names a person, not a team. The person it names is reachable in the channel the rest of the team already uses. And it has a clear timeout: if the named person does not respond within a defined window, the decision passes to a named alternate. Without the timeout, escalations stall on a single unreachable person, and the team learns that escalation is not a real option.

Give the framework an owner who ships

Governance frameworks that survive are owned by someone who is part of the delivery organisation, not adjacent to it. The owner should have shipped software before, should be respected by the engineering team, and should have the authority to say no to a release that has not gone through the controls. If the owner only has the authority to write reports about releases that bypassed the controls, the framework is decorative.

This is often politically uncomfortable. The instinct in most organisations is to put governance under the legal or compliance function, on the theory that those functions are independent. Independence is a real value, but it costs more than people expect. An independent governance function that does not understand delivery will produce controls that delivery cannot follow, and the delivery team will learn to route around them.

Test the framework with a fake incident

Once the framework exists, run a tabletop exercise on it. Invent a plausible incident: a model that started producing biased outputs after a routine retrain, a vendor that disclosed a breach affecting your data, a regulator request for documentation on a system that has been in production for two years. Walk through what would actually happen. Most organisations discover, in this exercise, that the framework they wrote is not the framework they would actually use under pressure.

The exercise is uncomfortable, which is the point. It surfaces the gaps before a real incident does, when the cost of surfacing them is only an afternoon of slightly awkward conversation rather than a public failure. Tabletop exercises should be run at least twice a year, and the framework should be revised in response to what they reveal.

What survives looks unremarkable

A governance framework that survives delivery pressure looks, from the outside, almost invisible. There is no separate governance team. There is no separate governance tool. There is no quarterly governance report that nobody reads. There is, instead, a slightly longer architecture review, a slightly more detailed launch checklist, a few more fields on the standard engineering dashboard, and a calendar with quarterly supplier reviews and twice-yearly tabletop exercises.

From the inside, it feels like the way the team has always worked, with a few additional habits that the team has internalised. That is the goal. Governance that you can see from across the room is governance that will be cut the first time the calendar gets tight. Governance that has become indistinguishable from how the team builds is governance that holds.