· Zenous Team  · 3 min read

AI Governance for Delivery Organizations: A One-Page Model That Survives an Audit

AI governance budgets are real now, and auditors arrive with questions your operating model has to answer. Here is the one-page governance model we use on programs where agents do part of the work.

AI governance budgets are real now, and auditors arrive with questions your operating model has to answer. Here is the one-page governance model we use on programs where agents do part of the work.

Gartner puts enterprise AI-governance spending near half a billion dollars in 2026, on its way past a billion by 2030. That money is not buying philosophy. It is buying answers to five questions an auditor now asks any program where AI touches delivery: who authorized this agent, what may it touch, who owns its output, where is the evidence, and what happens when it is wrong.

Most delivery organizations cannot answer all five. The governance documents they do have were written for model risk in data science teams, not for agents opening tickets and drafting change requests inside a program. The gap is not intelligence. It is decision rights.

The one-page model

We scope AI governance for delivery organizations onto a single page with four sections. If it does not fit on a page, it will not survive contact with a program team.

1. Registry

Every agent that reads or writes program systems gets a line in a registry: name, owner (a person, not a team), systems touched, and authorization date. Shadow agents are the 2026 equivalent of shadow IT, and the first audit finding is always the same: the organization did not know what was running. A registry costs an afternoon. The finding costs a quarter.

2. Authority map

For each agent, three columns: may do alone, may draft for human sign-off, may not touch. A reporting agent that drafts executive commentary sits in column two. Nothing that moves money, changes scope, or communicates externally belongs in column one. The map forces the conversation most teams skip: what are we actually delegating?

3. Evidence trail

Every agent action that lands in a system of record carries three facts: the invoking human, the agent identity and version, and the prompt or instruction that produced the output. This is change control adapted to non-human change-makers. Programs that skip it collect audit findings even when nothing broke, because the trail is the control.

4. Failure protocol

Agents fail differently from people: confidently, at volume, and without noticing. The protocol is one paragraph: how errors are detected, who rolls back, and what gets reviewed before the agent runs again. Write it before the first incident. After the incident it becomes politics.

What this costs, and what it buys

Standing this up on a mid-size program takes one to two weeks: a workshop for the authority map, a spreadsheet for the registry, a template change for the evidence trail. It is unglamorous work.

What it buys is speed. Teams with a governance page delegate more to agents, not less, because the boundaries are explicit and nobody is guessing what needs sign-off. The programs that stall on AI adoption are usually not blocked by risk appetite. They are blocked because nobody holds the authority to say what an agent may do. A one-page model unblocks that decision.

Where to start

Run the registry exercise first. Ask every program lead which AI agents read or write their systems, procured or not. The list will be longer than anyone expects, and it turns an abstract governance debate into a concrete backlog: these twelve agents, these owners, this authority map.

If your programs already run agents and nobody can produce the page, that is a finding waiting to be written. An independent delivery audit covers agent governance alongside the classic delivery health checks, and the project audit checklist gives you the self-assessment version. When you want the page written for your portfolio, book a consultation.

Back to Blog

Related Posts

View All Posts »