AI Workflows · HR operating model · Updated June 2026
AI Governance for People Teams: How HR Owns the Policy the CEO Just Asked For
Governance is drifting from IT and Legal onto HR's desk, because the highest-risk AI use in any company is a decision about a person. Here is how to own it: the RACI, the review cadence, and a one-pager you can build today.
How HR should own AI governance, in plain terms: build three artifacts now. A RACI that names who is accountable for each AI use in people decisions, a recurring impact-assessment cadence that reviews high-risk uses for bias and legality, and a one-page summary an auditor reads in five minutes. AI drafts them; a named human owns the sign-off.
Key takeaways
- HR owns the riskiest slice. The most exposed AI use in any company is a decision about a person, which is exactly HR's domain. Governance lands here for a reason, not by accident.
- Three artifacts cover the core. A RACI for AI people decisions, a recurring impact-assessment cadence, and a one-page governance summary are enough to start owning it credibly.
- Cross-functional, HR-led. Governance is a shared effort with IT, Legal, and Security, but for people-affecting AI, HR is the natural accountable owner that pulls the others in.
- AI builds the artifacts, a human owns them. Claude can draft the RACI, the assessment template, and the one-pager fast. A named leader confirms each entry and signs off.
Why governance landed on HR's desk
For two years, AI governance lived with IT and Legal. IT worried about tools and security, Legal worried about contracts and the EU's rules, and HR was a stakeholder at best. That arrangement is quietly breaking, because the AI uses that carry the most legal and human risk turned out to be the ones HR runs: hiring screens, promotion tools, performance documentation, discipline recommendations. When a regulator or a plaintiff comes looking, they are not asking IT about the data center. They are asking who decided to use an algorithm in hiring and whether anyone checked it for bias.
So the CEO reads an article, hears that other companies are getting sued over AI hiring tools, and asks for "our AI governance policy." That request usually lands on HR, and a lot of People leaders freeze, because governance sounds like a giant framework that belongs to someone with a compliance title. It does not have to. The version of governance HR actually needs is narrow and ownable: the part that covers AI in people decisions, built from three artifacts you can produce this month.
Governance is not a framework you buy. It is three questions you can answer in writing: who owns this, how often do we check it, and could we explain it to an auditor.
The three artifacts that make governance real
Strip governance down to what an auditor or an executive actually wants to see, and it is three documents. Build these and you have moved from "we should do something about AI" to "here is how we govern it."
| Artifact | What it answers |
|---|---|
| The RACI | Who is responsible, accountable, consulted, and informed for each AI use in people decisions? |
| The impact-assessment cadence | How often do we review each high-risk AI use for bias, accuracy, and legality? |
| The governance one-pager | Could an executive or auditor understand how we govern AI in five minutes? |
The RACI is the spine. For every place AI touches a people decision, it names a single accountable owner, the people responsible for running it, the functions consulted (Legal, IT, Security), and who must be kept informed. Most governance failures are really ownership failures: a tool nobody clearly owned, a check nobody was assigned to run. The RACI closes that gap on paper before it becomes a gap in court.
The impact-assessment cadence borrows from the annual-assessment idea now appearing in state AI laws like Colorado's. You set a schedule, quarterly or annual depending on risk, to review each high-risk AI use for bias, accuracy, and continued legality. The cadence is what turns governance from a one-time document into a living practice, and it is exactly what a regulator wants to see when they ask "when did you last check this."
Build it with AI in an afternoon
Each of these three artifacts is a structured document, which is precisely what AI drafts well. Run this with Claude or your sanctioned tool, one artifact at a time.
Step 1: Inventory where AI touches people decisions
Before drafting anything, list every place AI influences a decision about a person: sourcing, screening, interview scoring, promotion, performance documentation, discipline. You cannot govern a use you have not found, and the inventory is the input for all three artifacts. This is human knowledge work; the model cannot find your shadow uses for you.
Step 2: Draft the RACI
Feed the inventory in and ask for the matrix. Example prompt: "You are helping an HR team build an AI governance RACI. Here are the places AI touches people decisions in our company: [paste your inventory]. For each one, draft a RACI row naming a responsible role, a single accountable owner, the functions to consult (suggest Legal, IT, Security where relevant), and who to keep informed. Use generic role titles, not real names. Flag any use where no clear owner is obvious."
Step 3: Build the impact-assessment template and cadence
Example prompt: "Draft an AI impact-assessment template for a single high-risk people-decision use. It should capture: what the tool does, what data it uses, the bias check performed and its result, the legal basis and applicable state notice requirements, the human reviewer of record, and the date of next review. Then propose a review cadence, quarterly for the highest-risk uses and annual for lower-risk ones, and explain the split in two sentences."
Step 4: Write the one-pager
Example prompt: "Using the RACI and the assessment cadence above, write a one-page AI governance summary an executive or auditor can read in five minutes. Cover: our principle (a named human owns every AI-influenced people decision), how we assign ownership, how often we assess, and how we keep records. Plain language, no jargon, one page."
Step 5: A named leader reviews, the cross-functional partners sign on, you publish
The model gave you three solid drafts. Now a human owns them. A named People leader reviews every RACI entry, confirms the legal references with counsel, and walks the one-pager through IT, Legal, and Security so the consulted functions actually agree to their roles. You date it, assign the accountable owner, and set the first assessment on the calendar. Save the prompts as templates so the next review cycle starts from your standard.
Paste-ready: AI governance one-pager
Use this as the frame for the auditor-facing summary. Fill the bracketed fields from your inventory and RACI, then route the legal line to counsel.
Principle. A named human owns every AI-influenced people decision at [company]. AI may assist; accountability stays human.
Scope. This governs AI used in people decisions: sourcing, screening, interview scoring, promotion, performance documentation, and discipline.
Ownership (RACI). For each AI use, one accountable owner is named, with responsible operators, consulted functions (Legal, IT, Security), and informed parties. RACI of record: [link or location].
Assessment cadence. Highest-risk uses (anything influencing hiring or termination) are reviewed [quarterly]; lower-risk uses [annually]. Each review checks bias, accuracy, and continued legality.
Recordkeeping. Each assessment records the tool, its data, the bias check and result, the legal basis and notice requirements, the human reviewer of record, and the next review date.
Owner and review. Accountable owner: [named People leader]. Effective date: [date]. Next assessment: [date]. Legal references reviewed by: [counsel].
Honest usage notes
The artifacts are fast to draft and slow to make real. AI will produce a clean RACI and a tidy one-pager in an afternoon, and that genuinely beats staring at a blank page. The value, though, is in the human work around it: actually finding your shadow AI uses, getting IT and Legal to commit to their consulted roles, and holding the assessment cadence when the calendar gets busy. A beautiful governance document that nobody follows is worse than none, because it creates a paper record you are not living up to.
Governance is also genuinely cross-functional, and HR owning the people-decision slice does not mean HR owns all of AI. Be precise about the boundary: HR is the accountable owner for AI that affects people decisions, and a consulted partner for the rest. Claiming more than that sets you up to own risks you cannot control. For the multistate legal pressure that makes this cadence necessary, our briefing on the AI employment law patchwork shows why a regular assessment is the safe posture, and our employee AI policy guide covers the companion artifact every governance program needs.
Guardrails
Do not let AI assign accountability
The model can suggest a RACI structure, but a real human must own each accountable role and agree to it. Accountability that nobody actually accepted is a governance document, not governance. Walk the matrix through the people named in it before it is final.
Do not let the one-pager outrun the practice
A polished governance summary that describes assessments you do not actually run is a liability. Only claim the cadence you will hold. It is better to document a quarterly review you keep than an ideal one you skip.
Verify the legal references
The impact-assessment template touches state notice requirements and discrimination law that vary by jurisdiction and change quickly. AI can draft the references and get a detail wrong. Route the legal pieces to counsel before the governance program is published. The broader HR workflow playbook covers where these guardrails fit across the function.
How we built this workflow
This three-artifact approach and the prompt set reflect hands-on use of AI to draft structured governance documents from a real inventory of uses, where the reliable pattern is inventory-first, draft, human-confirms-accountability. The impact-assessment cadence echoes the annual-assessment requirements appearing in state AI laws, which we reference rather than restate as legal advice. We do not publish invented adoption statistics or fabricated audit outcomes. Confirm the legal references against current guidance and counsel before relying on this page.
What to do this quarter
You do not need a governance team or a new platform to answer the CEO's question. Block an afternoon, inventory where AI touches people decisions, and build the three artifacts with the prompts above. By the end of the day you have a RACI that names owners, an assessment template and cadence, and a one-pager an auditor could read. Then do the slower, more important work: walk it through Legal, IT, and Security, and put the first assessment on the calendar.
That is what owning governance actually looks like for a People team. Not a hundred-page framework, but three clear artifacts and the discipline to keep them alive. The People leaders who win this moment are the ones who stop waiting for someone else to own AI in people decisions and credibly own it themselves, with a human accountable for every call.
Frequently asked questions
Why is AI governance becoming HR's responsibility?
Because the highest-risk AI uses in a company are decisions about people, and those are HR's domain: hiring screens, promotion tools, performance documentation, and discipline recommendations. When a regulator or plaintiff investigates, they ask who chose to use an algorithm in a people decision and whether anyone checked it. That accountability naturally lands on HR, so governance for people-affecting AI lands there too.
What does an AI governance program need at minimum?
Three artifacts: a RACI that names who is responsible, accountable, consulted, and informed for each AI use in people decisions; an impact-assessment cadence that reviews each high-risk use on a set schedule for bias, accuracy, and legality; and a one-page governance summary an executive or auditor can read in five minutes. Build those and you have moved from intention to a real, ownable program.
Does HR own all of AI governance?
No. Governance is cross-functional, shared with IT, Legal, and Security. HR is the accountable owner for AI that affects people decisions and a consulted partner for the rest. Being precise about that boundary matters: claiming ownership of all AI sets HR up to own risks it cannot control, while owning the people-decision slice is both credible and defensible.
How often should we run AI impact assessments?
Set the cadence by risk: quarterly for the highest-risk uses, such as anything influencing hiring or termination, and annual for lower-risk uses. The recurring schedule, echoing the annual-assessment requirements appearing in state AI laws, is what turns a one-time document into a living practice and what a regulator wants to see when asking when you last checked a tool.
Can AI build our governance documents?
AI can draft the RACI, the impact-assessment template, and the one-pager quickly from your inventory of uses, which is a real time saver. It cannot assign real accountability, confirm that named owners accept their roles, or verify legal references that vary by jurisdiction. A named People leader reviews every entry, walks it through the cross-functional partners, routes legal pieces to counsel, and owns the result.
Own the policy, build the system
Drafting a governance one-pager is the easy part once you have the structure. The harder skill is building a program that actually holds: finding the shadow uses, getting cross-functional buy-in, running the assessments on schedule, and keeping the records that survive an audit. That is what we teach: a practical system for putting AI to work across HR and governing it credibly, without ever handing the accountability to a machine.
Sources: TLY hands-on use of AI to draft structured governance documents from a use inventory (June 2026); impact-assessment cadence informed by annual-assessment requirements appearing in state AI employment laws, referenced rather than restated as legal advice. Requirements vary by jurisdiction and change quickly; verify legal references against current guidance and counsel before relying on this page.