Business · Playbook · 13 min read · Published May 8, 2026

Ninety days from no governance to enforceable program — charter, risk register, audit cadence, ethics, all phased.

AI Governance Program: 30/60/90-Day Implementation Plan

Ninety days is the right horizon to move an AI governance program from intent to enforcement. This plan phases the work into three thirty-day windows — charter and risk register, audit cadence and incident runbook, ethics framework and quarterly hand-off — with owners, deliverables, and the enforcement levers that make the artefacts actually bite.

Digital Applied Team
AI governance · Published May 8, 2026
Sources: Field engagements

Plan horizon: 90 days (three nested 30-day windows)
Enforcement levers: 5 (documented vs enforced)
Risk categories: 8 (canonical register surface)
Audit cadence: Quarterly (anchored by monthly + weekly)

An AI governance program rolled out on a 30/60/90-day plan converts scattered policy artefacts into an enforceable operating loop. Days 1-30 stand up the charter, name the committee, and seed the initial risk register. Days 31-60 wire the audit cadence, model-update review process, and incident runbook so drift is caught while still cheap. Days 61-90 layer the ethics framework, the enforcement metrics that distinguish documented from operative governance, and the quarterly hand-off that makes the program sustainable past launch.

Most AI governance programs fail not at design but at enforcement. A charter that lives in Confluence with no escalation path, a risk register populated once and never revisited, an audit cadence that slips every time engineering hits a milestone — the artefacts exist, the enforcement does not, and the gap between the two is where incidents live. The 90-day plan exists to compress the investment that closes that gap into a window short enough to sustain executive attention and long enough to stand up the full operating loop.

This guide walks each thirty-day phase with its five named milestones, the enforcement design that separates documented from operative governance, the template kit teams need to ship the plan, and the four failure modes that consistently break programs in the field. The audience is the team running the program — governance lead, executive sponsor, engineering and security partners — not the team that has to sell the program to a board. By day 90 the artefacts exist, the cadence is operating, and the governance function has handed itself a quarterly rhythm it can run without bespoke executive air cover.

Key takeaways
  1. Governance is enforced or it is theatre. Every artefact in the 90-day plan pairs a written rule with a mechanism that makes the rule operative — escalation paths in the charter, quadrant walks in the register, eval gates on model updates, rehearsals on the incident runbook, forums for ethics review. Without the mechanisms the documents are governance theatre, useful for an auditor and useless against an incident.
  2. Charter is the artefact, cadence is the work. Teams optimise for charter polish and under-invest in cadence design, which is the wrong direction. A modest charter paired with a live monthly committee, a quarterly executive review, and a weekly engineering health check beats a beautiful charter that lives in a drawer. The cadence is what produces the decisions; the charter just lets the cadence happen.
  3. The risk register surfaces what the charter hides. The charter defines who decides. The register defines what they decide on. Programs that produce only a charter end up adjudicating every decision case by case with no shared baseline; programs that maintain a live register get a committee that already knows which risks are categorised, scored, and owned before the next decision lands.
  4. Ethics review must be a forum, not a checkbox. Gray-area use cases — synthetic media, scoring decisions, automated communications to vulnerable populations — need a forum where people who do not agree can disagree productively, conducted before implementation rather than after. A signed-off checklist eliminates the disagreement that produces the value. Concept-stage routing, six to eight diverse participants, written decisions with reasoning archived as precedent.
  5. Quarterly hand-off is the only sustainable rhythm. Programs that depend on bespoke executive attention past day 90 do not survive the first leadership transition. The 90-day plan's final milestone is a quarterly hand-off — committee runs itself, register walks itself, audits land on calendar without escalation, model updates clear gates without intervention. Anything that still needs the program lead to push at day 91 is a milestone that did not finish.

01 · Why 90 Days
Governance is enforced in 90 days or it stays theatre.

Ninety days is the smallest window that fits the full governance operating loop and the largest window that holds executive attention without slipping. Shorter and the work compresses into artefact production without the cadence design that makes the artefacts useful; longer and the program loses the momentum it needs to push through the enforcement decisions that produce disagreement. The 30/60/90 split mirrors the natural rhythm of the work: standing up the charter, wiring the operating cadence, and proving the program runs without bespoke air cover.

The reason most governance programs miss the window is the same reason most programs over-invest in the charter and under-invest in everything else. The charter is the visible artefact, the one an executive sponsor signs, and so it absorbs disproportionate attention. Meanwhile the cadence, the register methodology, the incident runbook rehearsals, and the ethics forum design — the actual operating loop — get squeezed into the final two weeks. The 90-day plan exists to redistribute attention from the visible artefacts to the invisible operating rhythm that makes governance bite.

The other failure mode worth naming is the 12-month rollout disguised as a strategic program. Twelve months of governance design produces zero enforcement until month twelve, at which point the design that was finalised in month two is already stale. Ninety days is short enough to ship something, observe how it behaves under real incidents, and revise from contact with reality rather than from a quarterly steering committee meeting that never gets the data it needs.

The honest framing
The win condition for day 90 is not a perfect governance charter — it is a complete kit that bites. A modest charter paired with a live register, a rehearsed incident runbook, monthly and quarterly cadences holding, and an ethics forum that has convened at least once beats a beautiful charter that lives in a drawer. Optimise for the operating loop, not the artefact polish.

The 30/60/90 split is not arbitrary. Each window has a structural reason. Days 1-30 are charter and register because without those two artefacts the work in days 31-60 has no anchor — the audit cadence cannot run without something to audit, the incident runbook cannot escalate without somebody to escalate to, the model-update review cannot decide without a register to update. Days 31-60 are operating cadence because the cadence is what produces the data that feeds days 61-90 — the enforcement metrics, the ethics forum's first cases, the quarterly hand-off readiness check. Days 61-90 close the loop and make the program self-sustaining.

Worth flagging — the 90-day window assumes a small but real standing capacity. A program lead at roughly half time, a committee that can convene monthly at ninety minutes, and partial allocations from engineering, security, legal, and product. Programs that try to run a 90-day rollout with the program lead at five percent and no committee allocations consistently miss day 60 and quietly slide into a 12-month effort. Capacity is the precondition, not the deliverable.

02 · Days 1-30
Charter, committee, initial risk register.

The first thirty days produce two artefacts and the rituals that keep them alive — the governance charter with its committee, decision rights, and escalation path; and the initial risk register populated across the eight canonical categories. Everything in days 31-60 assumes both artefacts exist; producing them at adequate depth in the first window is the load-bearing move of the program.

The five milestones below structure the window. Each names an owner, a deliverable, and the dependency that the next phase inherits. Milestone slippage in days 1-30 cascades into days 31-60 because the audit cadence cannot run against an unfinished register and the incident runbook cannot escalate to an uncommitted committee. Defend these milestones; renegotiate scope elsewhere first.

Day 5
Sponsor and committee named
Owner: Program lead · 5 days

Executive sponsor confirmed. Committee composition finalised — five to seven members spanning engineering, security or risk, legal or compliance, product, and an executive sponsor seat. Chair named with eighteen-month rotation. Quorum and emergency-convene protocol agreed. Without the committee the rest of the window has no decision-making body.

Foundation milestone

Day 12
Charter v1 drafted
Owner: Program lead · 7 days

Decision rights mapped — direct, advisory, delegated. Escalation path documented with challenge and emergency variants. Artefact owners assigned for register, audit cadence, model updates, incident runbook, ethics forum. Charter circulates for committee review; objections logged, not relitigated in v1.

Charter milestone

Day 18
Risk register categories seeded
Owner: Security director · 6 days

Eight canonical categories seeded — data leakage, model failure, vendor concentration, supply chain, bias and fairness, regulatory exposure, operational dependency, reputational. Severity and likelihood scales documented. Quadrant walk-through methodology agreed. Empty register is acceptable; structure is the deliverable.

Register milestone

Day 25
First register populated
Owner: Security director · 7 days

Initial entries populated across all eight categories — minimum two per category, ideally three to five. Each entry has severity, likelihood, current mitigation, residual risk, single named owner, review date. Quadrant map produced. The map is the artefact the committee will walk in days 31-60.

Register milestone

Day 30
Charter ratified, committee convenes
Owner: Executive sponsor · 1 day

Charter v1 ratified by the committee in its first formal meeting. Register walk-through performed for the inaugural top-right quadrant entries. Outstanding objections from charter draft re-surfaced or formally tabled. Days 1-30 closes with both artefacts live and the committee operative — not perfect, but operating.

Closing milestone

The structural decision that matters most in days 1-30 is committee composition. Too narrow and the committee cannot see the surface area; too broad and it cannot decide. Five to seven members is the band; getting beyond seven means the committee cannot ratify a charter in a single meeting and the program slips its first milestone. The chair rotation is the second decision that matters more than teams expect — eighteen months is long enough to learn the role and short enough that no single person becomes the de facto definition of governance.

The most common day 1-30 failure mode is over-investing in charter prose. The charter is a contract artefact; it does not need to read like a thought-leadership essay. A four-page charter with explicit decision rights and a working escalation path beats a twelve-page charter with three pages of mission statement. If the program is spending more than seven days on charter prose, redirect to the register — the prose can mature over the next quarter, the register cannot start producing decisions without a baseline.

"Days 1-30 produce two artefacts and the rituals that keep them alive — the charter and the risk register. Everything in days 31-60 assumes both exist." — 90-day governance plan, day 30 checkpoint

03 · Days 31-60
Audit cadence, model-update review, incident runbook.

The second window wires the operating cadence onto the artefacts. Audit rhythms get stood up at three nested cadences; the model-update review process is wired into engineering CI so silent vendor swaps cannot occur; the incident runbook is drafted and rehearsed at least once before day 60. By the end of the window the committee is no longer just ratifying a charter — it is running the artefacts the charter authorised.

The cadence work is where governance programs most commonly drift. Annual audits collapse three different time horizons into one ceremony; the 90-day plan replaces that with weekly, monthly, and quarterly rhythms that each have a different audience, deliverable, and escalation path. Wiring all three rhythms in the same window prevents the failure mode where the monthly stands up but the weekly never does and the quarterly slips into the next year.

Day 35
Weekly engineering health cadence
Owner: Engineering lead · 5 days

Thirty-minute engineering-led cadence stood up — eval pass rate, latency p95, cost per request, error class distribution, canary health. Async-friendly; output is a one-page health report. Escalation to the committee if anything red or trending red. Catches drift the day it starts rather than the quarter it compounds.

Operational rhythm

Day 42
Monthly committee cadence operating
Owner: Committee chair · 7 days

Ninety-minute monthly committee meeting holds its second occurrence inside the window. Standing agenda — register walk-through, open incident review, model-update queue, pending ethics-forum items, audit-finding remediation status. Output is a minuted decisions log. The decisions log is the artefact, not the meeting notes.

Committee rhythm

Day 48
Model-update review wired into CI
Owner: Engineering lead · 6 days

Four gates wired into engineering CI — eval, canary, rollback readiness, communication. Vendor model swaps cannot merge to production without the eval gate passing. Rollback authority documented; three roles (engineering lead, security director, on-call) can pull the trigger without committee re-approval, with post-fact ratification.

Process milestone

Day 55
Incident runbook drafted
Owner: Security director · 7 days

Four phases documented — detection, containment, communication, postmortem — with named owners, target times, severity tiers SEV-1 through SEV-4. Communication templates pre-written for internal, customer-facing, partner-facing audiences. Detection within thirty minutes, containment within sixty, communication within two hours, postmortem within ten business days.

Runbook milestone

Day 60
First incident rehearsal executed
Owner: Security director · 1 day

Tabletop rehearsal of a simulated SEV-1 or SEV-2 scenario walks every phase of the runbook. The rehearsal exposes the templates that reference dead Slack channels, the escalation lists with former employees, the rollback runbooks for renamed services. Findings feed a runbook v1.1 update; rehearsal cadence locked at quarterly.

Closing milestone

The model-update review is the highest-leverage milestone in this window. Vendors ship new model versions every few weeks; a governance program without an eval gate on production swaps absorbs vendor regressions silently until a customer or an internal eval surfaces them. Wiring the four gates into CI in days 31-60 prevents the standard anti-pattern — "the vendor said it benchmarks better, so we shipped it" — because the vendor's benchmark is not your eval suite, and your eval suite is the only measurement that gates a production swap.
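A sketch of how the four gates could be checked as one CI step. This is an added example, not code from the plan or its authors; the evidence record layout, the `suite` and `notice_ready` field names, the service names and the model identifiers are all assumptions made for illustration.

```python
import sys

# The three roles the plan allows to trigger a rollback without committee re-approval.
ROLLBACK_ROLES = {"engineering lead", "security director", "on-call"}


def changed_models(current, proposed):
    """Return {service: (old_id, new_id)} for every service whose model id differs."""
    return {svc: (current.get(svc), new)
            for svc, new in proposed.items() if current.get(svc) != new}


def gate_failures(old_model, new_model, evidence, baseline_pass_rate):
    """Check the four gates for one swap; an empty list means every gate passed."""
    failures = []
    # Eval gate: evidence must be bound to the exact model id being merged and
    # come from the team's own suite, not a vendor-published benchmark.
    ev = evidence.get("eval") or {}
    rate = ev.get("pass_rate", 0.0)
    if ev.get("model") != new_model:
        failures.append("eval: no run recorded for this exact model id")
    elif ev.get("suite") != "internal":
        failures.append("eval: result is not from the internal eval suite")
    elif rate < baseline_pass_rate:
        failures.append(f"eval: pass rate {rate:.2f} below baseline {baseline_pass_rate:.2f}")
    # Canary gate: the canary must have run against the same model id.
    canary = evidence.get("canary") or {}
    if canary.get("model") != new_model or not canary.get("healthy"):
        failures.append("canary: no healthy canary recorded for this model id")
    # Rollback readiness: previous model pinned as target, authorised role named.
    rollback = evidence.get("rollback") or {}
    roles = {r.lower() for r in rollback.get("authorised_roles", [])}
    if rollback.get("target") != old_model or not roles & ROLLBACK_ROLES:
        failures.append("rollback: previous model not pinned or no authorised role named")
    # Communication gate: the change notice exists before the merge, not after.
    if not (evidence.get("communication") or {}).get("notice_ready"):
        failures.append("communication: change notice not prepared")
    return failures


def review_change(current, proposed, evidence_by_service, baselines):
    """Return {service: [failures]} for swaps that must not merge."""
    blocked = {}
    for svc, (old, new) in changed_models(current, proposed).items():
        # Fail closed: a service with no recorded baseline needs a perfect eval run.
        fails = gate_failures(old, new, evidence_by_service.get(svc) or {},
                              baselines.get(svc, 1.0))
        if fails:
            blocked[svc] = fails
    return blocked


def _passing(old, new, rate):
    """Constructed evidence record in which every gate is satisfied."""
    return {"eval": {"model": new, "suite": "internal", "pass_rate": rate},
            "canary": {"model": new, "healthy": True},
            "rollback": {"target": old, "authorised_roles": ["on-call"]},
            "communication": {"notice_ready": True}}


# Constructed sample data (hypothetical services and model identifiers).
CURRENT = {"support-bot": "vendor-a/model-2026-01",
           "summariser": "vendor-b/model-v3",
           "classifier": "vendor-a/model-2026-01"}
PROPOSED = {"support-bot": "vendor-a/model-2026-04",
            "summariser": "vendor-b/model-v4",
            "classifier": "vendor-a/model-2026-04"}
BASELINES = {"support-bot": 0.93, "summariser": 0.90, "classifier": 0.91}
EVIDENCE = {
    "support-bot": _passing("vendor-a/model-2026-01", "vendor-a/model-2026-04", 0.94),
    # Only the vendor's own benchmark is on file: the swap the gate exists to stop.
    "summariser": {"eval": {"model": "vendor-b/model-v4", "suite": "vendor", "pass_rate": 0.99},
                   "rollback": {"target": "vendor-b/model-v3",
                                "authorised_roles": ["product manager"]}},
    # All paperwork present, but the internal eval regressed against baseline.
    "classifier": _passing("vendor-a/model-2026-01", "vendor-a/model-2026-04", 0.88),
}

if __name__ == "__main__":
    result = review_change(CURRENT, PROPOSED, EVIDENCE, BASELINES)
    for service, reasons in result.items():
        for reason in reasons:
            print(f"BLOCK {service}: {reason}")
    sys.exit(1 if result else 0)  # non-zero exit fails the CI job
```
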

The incident runbook rehearsal is the second highest-leverage milestone, and the one teams most often defer past day 60. The argument usually sounds like "we will rehearse once the runbook is finalised," which inverts the relationship — the runbook is finalised by rehearsing it. A real incident at day 75 against an unrehearsed runbook is the failure mode the window is designed to prevent. Defend the day 60 rehearsal; it is what proves the runbook works before it has to.

The cadence rule
The cadence that gets dropped first under pressure is the weekly. Resist that. The weekly is the rhythm that catches drift before it becomes the monthly committee's problem or the quarterly executive's problem. Cancelling the weekly to free engineering time is a false economy — the time saved comes back as monthly committee thrash or as a postmortem the quarterly never anticipated.

04 · Days 61-90
Ethics framework, enforcement metrics, quarterly hand-off.

The final window converts the artefacts and cadences from days 1-60 into a self-sustaining program. The ethics framework stands up the forum that handles gray-area use cases; enforcement metrics make the difference between documented and operative governance visible to the executive layer; the quarterly hand-off transfers the program from launch mode to standing rhythm. By day 90 the program runs without daily program-lead attention — that is the test, not whether all the artefacts exist.

The ethics framework milestone is the one most likely to be under-scoped. Teams treat it as a document — a value statement, a checklist, an attestation — and miss that the value is in the structured forum that convenes before implementation on disputed use cases. The 90-day plan treats the framework as the forum's charter rather than a free-standing artefact; the framework defines who attends, what they decide, how the decision is recorded, and what the appeals path looks like.

Day 67
Ethics forum convened
Owner: Head of Product · 7 days

Forum charter ratified — six to eight participants, concept-stage routing, written decision with reasoning, two-stage appeals path. First gray-area case routed and adjudicated — synthetic media, scoring decision, automated communication to vulnerable population, or similar. The first case is the forum's proof of concept; defer easier cases.

Forum milestone

Day 73
Enforcement metrics dashboard live
Owner: Program lead · 6 days

Dashboard published — committee meeting attendance, register entries with reviewed-in-window status, audit cadence completion rate, model-update gate pass rate, incident runbook rehearsal recency, ethics forum decisions in window. Five levers visible on one page. Distinguishes documented from operative governance at a glance.

Metrics milestone

Day 80
Quarterly executive review run
Owner: Executive sponsor · 1 day

First half-day quarterly executive cadence executes — charter fitness, register completeness, audit cadence health, model-update process review, incident runbook rehearsal verdict, ethics framework refresh. Quarterly governance review document published. The quarterly is the rhythm that survives the program lead's eventual transition.

Executive rhythm

Day 85
Program review against day 30 baseline
Owner: Program lead · 5 days

Day 90 readiness reviewed against day 30 deliverables — did the artefacts hold up under cadence pressure, where did milestones slip and why, which enforcement levers are weak, what does day 91-180 need to harden. The review is honest about what worked and what did not; the next quarter inherits the learnings.

Review milestone

Day 90
Hand-off to standing rhythm
Owner: Program lead → committee chair · 1 day

Program leaves launch mode. Committee chair owns monthly cadence; engineering lead owns weekly; executive sponsor owns quarterly; security director owns register and runbook; head of product owns ethics forum. Program lead transitions to roughly twenty percent allocation to coordinate the standing rhythm. Day 91 looks like day 121.

Closing milestone

The enforcement metrics dashboard is the most important deliverable in days 61-90 because it is the artefact that makes "governance is enforced or it is theatre" visible to the executive layer in a single screen. Five levers, one page — the page is the difference between a governance program the executive sponsor can defend at a board meeting and a program that exists on a wiki nobody opens. The dashboard becomes the standing artefact for the quarterly executive review.

The hand-off milestone is the test of whether the previous eighty-nine days produced a real program. A 90-day rollout that still depends on the program lead pushing at day 91 has not handed off; it has just relocated the dependency. The hand-off is real when the monthly committee meeting fires without a reminder from the program lead, the weekly engineering health check holds without escalation, the quarterly executive cadence lands on calendar six months out without renegotiation. Day 91 looks like day 121 — that is the win condition.

05 · Enforcement
Documented vs enforced — five enforcement levers.

The single most common failure pattern in AI governance is the document that exists but does not bite. A charter signed off by an executive sponsor that nobody references in a real decision. A risk register populated once and never revisited. An audit cadence on the calendar that gets moved every time engineering hits a milestone. The artefacts exist; the enforcement does not; the gap between the two is where incidents live.

Five enforcement levers separate documented governance from operative governance. Each lever takes a written rule and pairs it with a mechanism that makes the rule operative. The 90-day plan wires all five into the program — the charter has its escalation path, the register has its quadrant walk, the audit cadence has its rhythm, the model-update process has its CI gates, the ethics forum has its concept-stage routing. A program with any of the five levers missing is still partly theatre.

Lever 01
Charter escalation path

Decision rights without a challenge path are advisory at best. The escalation path names what happens when the committee cannot agree, when a decision is made outside the committee, and when a SEV-1 or SEV-2 incident requires emergency convening within four business hours. The path is what gives the charter teeth in a real disagreement.

Documented challenge + emergency path

Lever 02
Register quadrant walk

A register that is reviewed at the cadence it deserves — top-right quadrant monthly, top-left and bottom-right quarterly, bottom-left annually — produces decisions. A register that is reviewed all at once or never at all produces neither decisions nor governance. The quadrant walk is the lever that makes the register operative.

Quadrant-weighted cadence

Lever 03
Audit cadence triplet

Weekly engineering, monthly committee, quarterly executive. Each cadence has a different audience and deliverable; together they replace the annual ceremony that ratified outcomes that had already happened. Dropping the weekly leaves the monthly committee absorbing operational drift; dropping the quarterly leaves policy and framework drift unreviewed for a year.

Three nested rhythms

Lever 04
Model-update CI gates

Four gates — eval, canary, rollback readiness, communication — wired into engineering CI so production model swaps cannot merge without the eval gate passing. Without the gates wired into CI, the model-update review is a paper process that engineers route around when shipping pressure builds. The gates make the process structural rather than aspirational.

Wired into engineering CI

Lever 05
Ethics forum concept-stage routing

Routing the use case to the forum at concept stage rather than at launch preserves the option to redesign or decline. Routing after implementation produces justification theatre — the forum is implicitly asked to bless work that has already absorbed engineering investment. Concept-stage routing is the lever that makes the forum operative rather than ceremonial.

Forum convenes before implementation

Worth flagging — the levers are not independent. A charter with an escalation path but no quadrant-walked register leaves the committee adjudicating without baseline. A model-update CI gate without an audit cadence catches the swap but never reviews the swap-rate or the regression frequency. The five levers reinforce each other; partial implementation produces less than partial value. The 90-day plan wires all five because a governance program with three of them is still theatre on the other two.

For teams that want to map this against an audit framework, our 50-point vibe-coding policy audit cross-walks every enforcement lever to the audit points that would surface its absence. Running the audit at day 30 produces a baseline; running it again at day 90 produces a delta that quantifies the program's actual enforcement uplift.

06 · Templates
Charter, risk register, audit playbook.

The template kit below is the minimum viable artefact set for the 90-day plan. Three templates anchor the work — the charter contract, the risk register schema, and the audit cadence playbook. Two adjacent templates round out the kit — the model-update review process and the incident runbook — but they are documented at depth in the companion Stage 8 governance templates kit.

The YAML expressions below are contract artefacts, not production formats. Teams almost never use YAML in operating governance — the working artefacts are usually Confluence pages, Notion workspaces, or shared spreadsheets. Writing the contract first forces the structural decisions to be explicit before the prose softens them.

# Governance charter — 90-day plan template

charter:
  name: "AI Governance Committee"
  effective: "<window-start>"
  review_cadence: "annual + on-trigger"

  committee:
    chair: "VP Engineering"            # rotates every 18 months
    members:
      - "Director of Security"
      - "Director of Legal/Compliance"
      - "Head of Product"
      - "Director of Data"
      - "Engineering staff representative"
    executive_sponsor: "Chief Technology Officer"
    quorum: 4                          # of 5 voting members
    cadence: "monthly · 90 minutes"

  decision_rights:
    direct:                            # committee decides
      - "Approve new AI vendors above $50k ARR"
      - "Approve production deployment of agentic systems"
      - "Approve register additions of severity >= medium"
      - "Approve incident postmortems with regulatory exposure"
    advisory:                          # committee advises
      - "Model selection inside an approved vendor"
      - "Prompt practice within existing policy"
    delegated:                         # named owner decides
      - owner: "Engineering lead"
        scope: "Tier-C data on Tier-C approved tools"

  escalation:
    challenge_path:
      - "Raise dissent in committee meeting · minuted"
      - "If unresolved · written objection to executive sponsor"
      - "If unresolved · 30-day cooling-off · external advisor"
    emergency_path:                    # SEV-1 / SEV-2 incidents
      - "Convene within 4 business hours"
      - "Authority to suspend any agentic system pending review"
      - "Postmortem within 10 business days"

# Risk register — 90-day plan schema

register:
  categories:                          # canonical eight
    - "Data leakage"
    - "Model failure"
    - "Vendor concentration"
    - "Supply chain (training + tool chain)"
    - "Bias and fairness"
    - "Regulatory exposure"
    - "Operational dependency"
    - "Reputational"

  entry_schema:
    id: "<RR-NNN>"
    category: "<one of canonical eight>"
    statement: "<one-sentence risk>"
    severity: "Low | Medium | High | Critical"
    likelihood: "Rare | Unlikely | Possible | Likely | Almost certain"
    current_mitigation: "<mitigation in force>"
    residual_risk: "<remaining after mitigation>"
    owner: "<single named human>"
    review_date: "<next review per cadence>"

  cadence:
    top_right_quadrant: "monthly walk-through"
    top_left_quadrant: "quarterly walk-through"
    bottom_right_quadrant: "quarterly walk-through"
    bottom_left_quadrant: "annual walk-through"

  governance:
    register_owner: "Director of Security"
    new_entry_approval: "Committee for severity >= medium"
    retirement_approval: "Owner + committee acknowledgement"

# Audit cadence playbook — 90-day plan template

cadence:
  weekly:
    owner: "Engineering lead"
    duration: "30 minutes · async-friendly"
    audience: "Engineering"
    standing_agenda:
      - "Eval pass rate · trend"
      - "Latency p95 · trend"
      - "Cost per request · trend"
      - "Error class distribution"
      - "Canary health"
    output: "One-page health report"
    escalation: "To committee on red or trending red"

  monthly:
    owner: "Committee chair"
    duration: "90 minutes · in-person or hybrid"
    audience: "Committee"
    standing_agenda:
      - "Top-right quadrant register walk"
      - "Open incident review"
      - "Model-update queue"
      - "Pending ethics-forum items"
      - "Audit-finding remediation status"
    output: "Minuted decisions log"
    escalation: "To executive sponsor on unresolved month-end items"

  quarterly:
    owner: "Executive sponsor"
    duration: "Half-day"
    audience: "Executive + committee + program lead"
    standing_agenda:
      - "Charter fitness"
      - "Register completeness"
      - "Audit cadence health"
      - "Model-update process review"
      - "Incident runbook rehearsal verdict"
      - "Ethics framework refresh"
    output: "Quarterly governance review document"
    escalation: "To board or equivalent for material changes"

Worth pulling out — the audit cadence playbook is the template teams most often improvise rather than codify, and improvising it is what produces the "the weekly slipped, the monthly absorbed it, the quarterly never ran" failure pattern. Writing the standing agenda for each rhythm before the rhythm starts running protects the rhythm against ad-hoc reshuffling in week six.
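The risk register schema and its quadrant cadence can be checked mechanically before each committee walk. The following is an added example, not part of the original template kit: the quadrant boundaries (High and above, Possible and above), the day limits per cadence, the shared-owner heuristic and the sample entries are assumptions, since the plan names the quadrants without defining their thresholds.

```python
from collections import Counter
from datetime import date

CATEGORIES = ("Data leakage", "Model failure", "Vendor concentration",
              "Supply chain (training + tool chain)", "Bias and fairness",
              "Regulatory exposure", "Operational dependency", "Reputational")
SEVERITY = ("Low", "Medium", "High", "Critical")
LIKELIHOOD = ("Rare", "Unlikely", "Possible", "Likely", "Almost certain")
REQUIRED = ("id", "category", "statement", "severity", "likelihood",
            "current_mitigation", "residual_risk", "owner", "review_date")
MIN_PER_CATEGORY = 2  # "minimum two per category" from the day 25 milestone

# ASSUMPTION: longest allowed gap to the next review, in days, per cadence
# (monthly, quarterly, quarterly, annual).
MAX_DAYS = {"top_right": 31, "top_left": 92, "bottom_right": 92, "bottom_left": 366}
# ASSUMPTION: heuristic markers of a shared or placeholder owner.
SHARED_OWNER_HINTS = (",", "/", "&", " and ", "team", "tbd")


def quadrant(severity, likelihood):
    """Map an entry to a quadrant. Thresholds are assumed; because top-left and
    bottom-right share a cadence, the axis orientation does not change the result."""
    top = SEVERITY.index(severity) >= SEVERITY.index("High")
    right = LIKELIHOOD.index(likelihood) >= LIKELIHOOD.index("Possible")
    return ("top" if top else "bottom") + "_" + ("right" if right else "left")


def check_entry(entry, today):
    """Return a list of findings for one register entry (empty list = clean)."""
    findings = [f"missing {f}" for f in REQUIRED if not str(entry.get(f) or "").strip()]
    if entry.get("category") and entry["category"] not in CATEGORIES:
        findings.append("category not in canonical eight")
    sev, lik = entry.get("severity"), entry.get("likelihood")
    scales_ok = sev in SEVERITY and lik in LIKELIHOOD
    if sev and lik and not scales_ok:
        findings.append("severity or likelihood off the documented scale")
    if any(hint in str(entry.get("owner") or "").lower() for hint in SHARED_OWNER_HINTS):
        findings.append("owner is not a single named person")
    review = entry.get("review_date")
    if review and not isinstance(review, date):
        findings.append("review_date is not a date")
    elif review and scales_ok:
        quad = quadrant(sev, lik)
        days_out = (review - today).days
        if days_out < 0:
            findings.append(f"review overdue by {-days_out} days ({quad})")
        elif days_out > MAX_DAYS[quad]:
            findings.append(f"next review {days_out} days out exceeds {quad} cadence")
    return findings


def audit_register(entries, today):
    """Audit the whole register: per-entry findings plus under-populated categories."""
    per_entry, counts = {}, Counter()
    for entry in entries:
        found = check_entry(entry, today)
        if found:
            per_entry[entry.get("id") or "<no id>"] = found
        if entry.get("category") in CATEGORIES:
            counts[entry["category"]] += 1
    thin = sorted(c for c in CATEGORIES if counts[c] < MIN_PER_CATEGORY)
    return {"entries": per_entry, "thin_categories": thin}


def _entry(rid, category, severity, likelihood, owner, review, mitigation="in force"):
    """Build a constructed sample entry with placeholder text fields."""
    return {"id": rid, "category": category, "statement": "sample risk",
            "severity": severity, "likelihood": likelihood,
            "current_mitigation": mitigation, "residual_risk": "sample residual",
            "owner": owner, "review_date": review}


# Constructed sample register (hypothetical owners and dates).
TODAY = date(2026, 5, 8)
SAMPLE_ENTRIES = [
    _entry("RR-001", "Data leakage", "Critical", "Likely", "A. Example", date(2026, 5, 20)),
    _entry("RR-002", "Model failure", "High", "Possible", "Security team", date(2026, 9, 1)),
    _entry("RR-003", "Vendor concentration", "Low", "Rare", "B. Example", date(2026, 4, 1)),
    _entry("RR-004", "Prompt injection", "Medium", "Likely", "C. Example",
           date(2026, 6, 1), mitigation=""),
]

if __name__ == "__main__":
    report = audit_register(SAMPLE_ENTRIES, TODAY)
    for rid, found in report["entries"].items():
        print(rid, "->", "; ".join(found))
    print("categories below minimum:", ", ".join(report["thin_categories"]))
```
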

07 · Pitfalls
Four governance-program failure modes.

Four failure modes consistently break 90-day governance programs in the field. Each fails in a different window for a different reason. Calling them out before the program starts is the cheapest insurance the program can buy; recognising them mid-program is the second cheapest.

Pitfall 01
Charter perfectionism

Days 1-30 collapse into eight pages of charter prose and zero register entries. The program ratifies a beautiful charter at day 30, walks into days 31-60 with no register to audit against, and the cadence work falls behind because there is nothing to walk. Fix: charter ships at four pages with explicit decision rights and escalation path; prose matures over the next quarter.

Ship charter at four pages

Pitfall 02
Cadence dropping under pressure

Engineering hits a release milestone in week six and the weekly health cadence slips. The monthly committee absorbs the drift signal that the weekly should have caught. Three weeks later a customer surfaces an issue the weekly would have flagged. Fix: name the weekly as non-negotiable in the charter; make cancellation require executive-sponsor sign-off.

Weekly is non-negotiable

Pitfall 03
Ethics framework as checklist

Days 61-90 reduce the ethics framework to a one-page checklist with a sign-off box. The forum never convenes because the checklist is faster. The first gray-area use case ships at day 100 without forum review, surfaces a disparate-impact issue at day 130, and the postmortem cites the checklist as evidence of due diligence. Fix: framework names a forum, not a form.

Forum, not form

Pitfall 04
No hand-off, just relocation

Day 90 arrives. The program lead announces hand-off. Day 91, the monthly committee meeting needs a reminder. Day 95, the weekly engineering health check needs an escalation. Day 110, the quarterly executive review needs renegotiation. The program never handed off; it just rebranded the program lead's ongoing push as steady state. Fix: hand-off requires day 91 to look like day 121.

Day 91 = day 121

For teams running the 90-day plan in parallel with broader transformation work, our AI transformation engagements include the program lead capacity, the committee facilitation, and the first quarter of cadence operation — so the team inherits a working program rather than a template kit it has to assemble while also shipping product.

The 90-day plan is also a natural follow-on from a Stage 8 governance templates engagement. If the team has already stood up the templates via the Stage 8 pipeline kit, the 90-day plan converts the templates into an operating program rather than a documented capability. The two artefacts are complementary — templates without a plan stay on a wiki, plans without templates run on improvisation.

The pattern that catches teams
The failure mode that costs the most in real programs is pitfall four — the hand-off that is just a relocation. Programs that depend on the program lead pushing past day 90 do not survive the first leadership transition; the cadence collapses, the register goes stale, the runbook never gets rehearsed again. Day 91 has to look like day 121 — that is the only test that matters.
Conclusion

Governance is enforced in 90 days or it stays theatre — pick the path.

The trap in AI governance is treating the charter as the deliverable. The charter is a Confluence page. The deliverable is an operating loop in which a named committee makes named decisions on a named cadence, a live register surfaces the real surface area, audits at three rhythms catch drift before it compounds, model updates pass four gates before they ship, incidents follow a rehearsed runbook, and an ethics forum convenes early enough to shape design. The 90-day plan exists to stand up that loop in a window short enough to sustain executive attention and long enough to prove the loop runs.

The teams that get the 90-day plan right share one habit: they treat governance as a product. The charter has versions. The register has owners. The cadence has rituals. The model-update process has gates wired into CI. The incident runbook has rehearsals on the calendar. The ethics forum has a working archive of decisions. Each artefact is operated, reviewed, improved. The teams that get the 90-day plan wrong produce a charter at day 30 and watch the rest of the program slowly decompose into a wiki page that gets one visit a year from the auditor.

Practical next step: pick the weakest enforcement lever in your current state and rebuild it with an explicit mechanism this quarter. Charter without escalation? Add the escalation path and the chair rotation. Register without quadrant scoring? Add severity-times-likelihood and the monthly walk. Audit without cadence? Stand up the weekly. Fix one lever visibly and use the quick win to fund the next four. Day 90 is closer than it looks.

Stand up real governance

Governance is enforced in 90 days or it's theatre.

Our team stands up AI governance programs — charter, risk register, audit cadence, model-update review, ethics framework, enforcement metrics — with measurable outcomes.

What we deliver

90-day governance engagements

  • Governance charter (committee, decision rights, escalation)
  • Risk register with severity and likelihood scoring
  • Audit cadence playbook (weekly / monthly / quarterly)
  • Model-update review with eval gates
  • Ethics-review forum and enforcement metrics
FAQ · Governance 90-day program

The questions GRC teams ask before the program starts.

Five to seven members, broad enough to see the surface area and small enough to decide. The canonical composition is an engineering lead, a security or risk representative, a legal or compliance representative, a product or business owner, and an executive sponsor; teams with regulatory exposure add a compliance officer, and teams with significant data-science depth add a chief data role. The chair rotates every eighteen months to prevent the committee's identity from collapsing onto a single person. The executive sponsor is a separate role from the chair, by design — the chair runs the committee, the sponsor escalates when the committee is stuck. Quorum is typically four of five voting members; cadence is monthly for ninety minutes, with an emergency-convene protocol that fires within four business hours for SEV-1 and SEV-2 incidents.