This AI governance RACI template covers 12 activities that show up in real governance programs at teams of 5–50. Jump to the matrix or keep reading for role descriptions and common gaps.
Most AI governance failures aren't technical — they're organizational. A tool gets approved by nobody in particular, a data breach sits unreported because nobody knows they're the incident owner, and the vendor DPA review never happens because everyone assumed legal was handling it.
A RACI matrix fixes this by making the answer to "who does what" explicit for every governance activity.
At a glance: 12 activities, 4 role types (R/A/C/I), copy-paste into a spreadsheet, adapt role names to match your org chart.
How to read the RACI
- R — Responsible: Does the actual work. Can be more than one person.
- A — Accountable: Owns the outcome; the one person who signs off. Must be exactly one person per activity.
- C — Consulted: Provides input before the decision. Two-way communication.
- I — Informed: Notified of the outcome. One-way communication; does not need to be involved.
If a cell is blank (shown as — in the matrix below), nobody is assigned. That is usually a gap: fill it, or record explicitly that the activity is out of scope for that role.
The RACI matrix
| Activity | AI Lead / Policy Owner | CTO / Head of Eng | CEO / COO | Legal Counsel | Tool Sponsor (Team Lead) | All Staff |
|---|---|---|---|---|---|---|
| Approve new AI tool | R | C | A | C | R | — |
| Maintain AI tool register | R | A | I | — | I | — |
| Update acceptable use policy | R | C | A | C | I | I |
| Conduct quarterly AI review | R | C | A | — | C | — |
| Respond to AI incident (first 24h) | R | R | A | C | R | I |
| Manage vendor contracts / DPAs | C | R | A | R | — | — |
| Assess third-party AI tool risk | R | C | A | C | C | — |
| Train staff on AI policy | R | I | A | — | C | R |
| File EU AI Act documentation | R | C | A | C | — | — |
| Handle employee AI complaint | R | — | A | C | C | — |
| Review AI tool cost and sprawl | R | R | A | — | C | — |
| Approve AI use in hiring/HR | C | — | A | R | — | — |
Copy this into a spreadsheet. Replace "AI Lead / Policy Owner" with a named person, and "Tool Sponsor" with the lead who owns each specific tool. Leave genuinely unassigned cells blank: a visible blank is a gap you can fix later, while a made-up assignment hides it.
Role descriptions for small teams
Most small teams don't have a dedicated AI compliance officer. Here's what each role looks like in practice:
AI Lead / Policy Owner — usually the Head of Product, CTO, or a senior engineer who cares about governance. Owns the AI register, chairs the quarterly review, and is the first call when a new tool request comes in. This is a part-time responsibility, not a full-time job. In a team under 20 people, 2–4 hours per month is typical outside of incident periods.
Tool Sponsor — the team lead who requested the tool or whose team uses it. Responsible for keeping usage within policy, flagging incidents, and attending the quarterly review for their tool. One sponsor per tool; if a tool spans multiple teams, pick the primary owner.
Legal Counsel — in-house or external. Responsible for reviewing DPAs and vendor contracts, and Consulted on tool approvals, policy updates and EU AI Act documentation. For teams without in-house counsel, route these to the external firm on a fixed-scope basis: a straightforward DPA review is often under an hour of legal time, though complex or novel vendor terms take longer.
Common gaps this matrix reveals
Gap 1 — No A on tool approval. If everyone can approve tools, the register is always out of date. Assign exactly one Accountable person (usually CEO or CTO) and route all approvals through them.
Gap 2 — No R on vendor DPA. Legal gets consulted, but nobody owns sending the request, so it never goes out. Name one person Responsible for issuing the DPA request (the CTO in the matrix above, or the AI Lead if that fits your team better), make Legal Responsible for the review, and keep sign-off with the single Accountable owner.
Gap 3 — Tool Sponsor column is empty. Happens when tools are adopted without a named owner. Start with the AI register — every row must have a named sponsor.
Gap 4 — All Staff column overloaded. If All Staff is Responsible for too many activities, the governance burden falls on employees who have no context. Keep All Staff limited to training attendance and incident reporting.
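The reading rules and the four gaps above are mechanical enough to check automatically. The following linter is an added worked example, not part of the original template: it parses a markdown RACI table in the format used on this page and reports rows with no Accountable, more than one Accountable, or no Responsible, columns that are entirely blank, and an All Staff column with too many R's. The sample table inside it is constructed from a subset of this page's matrix with rows deliberately altered so that each check fires; the role names, the All Staff threshold of two R's, and the function names are assumptions of the example.

```python
"""Lint a RACI matrix against the reading rules and common gaps above.

Added example, not code from the original page. It parses a markdown table
and reports the gaps the page describes. The sample matrix below is
constructed from a subset of the page's table with rows deliberately
altered so each check has something to report.
"""

from __future__ import annotations

# Constructed sample (assumed role names). Alterations from the page:
# the register row has no A, the DPA row has no R, the hiring row has
# two A's, and the Tool Sponsor column is entirely blank.
SAMPLE_RACI = """
| Activity | AI Lead | CTO | CEO | Legal | Tool Sponsor | All Staff |
|---|---|---|---|---|---|---|
| Approve new AI tool | R | C | A | C | — | I |
| Maintain AI tool register | R | I | I | — | — | — |
| Manage vendor contracts / DPAs | C | C | A | C | — | — |
| Approve AI use in hiring/HR | R | — | A | A | — | — |
"""

BLANK = {"", "-", "—", "–"}          # ways an unassigned cell is written
VALID = {"R", "A", "C", "I"}


def parse_raci(markdown: str) -> tuple[list[str], dict[str, dict[str, str]]]:
    """Return (role names, {activity: {role: letter}}) from a markdown table."""
    rows = [
        [cell.strip() for cell in line.strip().strip("|").split("|")]
        for line in markdown.strip().splitlines()
        if line.strip().startswith("|")
    ]
    header, body = rows[0], rows[2:]   # rows[1] is the |---| separator line
    roles = header[1:]
    matrix: dict[str, dict[str, str]] = {}
    for row in body:
        if len(row) != len(header):
            raise ValueError(f"row has {len(row)} cells, expected {len(header)}: {row}")
        matrix[row[0]] = {role: cell.upper() for role, cell in zip(roles, row[1:])}
    return roles, matrix


def lint_raci(markdown: str, staff_role: str = "All Staff",
              max_staff_responsible: int = 2) -> list[str]:
    """Apply the page's rules and return one finding per violation."""
    roles, matrix = parse_raci(markdown)
    findings: list[str] = []

    # Row checks: exactly one A, at least one R, only known letters.
    for activity, cells in matrix.items():
        assigned = {role: c for role, c in cells.items() if c not in BLANK}
        if not assigned:
            findings.append(f"{activity}: no assignments at all")
            continue
        for role, c in assigned.items():
            if c not in VALID:
                findings.append(f"{activity}: unknown letter {c!r} for {role}")
        accountable = [r for r, c in assigned.items() if c == "A"]
        responsible = [r for r, c in assigned.items() if c == "R"]
        if not accountable:
            findings.append(f"{activity}: no Accountable (Gap 1)")
        elif len(accountable) > 1:
            findings.append(f"{activity}: {len(accountable)} Accountable "
                            f"({', '.join(accountable)}), must be exactly one")
        if not responsible:
            findings.append(f"{activity}: no Responsible (Gap 2)")

    # Column checks: an empty column (Gap 3) and an overloaded All Staff column (Gap 4).
    for role in roles:
        column = [cells[role] for cells in matrix.values()]
        if all(c in BLANK for c in column):
            findings.append(f"{role}: column is empty (Gap 3)")
        r_count = column.count("R")
        if role == staff_role and r_count > max_staff_responsible:
            findings.append(f"{role}: Responsible for {r_count} activities, "
                            f"limit is {max_staff_responsible} (Gap 4)")
    return findings


if __name__ == "__main__":
    for finding in lint_raci(SAMPLE_RACI):
        print(finding)
```

Paste your own matrix in place of the sample and run the script; an empty result means every row has one owner and at least one doer, and no role column is silently unused.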
Simplified AI governance RACI for teams under 15 people
If a full RACI feels like overkill, start with this stripped-down version covering the five activities that cause the most real-world problems:
| Activity | Who does it | Who owns it |
|---|---|---|
| Approve a new AI tool | AI Lead (or CTO) | CEO |
| Report an AI incident | Person who discovers it | CTO |
| Update the tool register | AI Lead | CTO |
| Review vendor DPAs | Legal | CTO |
| Train staff on policy | AI Lead | CEO |
Start here. Move to the full matrix when you reach 15–20 people or add a high-risk AI system (hiring, customer-facing, medical).
Connecting the RACI to your other governance documents
The RACI works alongside two other documents. The acceptable use policy defines what staff can and cannot do with AI tools; the AI Lead owns updates, and all staff are Informed of changes at the quarterly review. The AI tool register is the authoritative list of approved tools, one row per tool with owner and DPA status, maintained by the AI Lead with input from tool sponsors. The incident response plan covers what happens in the first 24 hours when an AI system fails, leaks data, or produces harmful output; the first responder named in the IRP should be one of the people holding an R on the incident response row of this RACI, and the person holding the A on that row signs off on the response.
Think of this as your AI responsibility matrix — a single reference that maps every governance activity to a named person. Keep all three documents in the same folder (Notion, Confluence, Google Drive) with links between them.
Note: some teams use RASCI (adding S for a Supporting role). This template uses the standard four-letter RACI, which covers the vast majority of small-team governance setups without adding a fifth letter most teams never use.
