AI has become a genuine force multiplier for teams that have always been asked to do more than their headcount allows. Research, drafting, analysis, monitoring — AI tools are making a real difference in what small teams can get done. That’s not a novelty, it’s a practical reality most E&C leaders have already absorbed.
Meanwhile, someone has to govern AI across the enterprise, and that responsibility tends to land in ethics and compliance. Which means the same team adopting AI to keep up with their workload is also responsible for the risk management framework that controls how everyone else uses it.
That tension hasn’t gotten easier. Agentic AI, meaning systems that don’t just respond to queries but take action on behalf of users, connect to third-party tools, and execute multi-step tasks autonomously, raises the stakes considerably. When an AI agent has access to your CRM, your email, your data storage, and your communication platforms, a single over-broad permission or a careless prompt from an untrained employee can let the agent expose or act on data it was never meant to touch, across every system it is connected to.
And then there’s the workforce dimension. Organizations are now requiring employees to use AI: not just allowing it, but making it part of how the job gets done. That’s creating a new category of risk: employees who have been avoiding AI are suddenly expected to use it, and they are making mistakes they don’t know they’re making. Many can’t evaluate output quality or don’t know what to keep out of a prompt. Some, under enough time pressure, will try to configure an agent themselves with no guardrails in place.
This Is AI Governance 2.0
This is why AI governance is having a second, more serious moment. The first wave of AI policies was largely a response to the arrival of public AI tools — focused on ChatGPT access, data confidentiality, and acceptable-use rules. What’s needed now is governance that holds up to the current environment: agentic AI, mandatory adoption, third-party integrations, and a workforce at wildly varying levels of readiness.
A good start? Looking at what other organizations have already worked through. The Business Ethics Leadership Alliance (BELA) member hub has assembled AI governance documents from organizations that have done this work seriously. Here are four worth your time. (If you’re not a BELA member, we’ve provided links to where you can find most of these outside of BELA. Guest access to the BELA member hub is available on request.)
1. Prudential Financial — Ethical Principles of Artificial Intelligence
Prudential’s approach is foundational in the most useful sense: it doesn’t try to anticipate every use case. It defines seven principles covering all AI activity, from design and development through deployment and ongoing use. The principles address value alignment, human accountability, transparency, fairness, compliance, privacy and security, and governance controls.
This document works for E&C leaders because of the level at which it operates. It won’t tell you what to do about a specific agentic AI tool. But it gives you a values framework to apply when evaluating one. Prudential explicitly acknowledges the guidance will need updating as the field evolves. That signals Prudential built it to hold up, not just to record a position at a point in time.
Their concept of “AI Ethics by Design” is worth borrowing. Build ethical controls into AI business practices from the start, not after the fact. For E&C teams pulled into AI governance reactively, that framing offers a real path forward.
Access at Prudential: Prudential Financial — Ethical Principles of AI
Access on BELA: Prudential Financial — Ethical Principles of AI
2. HCA Healthcare — Responsible AI Policy
HCA Healthcare operates in one of the most complex AI governance environments imaginable. It has hundreds of affiliated facilities, multiple care settings, and patient safety stakes that leave no room for error. Their Responsible AI Policy reflects that complexity. That’s precisely why it’s worth reading outside of healthcare.
This is a working policy document, not a principles statement. It covers the full AI lifecycle: approving solutions, quality-checking outputs, and managing cybersecurity risk. It also sets vendor requirements and defines training requirements for all colleagues. On top of that, it establishes a Responsible AI Governance Council with real authority: the council can issue written go/no-go decisions on high-risk AI solutions.
Two elements stand out. First, the tiered risk-scoring system is worth replicating. It runs from low to critical and gives E&C teams a model for prioritizing oversight work across a large enterprise. Second, the policy explicitly prohibits “dark patterns”: using AI to manipulate user decisions through subliminal techniques. That’s ethical thinking that goes well beyond basic acceptable-use rules.
The vendor accountability language also deserves attention. HCA requires vendors to run their own Responsible AI programs. Vendors face periodic audits covering data privacy, security, and bias.
Access on HCA Healthcare: HCA Healthcare — Responsible AI Policy
Access on BELA: HCA Healthcare — Responsible AI Policy
3. Baker McKenzie — Generative AI Policy Template
The Baker McKenzie template is designed to be adapted, not adopted wholesale. BELA global partner Baker McKenzie built this as a customizable starting structure. Outside counsel should review any implementation before it goes live.
The template addresses the risk areas that matter most. It covers data confidentiality: no proprietary or trade secret data in prompts. And it requires independent verification of all AI-generated content before use. It mandates legal review before any AI-generated work product gets incorporated, and it defines unacceptable uses.
This template is particularly useful for organizations earlier in the governance process. It gives them a defensible starting structure to build from. The template also handles the intellectual property question directly, which many AI policies under-appreciate. AI-generated content may draw from copyrighted works. Using it without material human editing and legal review creates real exposure.
Access on BELA: Baker McKenzie — Generative AI Policy Template
4. IBM — Principles for Trust and Transparency in AI
IBM’s framework operates at the highest level of abstraction of any document in this group, and that’s intentional. Their Responsible Technology and Governance Framework starts with three foundational principles: AI should augment human capability, be grounded in responsible data governance, and operate with full transparency. From there, IBM identifies the pillars of trustworthy AI it builds on: transparency, fairness and human value alignment, robustness, and privacy.
What distinguishes the IBM approach is the governance infrastructure behind those principles. Their Responsible Technology Board isn’t a document. It’s an operating body that translates principles into practice across AI and emerging technologies. The board has published specific guidance on agentic AI. That makes this framework directly relevant to what E&C leaders are managing right now.
IBM frames the governance case in a way worth repeating internally: “Governance is like brakes on a car — they aren’t there to stop us; they give us the ability to drive faster.” That framing lands better with business leadership than arguments centered on risk and constraint.
Access on IBM: IBM — Principles for Trust and Transparency
Access on BELA: IBM — Principles for Trust and Transparency
Where to Go from Here
These four documents cover different levels of specificity and different organizational contexts. Together, they show the range of approaches actually working in practice. A financial services principles framework. A major healthcare system’s full policy architecture. A law firm’s customizable template. A technology company’s principles backed by an operating governance board. The variety is useful on its own.
E&C teams can learn directly from organizations that have already done this work. If you’re building or updating your AI governance program, start by reading what others have implemented. It’s a faster and more grounded starting point than building from scratch.
Sidebar: The Governance Gap Nobody’s Talking About Enough — AI Transcription and Recording
A question came in from the BELA community as we finished this piece. Does anyone have a policy on AI transcription and recording to share? And more broadly, what are organizations actually doing? Is it authorized? How long do they retain transcripts?
It’s a good question. None of the four governance documents above address it directly. That’s no criticism; it merely reflects where most AI policies still are. Transcription got into the enterprise before governance did.
The reason is structural. AI transcription isn’t a tool employees went looking for. It arrived embedded in software they were already using: Microsoft Copilot in Teams, Zoom AI, Google Meet, Otter.ai, Fireflies. One click to enable, and “AI notes are on.” Suddenly a third-party AI system is processing every meeting. Most organizations never made a deliberate policy decision about it.
The governance questions this raises are significant, and they compound quickly. Here are four things a sound policy needs to address:
- Consent and notification. This is a legal requirement in many jurisdictions. Recording consent laws vary considerably across U.S. states and internationally. AI transcription tools don’t always show participants that a record exists. Organizations that haven’t defined what notification participants need are carrying legal exposure they haven’t assessed. Many also haven’t defined who’s responsible for giving it.
- Data retention. A transcript of a meeting is a document. It can contain attorney-client privileged discussions, confidential HR matters, unreleased financial information, M&A conversations, or patient data. Most organizations have document retention policies. Far fewer have asked whether those policies apply to AI-generated transcripts. Fewer still have defined who controls where those transcripts live, or who can access them.
- Vendor data practices. What does the transcription tool do with your meeting content? Does the vendor use it to train models? How long do they keep it? These questions belong in a vendor risk assessment. For tools bundled with existing software subscriptions, organizations rarely ask them.
- The agentic dimension. The latest transcription tools don’t just record. They summarize, generate action items, draft follow-up emails, and push data to CRMs. That’s agentic behavior, carrying the same third-party integration risks discussed in the main piece above.
A sound policy defines which tools the organization approves. It specifies what notification participants need before recording begins. It lists which meeting types are off-limits: investigations, board sessions, and anything subject to a legal or litigation hold. It sets retention periods and access controls. And it defines what vendor commitments the organization requires.
Has your organization addressed this? If you have a transcription or AI recording policy you’re willing to share, we’d welcome it on the BELA member hub. This is exactly the kind of practical governance work the community benefits from seeing.