Most digital teams don’t struggle because of the method - They struggle because governance doesn’t match the method.

Rule 3 – Align Governance With Methodology

A transformation can run on Agile, Waterfall, or Hybrid. But each model needs its own governance layer. When the method and the structure don’t align, delays and confusion show up instantly. Here’s what alignment looks like in real delivery:

📘 Agile – fast cycles, living documentation | Agile governance evolves sprint by sprint
• Documentation updated every sprint
• Decisions captured directly in Jira or Confluence
• Ownership reinforced in retro logs
• Visibility shared across squads
Agile fails when teams try to apply Waterfall approvals to Agile sprints.

📗 Waterfall – gates, approvals, predictability | Waterfall governance relies on structured checkpoints.
• Document milestones and validation gates
• Keep a defined approval chain
• Link ownership to each deliverable
• Validate scope before progression
Waterfall fails when decisions move informally without documented trace.

📙 Hybrid – both, but structured | Hybrid blends the speed of Agile with the clarity of Waterfall.
• Sprint cadence for momentum
• Monthly governance gates for alignment
• One single governance hub for decisions, RACI, risks, changes
Hybrid fails when each team runs its own rules without a central structure.

Governance is not about choosing a method - It’s about structuring the method you choose! When governance matches delivery, teams stop fighting the system and start delivering clarity.

💬 What’s the biggest governance challenge you face in Agile, Waterfall, or Hybrid?
Process Governance Models
Summary
Process governance models are structured frameworks that organizations use to oversee, direct, and monitor their business processes, ensuring decisions are made consistently and risks are managed. These models combine clear roles, checkpoints, and layers of oversight to align methods, maintain transparency, and build trust across teams.
- Select suitable framework: Choose a governance model that aligns with your workflow, whether it’s Agile, Waterfall, hybrid, or tailored for AI and machine learning projects.
- Define clear roles: Assign responsibility, accountability, and communication channels so everyone involved understands their part in process decisions and oversight.
- Implement layered controls: Establish foundational principles, risk assessments, and operational checkpoints to ensure compliance and reduce uncertainty throughout the project lifecycle.
-
🧩 I’ve heard the objection more than once: “ISO42001 is just a management system standard. It’s not governance.”

I do get it and appreciate the pushback. The structure mirrors other ISO standards: context, leadership, planning, performance, and that makes it easy to assume it’s focused on operational control. But if you stop there, you miss the bigger picture.

➡️What does “Governance” mean?

ISACA’s #COBIT defines governance through the lens of the processes of Evaluate, Direct, and Monitor. This isn’t the same as managing daily activities. Governance is about setting purpose, overseeing accountability, and ensuring the organization stays aligned with stakeholder expectations.

Here’s the key: #ISO42001 requires all three of those governance functions.

🔸Evaluate – Clause 4 requires organizations to understand external pressures, stakeholder concerns, and the purpose of the AI systems they use. Clause 6 builds on this with AI-specific risk assessment and AI system impact assessments. These aren’t simple check-the-box activities, they’re structured mechanisms to evaluate implications before action.

🔸Direct – Clause 5 puts top management on the hook to establish AI policies, assign roles, and make sure AI initiatives align with organizational objectives. This is how strategic intent gets defined and reinforced.

🔸Monitor – Clause 9 introduces internal audits, performance evaluation, and management reviews. Clause 10 brings in continual improvement and corrective action. This isn’t “set it and forget it.” These are the feedback loops that keep the governance system responsive.

But yes, there’s clearly also management. And ISO42001 is very explicit in what it expects on that front.

🔹Management activities show up across Clauses 6, 7, and 8: 6.1 requires planning for AI-specific risks and opportunities, not just identifying them but taking action and integrating those actions into the system.

🔹7.2–7.4 cover resourcing, competence, awareness, and communication. These are core management responsibilities to support operational execution.

🔹8.1–8.4 go deeper into operational control of AI systems, requiring lifecycle planning, system-specific risk treatments, and validation of AI system impact.

These are management-level processes that carry out the strategy, policy, and oversight defined at the governance layer.

So no, despite its name, ISO42001 is not just a management system standard. It is a governance system that includes and directs management activities. It's a value creation tool.

If you’ve worked with COBIT before, you’ll recognize the pattern. Evaluate, Direct, and Monitor sit at the top, while APO, BAI, DSS, and MEA processes carry out and sustain the system underneath. The structure is deliberate. Governance drives management. Management executes governance.

When we understand both layers, we stop looking at ISO42001 as just an operational tool and start recognizing it as the system of record for AI oversight.
-
AI governance sounds boring until your model halts production. Or leaks customer data. Or makes a biased hiring decision.

We built AI governance from scratch last year. Here's the framework that keeps us compliant, ethical, and fast.

The AI Governance Pyramid. Five layers. Most teams skip straight to the top. That's why their AI implementations fail audits, break trust, or get shut down.

Layer 1 (Foundation): Ethics & Principles. This is your "why we use AI" layer. Define your red lines before you build anything. What won't you automate? What decisions require humans? What bias are you willing to tolerate (spoiler: none)? We documented ours in a 2-page ethics charter. Every AI project gets measured against it. If it violates the charter, we don't build it. No exceptions.

Layer 2: Data Governance. AI is only as good as your data. And your data is probably a mess. Where does it come from? Who owns it? How long do you keep it? What can't you use? We created a data classification system. Public. Internal. Confidential. Restricted. Each AI model gets assigned a data tier. If you need restricted data, you need executive approval.

Layer 3: Risk & Compliance. This is where legal and security teams get involved. What regulations apply? GDPR? CCPA? Industry-specific rules? What happens if the AI makes a wrong decision? We run a risk assessment on every AI project. Low risk = fast approval. High risk = board review. Most teams skip this layer. Then spend months fixing compliance issues after launch.

Layer 4: Operational Standards. How do you actually build and deploy AI safely? Model testing protocols. Version control. Access permissions. Monitoring and alerts. We created AI deployment checklists. No model goes live without passing every checkpoint. This layer is boring. It's also what prevents disasters.

Layer 5 (Peak): Execution & Innovation. This is where most teams start. "Let's build a chatbot." "Let's automate this workflow." But without the four layers underneath, you're building on sand. When you have the foundation, execution is fast. You know what's allowed. You know how to build safely. You know how to scale without breaking things.

Here's what we learned. Most AI failures aren't technical failures. They're governance failures. Someone skipped a layer. Someone didn't document data sources. Someone didn't assess risk. The pyramid looks slow. It's actually what lets you move fast without breaking everything.

Which layer does your org skip?

Found this helpful? Follow Arturo Ferreira and repost ♻️
-
Does governing traditional software require the same controls as governing machine‑learning models? Governance for traditional software and #machinelearning (ML) models differs because of their core principles: traditional software is deterministic, while ML models are probabilistic. As a result, governance requirements vary in areas such as validation, risk management, lifecycle control, explainability, human oversight, and change control. Traditional software relies on fixed validation and explicit procedural oversight. In contrast, ML governance requires ongoing validation, monitoring for performance and data drift, formal explainability, and structured human oversight to address emerging risks and uncertainties. An effective governance framework combines both approaches to address the challenges posed by deterministic software and evolving ML systems. It includes five layers: foundational governance for all systems, software governance for deterministic software, ML governance for ML models, integrated controls for hybrid systems, and continuous assurance for ML performance monitoring and regulatory compliance. https://lnkd.in/etph_TfH
-
Strong leaders know: good decisions aren’t just about instincts or expertise - they come from the process we use to make them. Here are a few practical frameworks that help bring clarity, speed, and alignment:

RAPID (Recommend, Agree, Perform, Input, Decide)
Helps clarify who does what in the decision process. Avoids confusion by assigning roles, so decisions don’t get stuck in endless loops.

RACI (Responsible, Accountable, Consulted, Informed)
Perfect for cross-functional work. It defines ownership and communication so everyone knows their role, whether they’re driving, deciding, or simply staying in the loop.

Decision Matrices
A structured way to evaluate options against weighted criteria. Useful when facing complex trade-offs with multiple variables.

Pre-mortems
Imagine the decision has failed, ask why and plan against those risks. It strengthens resilience and highlights blind spots.

Two-Way Door vs. One-Way Door (Jeff Bezos’ model)
Some decisions are reversible (two-way doors) and can be made quickly. Others (one-way doors) need deeper analysis. The trick is knowing which is which.

How to implement these models:
• Pick one framework and try it in your next project decision.
• Train teams gradually, introduce tools in small steps so they stick.
• Debrief regularly, review not just outcomes, but how decisions were made.

The right process won’t remove uncertainty but it will reduce wasted time, clarify accountability, and make outcomes stronger.
-
📄 New paper: Orchestrating and Designing Data Collaboratives: What Governance Model is Fit for Purpose?

I get asked this a lot:
👉 What’s the difference between a data trust, a data union, a data commons…?
👉 And more importantly—when should you use which?

Too often, these models are treated as competing “solutions.” But that framing misses the point. In reality, they reflect different governance logics—and each is designed to solve a specific coordination, agency, or collective action problem in data ecosystems.

For instance:
Data intermediaries → reduce transaction costs
Data unions → rebalance power
Data trusts → address legitimacy deficits
Data commons → enable collective governance
Data cooperatives → redistribute ownership and agency
Data sandboxes → manage uncertainty
Data spaces → enable scaling and interoperability

So the real question is not:
❌ Which model is best?
But rather:
✅ Which model is fit for purpose—given the problem you are trying to solve?

That’s why I wrote this short paper. It proposes a purpose-driven typology and argues for moving beyond “institutional choice” toward institutional orchestration—where multiple models coexist and evolve within the same ecosystem.

👉 Because in practice, mature data ecosystems don’t rely on a single model—they layer and sequence governance arrangements over time. (And that’s where strategic data stewardship becomes essential.)

📖 Read the paper here: https://lnkd.in/eyT9e4gV

🤔 Curious how others are navigating this: What governance model have you seen work—and why?

#data #datagovernance #governance #dataspaces #intermediaries
-
Most governance models assume one proposal becomes one action. That is not how real systems behave.

A single proposal may decompose into multiple governed sub-transitions across:
• execution targets
• application modules
• authority boundaries
• infrastructure layers
• dependent workflows

And once that happens, admissibility becomes harder. Because the question is no longer only: “Is this proposal allowed?” It becomes: “Can this proposed change set still bind without breaking its required dependency structure?”

That is the focus of the new edition of The Commit Boundary: Edition 5 — Composite Proposal Formation and Partial Bind Semantics

In this edition, I distinguish between:
• weakly coupled distributed proposals
• strongly coupled functional proposals
• partial bind admissibility
• composite bind integrity
• governance dependency graphs
• bind-time dependency adjudication
• composite admissibility collapse

The core idea: Some composite proposals are merely distributed. Others are semantically coupled such that partial bind success destroys admissibility of the proposal itself.

Example: Provisioning access across Slack, Jira, and Confluence may allow partial success. But deploying a billing engine update across schema, authorization, reconciliation, and API modules may not. If one required sub-transition fails at bind-time, the entire functional proposal may need HITL escalation, restructuring, rollback, or compensating proposal formation.

This is where governance moves beyond isolated action evaluation. It becomes dependency-aware execution adjudication at the commit boundary. In distributed systems, admissibility alone is insufficient. Governance must determine whether dependent execution paths remain collectively bindable under the canonical state that actually exists at commit.

#AIGovernance #RuntimeGovernance #ControlPlane #DistributedSystems #ExecutionSemantics #AgenticAI #SystemArchitecture #CyberSecurity
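The distinction between weakly and strongly coupled composite proposals in the post above can be sketched as a bind-time adjudicator. This is an added example, not code from the post or from The Commit Boundary; the class names, the decision labels (`COMMIT`, `PARTIAL_COMMIT`, `ESCALATE`), the dependency edges between steps and the fail-closed handling of missing results are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SubTransition:
    name: str
    requires: frozenset = field(default_factory=frozenset)  # steps it depends on

@dataclass
class Proposal:
    name: str
    strongly_coupled: bool  # True: a partial bind destroys admissibility
    steps: list

def adjudicate(proposal, bind_ok):
    """Return the composite decision given per-step bind results at commit.

    bind_ok maps step name -> True if that sub-transition bound successfully.
    A step with no reported result is treated as failed (fail closed).
    """
    names = {s.name for s in proposal.steps}
    unknown = {r for s in proposal.steps for r in s.requires} - names
    if unknown:
        raise ValueError(f"undeclared dependencies: {sorted(unknown)}")

    # Start from the steps that failed to bind, then propagate along the
    # dependency graph: a step whose prerequisite is blocked is blocked too.
    blocked = {n for n in names if not bind_ok.get(n, False)}
    changed = True
    while changed:
        changed = False
        for s in proposal.steps:
            if s.name not in blocked and s.requires & blocked:
                blocked.add(s.name)
                changed = True

    bindable = [s.name for s in proposal.steps if s.name not in blocked]
    if not blocked:
        decision = "COMMIT"
    elif proposal.strongly_coupled or not bindable:
        decision, bindable = "ESCALATE", []  # nothing binds; hand to a human
    else:
        decision = "PARTIAL_COMMIT"
    return {"decision": decision, "bind": bindable, "blocked": sorted(blocked)}

# Constructed proposals modelled on the post's two examples; the dependency
# edges (e.g. confluence requiring jira) are assumptions, not from the post.
ACCESS = Proposal("provision-access", False, [
    SubTransition("slack"),
    SubTransition("jira"),
    SubTransition("confluence", frozenset({"jira"})),
])
BILLING = Proposal("billing-engine-update", True, [
    SubTransition("schema"),
    SubTransition("authorization", frozenset({"schema"})),
    SubTransition("reconciliation", frozenset({"schema"})),
    SubTransition("api", frozenset({"authorization", "reconciliation"})),
])

if __name__ == "__main__":
    print(adjudicate(ACCESS, {"slack": True, "jira": False, "confluence": True}))
    print(adjudicate(BILLING, {"schema": True, "authorization": True,
                               "reconciliation": False, "api": True}))
```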
-
💡Design System Governance Models

Design system governance models help organizations manage and maintain design systems across teams and products. There are three popular models—Solitary, Centralized, and Federated—and each offers a different approach to how design systems are governed within an organization.

1️⃣ Solitary model (Standalone)
In the solitary model, each team, project, or department creates and maintains its own design system independently.

Benefits:
✔ Autonomy and flexibility: Teams can design for their unique needs without waiting for approvals or alignment.
✔ Quick iteration: Changes can be implemented without the need to coordinate with other teams.

Downsides:
✔ Inconsistency: The lack of a unified system can lead to inconsistent user experiences across products.
✔ Duplication of effort: Different teams may end up solving the same problems in different ways, wasting resources.
✔ Lack of scalability: As the organization grows, maintaining multiple systems becomes inefficient and difficult to manage.

Solitary model is best for early-stage startups or small organizations with highly specialized needs for products.

2️⃣ Centralized model
In the centralized model, a single team (often a DesignOps) is responsible for creating, managing, and governing the design system. All teams within the organization must use this system.

Benefits:
✔ Consistency: The centralized model ensures a uniform design language and experience across all products and platforms.
✔ Quality control: A central team ensures adherence to standards, best practices, and quality benchmarks.

Downsides:
✔ Bottlenecks: The centralized team can become a bottleneck for requests, slowing down individual teams that need changes or new components.
✔ Limited customization: Teams with unique needs may find the centralized system too rigid or slow to adapt to their specific requirements.

Centralized model is ideal for organizations seeking consistency and efficiency but may introduce bottlenecks and lack flexibility for individual teams.

3️⃣ Federated model
In the federated model, multiple teams contribute to and maintain the design system.

Benefits:
✔ Balanced flexibility and consistency: Teams can customize components to fit their needs while still adhering to a common design language and guidelines.
✔ Shared ownership: Teams feel more invested in the design system, increasing adoption and engagement across the organization.

Downsides:
✔ Complex governance: Managing contributions from multiple teams can be challenging, especially in ensuring that changes align with the overall system’s vision and standards.
✔ Coordination overhead: Teams must coordinate their efforts to avoid duplication, miscommunication, or conflicting updates.

Federated model balances flexibility and consistency, fostering collaboration, but requires robust governance and communication to avoid fragmentation.

🖼 Governance models by Nathan Curtis

#design #UI #designsystem
-
The Holistic Approach: Combining #BusinessProcessManagement with Value and #PerformanceManagement, #EnterpriseArchitecture, #Governance, and SOA

BPM, enterprise architecture, value management, and #ServiceOrientedArchitecture address similar topics, but from a different perspective, and enable different forms of performance and value creation:

- Enterprise architecture (EA) focuses on setting the framework for the business design and sets in place standards, guidelines, policies, and procedures for ensuring the design, integrity, and, if identified and planned, performance, value creation, and realization for the business as a whole.
- Business process management (BPM) focuses on the management of the business process lifecycle, outlining the way the organization can and will execute its competencies. True performance happens at the activity level, and therefore most forms of value creation happen at this level. One of the real benefits of introducing BPM principles to your processes is that you can add the principle of continuous improvement to the process lifecycle.
- Value management (VM) adds the concept of the value lifecycle form of value planning, value identification, value creation, and value realization, and benchmarks on the operational and strategic level and thereby identification of cost-cutting and improvement potential. Doing this improves the process lifecycle and EA setup. It also materializes the concept of operational excellence by adding characteristics and metrics used for setting up performance measurement.
- Service-oriented architecture (SOA) focuses on providing the design principles for an application architecture based on reusable components (services) and a flexible orchestration layer, which are applied when performing the solution transformation from business process requirements to the supporting IT solution.
- Governance focuses on continuously applying the principles in a structured and managed fashion. Governance is applied on all levels of the enterprise, and harmonization should be achieved between business, process, and IT governance.

The different perspectives overlap on topic but not on content. They support each other, and by harmonizing the governance of these perspectives, they will add value to one another and improve the quality of the individual improvement cycles. The same governance principles should be applied to the business model, business process, value and performance management, and realization in the IT domain. Furthermore, harmonization of these perspectives aligns business and IT initiatives because they are based on common standards, policies, and procedures and a shared orientation on the business processes.

Source: Excerpt from the book Applying Real World BPM in a SAP Environment. Authors: Mark von Rosing, Robert Eijpe, Caspar Laar, Ann Rosenberg, Sascha Kuhlmann © via Raj Grover, https://lnkd.in/d6EQ5d8Y