Most AI governance programs we encounter at Cichocki Advisory arrive at the same crisis point: the executive team has approved the plan, the slide deck looks credible, and six months later there are no shipped controls. The board asks "what changed?" and the answer is some combination of policy documents, vendor evaluations, and organizational anxiety.
This is the gap our 90-day implementation roadmap is designed to close. The cadence is deliberately tight: most enterprise AI governance programs take 18-24 months to mature, but the first 90 days determine whether the program ships anything at all.
Why 90 days, not 18 months
The case for a 90-day initial sprint isn't speed for its own sake. It's that AI governance is operationally complex enough that without a shippable artifact every 30 days, the program stalls. Boards lose confidence. Executive sponsors get reassigned. Risk teams default to "no" on AI proposals because there's no governance machinery to evaluate them.
Our 90-day roadmap produces three concrete artifacts — one per 30-day phase — each of which is independently usable even if the program changes direction.
Phase 1 (Days 1-30): Inventory and decision rights
Weeks 1-2: Risk-tiered AI inventory
Every AI system in scope, classified by autonomy, consequence, and data sensitivity. Most engagements surface 40-60% more AI than the executive team thought existed. This includes shadow AI (employee-driven SaaS subscriptions), embedded AI in third-party platforms, and AI components inside vendor products that nobody catalogued.
The deliverable is a single document — the AI inventory — that becomes the foundation for everything downstream. NIST AI RMF terminology gets layered onto this inventory in week 3.
Weeks 3-4: Decision-rights matrix
For the top two risk tiers, who approves what, and what evidence do they need? Decision rights are documented by role (CISO, General Counsel, Head of Risk, business unit GM, etc.) — not by individual. This is what makes the matrix survive leadership transitions.
The deliverable is the decision-rights matrix and a one-page board summary that the executive sponsor can present at the next governance committee meeting.
Phase 2 (Days 31-60): Embedded controls
Weeks 5-6: Lifecycle gates
The lifecycle workflow that gets applied to every Tier 1 and Tier 2 AI system: ideation → design review → pre-deployment validation → deployment approval → post-deployment monitoring → decommissioning. Each gate has named approvers and explicit exit criteria.
Critically, the gates don't try to cover everything. They cover the highest-risk paths first. Tier 3 and Tier 4 systems get a lighter-weight version of the same workflow in Phase 3 or later.
Weeks 7-8: Telemetry and evidence packages
For each gate, what evidence is required, where does it live, who reviews it, and how is it stored for audit? This is the work that turns AI governance from policy into practice. Without evidence packages, the gates are theatrical — they look like controls but produce nothing the board or an auditor can examine.
The deliverable is the evidence specification plus a sample evidence package for one Tier 1 system, end-to-end.
Phase 3 (Days 61-90): Board-ready and continuous
Weeks 9-10: Board reporting cadence
The quarterly board package that summarizes AI governance posture, risk distribution, exception trends, and forward-looking investment. Format matters: most boards want a four-quadrant maturity view, an exception roster, and a forward-look. Anything more is unread; anything less is unsupportable.
Weeks 11-12: Continuous-improvement loop
The mechanism by which operational AI governance feedback flows back into policy. This is the loop that prevents governance drift — the failure mode where policies stay static while AI deployment evolves around them.
The deliverable is the continuous-improvement charter (cadence, attendees, escalation paths) and the first quarterly review's agenda.
What ships at day 90
By day 90, the organization has:
- A complete tiered AI inventory.
- A documented decision-rights matrix for top-tier systems.
- A lifecycle workflow with named gates and approvers.
- An evidence specification with one fully-worked example.
- A board reporting package.
- A continuous-improvement charter.
The board has seen all six. The executive team has signed all six. There is at least one Tier 1 AI system that has been through the full lifecycle and produced its evidence package. Risk and Legal have signed off on the controls.
This is what Cichocki Advisory engagements typically deliver in 90 days — not because the broader program is finished, but because day 91 begins with a working system that boards and regulators can examine.
What 90 days does NOT cover
To be honest, the 90-day roadmap doesn't deliver everything. It intentionally defers:
- Tier 3-4 system coverage — these get lighter-weight controls in months 4-9.
- ISO/IEC 42001 certification work — typically a 9-15 month engagement after the initial 90 days.
- Vendor third-party risk integration — addressed in months 3-6 once the internal inventory is stable.
- Cross-jurisdiction regulatory mapping (EU AI Act, sector-specific rules) — addressed when the organization's regulatory footprint requires it.
What you can do this week
If your organization hasn't started this work and you're trying to figure out the lowest-friction first step:
- Convene a working group of the CISO, General Counsel, Head of Risk, one business unit GM, and one engineering leader. Five people total.
- List every AI system the group can name. Don't classify yet. Just list.
- Identify the most autonomous, highest-consequence one. That's where governance investment goes first.
- Decide who approves changes to it. Document the decision in writing. That's your day-one decision-rights artifact.
The rest is sequence. If you'd like Cichocki Advisory to run the full 90 days alongside your team, book a discovery call.
Work with Cichocki Advisory
Cichocki Advisory provides board-ready AI governance, AI strategy, and platform architecture for executives navigating enterprise AI transformation. Engagements work under NDA with scoped, time-limited credentials.