MVG Governance Worksheet

How to Use This Worksheet

Assemble a small governance team — a governance owner (by name), one business stakeholder, and one technical lead. Three people is enough to start. More than five slows you down.
Work through the four phases sequentially (GOVERN → MAP → MEASURE → MANAGE) over 90 days. Each phase builds on the previous one.
Apply the Family Test at two checkpoints: before adding any system to your inventory (GOVERN), and before opening any deployment gate (MANAGE).
Use the sprint planner on the final page to assign owners, dates, and accountability for each phase.
Review at 90 days — then begin the Align phase (months 3–6) to expand your MVG artifacts into full NIST alignment.

Brand commitments behind this worksheet

Governance is practice, not policy. A council on the org chart that has not met, or a policy nobody references, scores no better than no governance at all. Score this worksheet against what is enforced today — not what is on next quarter's roadmap.

MVG is a starting line, not a finish line. Every artifact you build here is a NIST AI RMF-compatible artifact at an early maturity stage. Nothing gets thrown away when you graduate to full enterprise governance.

MVG Quick-Start Diagnostic

Before working through the full 90-day plan, answer these four questions to assess your governance starting position. If you answered “no” to two or more, your organization is a candidate for MVG — start with question one.

1. Can you list every AI system currently in production or pilot? If no, your first MVG action is an AI inventory. You cannot govern what you cannot see. Start here — it takes days, not months.

2. For each AI system, can you name the person accountable for its outputs? If no, you have a governance ownership gap that MVG's GOVERN phase addresses in two weeks. Not a committee — a person, by name.

3. Do your AI systems have a human escalation path for high-stakes outputs? If no, your AI is operating without a safety net — the exact gap that produced the Air Canada chatbot ruling. Build escalation paths before expanding capability.

4. When was governance last reviewed against actual system performance? If “never” or “more than six months ago,” governance has become a document, not a practice. The 90-day sprint restores it to an operating discipline.

Weeks 1–2

GOVERN — Establish Ownership

NIST RMF: GV-1 (Policies) · GV-2 (Accountability) · GV-4 (Context)

Question 1: What AI systems do we have?

Build an AI system inventory. Not a comprehensive data lineage map — a list.

AI System / Tool	Owner / Team	Decisions Influenced	Risk Tier	Family Test Pass?

Question 2: What could go wrong?

For each system, identify the three most consequential failure modes — not an exhaustive risk taxonomy.

Tier 1 — High Risk: Direct impact on individuals' rights, safety, finances, or employment

Tier 2 — Medium Risk: Indirect impact; affects business decisions, customer experience, or operational efficiency

Tier 3 — Low Risk: Internal tools, content assistance, or non-consequential recommendations

AI System	Risk Tier	Failure Mode 1	Failure Mode 2	Failure Mode 3

Question 3: Who decides?

Assign a governance owner for each system. Not a committee — a person, by name, with authority to pause a deployment.

AI System	Governance Owner (Name)	Authority Level	Escalation Path

GOVERN Phase Checkpoint You should now have three artifacts: (1) an AI system inventory, (2) a prioritized risk register with 3-tier scoring, and (3) an accountability matrix with named owners. These translate directly to NIST GV-1, GV-2, and GV-4.

Weeks 3–4

MAP — Understand Context

NIST RMF: MAP-1 (Context) · MAP-3 (Risks Prioritized)

For each AI system in your inventory, map its context and impact.

Who is affected by this system's outputs? Identify all stakeholders — customers, employees, partners, regulators. Distinguish between direct and indirect impact.

What data does this system use, and where does it come from? Map data sources, consent basis, and any personal or sensitive data categories.

Is this system internal-only, customer-facing, or decision-support? The deployment context determines the governance intensity required.

What regulatory requirements apply? EU AI Act risk classification, GDPR, industry-specific regulations (HIPAA, financial services, etc.).

Context & Impact Matrix

AI System	Stakeholders Affected	Data Sources	Deployment Type	Regulatory Scope	Impact Level

MAP Phase Checkpoint You should now have a context analysis and impact assessment for each system. These translate directly to NIST MAP-1 (Context Established) and MAP-3 (AI Risks Prioritized).

Weeks 5–6

MEASURE — Set Baselines

NIST RMF: MS-1 (Metrics Identified) · MS-2 (AI Evaluated)

What does "good" look like? Define performance metrics: accuracy, fairness metrics, response time, error rate. Set specific thresholds.

How will you detect drift? Identify monitoring approach for model performance, data quality, and fairness metrics over time.

What triggers escalation? Define the specific thresholds that move from "monitoring" to "investigate" to "pause deployment."

Performance Baseline & Drift Monitoring

AI System	Key Metric	Baseline Value	Alert Threshold	Pause Threshold	Review Cadence

MEASURE Phase Checkpoint You should now have performance baselines and drift metrics for each system. These translate directly to NIST MS-1 (Metrics Identified) and MS-2 (AI Evaluated).

Weeks 7–8

MANAGE — Make Operational

NIST RMF: MG-2 (Response Plans) · MG-3 (Risks Managed)

Human escalation paths: For each system, who gets called when something goes wrong? Define the chain from alert → investigation → decision → communication.

Incident response procedures: What happens when a model produces a harmful output? Document the specific steps, not just "investigate and remediate."

Review cadence & deployment gates: How often is governance reviewed against actual system performance? What must pass before new AI capability goes live?

Deployment Gate Checklist

Before any AI system goes live, verify:

Family Test applied — governance owner confirms comfort with system's decisions about their family

AI system is in the governance inventory with named owner

Risk tier assigned and top 3 failure modes identified

Context and impact analysis completed (stakeholders, data sources, regulatory scope)

Performance baselines set with alert and pause thresholds

Human escalation path documented and tested

Incident response procedure documented

Review cadence scheduled (minimum quarterly)

MANAGE Phase Checkpoint You should now have response protocols, deployment gates, and a review schedule. These translate directly to NIST MG-2 (Response Plans) and MG-3 (Risks Managed). You now have a governed AI deployment.

MVG → NIST Artifact Translation

Every MVG artifact translates directly into a NIST AI RMF function. Nothing is discarded during the Align phase — artifacts mature, they don't restart.

MVG Readiness Scorecard

Rate your completion of each phase. Circle: Not Started / In Progress / Complete.

90-Day MVG Sprint Planner

Notes & Observations

MVG-to-Change-Management Bridge

The 90-day MVG sprint creates governance artifacts. But artifacts do not change organizations — people do. This section bridges the MVG sprint to organizational change management, preparing your team for the cultural shift that governance requires.

MVG Artifact (90 Days)	→	NIST RMF Function	Phase
Governance Charter	→	GV-1: Policies & Procedures	GOVERN
Accountability Matrix	→	GV-2: Accountability Structures	GOVERN
AI System Inventory	→	GV-4: Organizational Context	GOVERN
Context & Impact Analysis	→	MAP-1: Context Established	MAP
Risk Register (3 Tiers)	→	MAP-3: AI Risks Prioritized	MAP
Performance Baselines	→	MS-1: Metrics Identified	MEASURE
Drift Monitoring	→	MS-2: AI Evaluated	MEASURE
Escalation Paths	→	MG-2: Response Plans	MANAGE
Deployment Gates	→	MG-3: Risks Managed	MANAGE

Post-Sprint

After MVG Sprint Completion: What Changes?

Completing the MVG sprint means the organization now has governance artifacts that did not exist before. These artifacts require new behaviors from every stakeholder group.

AI systems cannot be deployed without passing the deployment gate checklist

Every AI system has a named owner accountable for outcomes — not a team, a person

Risk tiers determine governance intensity — high-risk systems get quarterly review

The Family Test is applied before every new AI deployment and at every review

Incident response procedures exist and have been communicated to all relevant teams

Stakeholder Communication Plan

Governance succeeds or fails on communication. Each stakeholder group needs a different message, through a different channel, at a different frequency.

Stakeholder Group	Key Message	Channel	Frequency
Executive Team	Governance accelerates AI value and reduces board-level risk exposure	Leadership briefing	Monthly
AI / ML Teams	Governance gives you clearer requirements upfront and reduces post-deployment firefighting	Team standup, Slack/Teams	Weekly during rollout
Business Units	Governance protects your AI investments from regulatory disruption and reputational damage	Town hall, department meetings	Quarterly
Legal / Compliance	MVG artifacts translate directly to NIST AI RMF compliance — reducing regulatory preparation burden	Working session, shared documentation	Bi-weekly
Board of Directors	AI governance is operational risk management — quantified exposure, measured reduction, fiduciary duty	Board report, quarterly presentation	Quarterly

Resistance Anticipation & Response

Every governance initiative encounters resistance. Anticipating it is half the battle. These are the three most common objections and evidence-based responses.

Resistance #1: “This slows us down”

The most common objection from engineering and product teams.

Response: Organizations with mature AI governance deploy AI 31% faster than those without (Obsidian Security). Governance does not slow deployment — it eliminates the rework, incident response, and regulatory firefighting that slow deployment. Unstructured deployment is fast until it fails.

Resistance #2: “We don’t have budget”

The default objection from finance and operations.

Response: A governance hire costs ~$200K. The average data breach now costs $4.88M, and breaches involving shadow AI cost an additional $670K on top of that (IBM 2024 Cost of a Data Breach Report). You are not choosing between “spend” and “don’t spend” — you are choosing between a $200K investment and an uncontrolled multi-million-dollar liability. The budget objection is a framing error.

Resistance #3: “Our AI is low risk”

The complacency objection from teams that believe their AI is “just internal” or “just recommendations.”

Response: In one Nature Scientific Reports study, 91% of ML models tested (n=32) showed performance degradation over time without monitoring (Vela et al., 2022). Shadow AI breaches cost $670K more than breaches involving governed AI (IBM 2024 Cost of a Data Breach Report). And “internal only” AI that touches employee data, hiring decisions, or performance evaluations is not low risk — it is employment law risk. Risk assessment requires governance; governance cannot wait for risk assessment.

Other resistance encountered and responses developed:

First 30 Days After MVG: Quick Wins Checklist

Momentum matters more than perfection. These five quick wins demonstrate governance value within the first month and build organizational buy-in for the sustained change ahead.

Publish the AI System Inventory internally. Making the inventory visible signals that governance is real, not theoretical. Teams see their systems listed with named owners. Transparency creates accountability.

Run the Family Test on your highest-risk system. Conduct the test with the system owner and a cross-functional group. Document the outcome. If the answer is “no,” you have your first governance intervention — and your first proof of value.

Complete one deployment gate review for a new AI system. Use the deployment gate checklist from the MANAGE phase. A single successful gate review creates a template for all future deployments and proves the process works without slowing delivery.

Send the first governance status report to executive sponsors. Include: number of AI systems inventoried, risk tiers assigned, first Family Test results, and the 90-day roadmap. Executives who see progress continue to sponsor it.

Schedule the first quarterly governance review. Put it on the calendar now — for 90 days from sprint completion. A scheduled review creates a deadline that drives ongoing compliance. What gets scheduled gets done.

Quick Wins Completed

Target: all 5 within 30 days of MVG sprint completion

Glossary

Definitions used throughout this worksheet. These align with the canonical MVG article.

MVG (Minimum Viable Governance). A 90-day, four-phase implementation path (GOVERN → MAP → MEASURE → MANAGE) that produces a defensible AI governance baseline using NIST AI RMF-compatible artifacts at an early maturity stage.

GOVERN (Weeks 1–2). Establish ownership. Build the AI system inventory. Assign a named accountable owner for every system. NIST RMF: GV-1, GV-2, GV-4.

MAP (Weeks 3–6). Risk classification. Apply the Context & Impact Matrix to every inventoried system. Determine which require deeper assessment. NIST RMF: MAP-1, MAP-3, MAP-5.

MEASURE (Weeks 7–10). Performance baselines and drift monitoring. Define what “working as intended” means for each system, and how you will detect when it stops. NIST RMF: MEASURE-1, MEASURE-2, MEASURE-4.

MANAGE (Weeks 11–13). Deployment gate, incident response, sustaining cadence. The control surface that decides what ships and what gets pulled. NIST RMF: MANAGE-1, MANAGE-2, MANAGE-4.

The Family Test. “Would I be comfortable if this AI system made this decision about my family?” Applied at two checkpoints: before adding any system to the inventory, and before opening any deployment gate. If the answer is no, stop and investigate.

Trust Premium. The measurable business advantage that accrues to organizations whose AI systems are governed, auditable, and trustworthy. Quantified in the companion Trust Premium framework.

AAA path (Assess → Align → Assure). The maturity progression that begins after the 90-day MVG sprint completes. Months 3–6 expand MVG artifacts toward full NIST AI RMF alignment.

Evidence Base

This worksheet is the operational layer of a published, sourced framework. The full evidence base, McKinsey/Deloitte/IBM data, and the Air Canada precedent live in the canonical articles below.

Canonical article: Minimum Viable Governance — The 90-Day Implementation Framework — the framework, sources, and the three traps (Maturity, Comprehensiveness, Expertise) that comprehensive frameworks fall into.

Companion frameworks:

The Trust Premium — Why trusted AI is worth more (the “why” behind MVG)
Measuring the Trust Premium — 15-dimension scoring framework, the operational layer above MVG
The Liability Ledger — Quantify the cost of ungoverned AI to defend the MVG investment
Governance Playbook — Five-layer stack for what comes after the 90-day sprint
Change Management: First 100 Days — Stakeholder mapping, cultural transformation, resistance management

Key external sources cited above: IBM 2024 Cost of a Data Breach Report · Vela et al., Nature Scientific Reports, 2022 · Air Canada chatbot ruling (ABA, 2024) · McKinsey State of AI 2024