AI in Practice

Decision Rights, Controls, and Vendor Coverage

Where Compliance Programs are Today

According to Ethisphere’s data from World’s Most Ethical Companies^®, at leading E&C programs:

The data shows that E&C is at the AI table and building literacy, but downstream governance (vendors, partners, and tools procured by the business) lags, exactly in the places where risk concentrates.

WHAT THIS MEANS:

Decision rights exist, but artifacts lag. You can steer AI decisions, but without standard artifacts (model inventory, risk reviews, vendor clauses), your influence won’t scale.
eLearning ≠ control. Employee training is good, but control points (approvals, Human-in-the-Loop [HITL] triggers, monitoring) are what regulators and boards will look for.
The blind spot is with third parties. Most AI capabilities that organizations leverage will arrive via vendors, only 15% coverage in Codes of Conduct is a material exposure.

Where Programs are Today

Ownership without levers

E&C has the mandate: 84% of teams now own third-party risk management. But scale lags: only 58% routinely monitor high-risk vendors and just 14% have audited at least half of their third parties.

In other words, ownership is high while verification remains narrow.

Monitoring is concentrated at the top, audits are sparse, and AI clauses are rare. Closing the gap means moving from awareness to enforceable, AI-specific controls across the full vendor curve.

Governance to Enable Safe Scale

Decision Rights & Operating Model (RACI)

AI governance scales best when everyone knows their job. The following RACI assigns a single Accountable owner and clear Responsible, Consulted, and Informed roles for each governance activity. This allows E&C to move quickly without sacrificing control or questioning ownership. It’s designed for cross-functional collaboration, including E&C, Legal, Risk, IT/Data, Procurement, and business leaders. And it should be mirrored in your intake form, vendor gates, and monthly reporting.

RACI USE CASES FOR AI IN E&C

ROLES & RESPONSIBILITES

R = Responsible; A = Accountable; C = Consulted; I = Informed

ROLES & RESPONSIBILITES

R = Responsible; A = Accountable; C = Consulted; I = Informed

Baseline AI Governance Controls

Minimum controls create a documented trail of accountability: what you approved, why, the safeguards in place, and how outputs are checked. They’re designed to be lightweight but testable and provide easy evidence to auditors, regulators, and your board. Implement them across the organization (including vendors) before expanding to advanced use cases.

Baseline ≠ Basic

Prove governance, don’t just promise it.

AI Policy + “Shadow AI” Addendum

Objective: To set clear guardrails for what’s allowed, what’s not, and which tools or processes are approved

Model/Use-Case Inventory

Objective: To maintain a single source of truth for every AI use case and model touching E&C work

Risk Review

Objective: Conduct lightweight pre-go-live check that confirms legality, fairness, safety, and auditability

Human-in-the-Loop (HITL) Triggers

Objective: To ensure human review for high-impact or high-risk outputs before action

Monitoring & QA

Objective: To verify that AI outputs remain accurate, unbiased, and fit for purpose; and to catch drift early

Vendor & Third-Party Governance

Third parties are where most AI enters the organization. They’re also where risk is concentrated.

Yet, only 15% of programs currently include AI provisions in their Third-Party Code.

This section closes that gap with a simple, repeatable gate: ask the right questions before purchase, bind protections at contract, require assurance evidence before going live, and monitor continuously. Use the same controls for in-house and vendor tools so value is scaled without outsourcing risk.

Gate: No AI-enabled vendor goes live without (a) an AI questionnaire, (b) contract clauses, or (c) assurance evidence
Questionnaire essentials: Data provenance and retention, training data sources, testing/red-team results, bias and robustness methods, explainability, and rollback plan
Contract clauses to discuss with Legal and IT: Permitted AI uses, data location and deletion, sub-processor disclosure, incident notification ≤72h, right to audit or testing artifacts, prohibition on training on your data without explicit consent
Code of Conduct clause: Add an AI clause in your Third-Party or Supplier Code of Conduct to:
- Set a baseline expectation for every vendor upstream of contracts
- Normalize disclosure and extend your governance standards across the supply chain
- Give Procurement/Legal clear footing to require testing evidence, incident notifications, and data-use limits

Examples of Third-Party Codes with AI Provisions

UnitedHealth Group
Westinghouse Nuclear
Booz Allen
Thermo Fisher
Enbrindge
Five9
TIAA

Vendor AI Review Framework

Most AI will enter the organization through vendors, concentrating risk. The following review framework makes AI due diligence a standard gate by plugging into sourcing without slowing the business and giving E&C a consistent and defensible way to approve, track, and roll back vendor AI (if needed).

DOWNLOAD

Full Framework Questionnaire

Dashboard Metrics

GOVERNANCE ADOPTION:

% of AI use cases in inventory
% with completed risk review
time from intake to approval

CONTROL EFFICACY:

% of use cases with HITL
exception rate
incidents reported and resolved

THIRD-PARTY COVERAGE:

% of strategic vendors with AI clauses
% of vendors completing AI questionnaire
remediation turnaround

CAPABILITY:

% of employees trained
number of SMEs with RAI background
training refresher completion