AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

← News
Research2026-07-08

DAMA UK Case Study Makes the Case for Purchase Order Gateways and 10/20/70 Investment to Fix AI Governance's People Problem

What happened

DAMA UK, the UK chapter of the global data management professional body, published Case Study: Data Governance in the AI Era on July 4, 2026, offering practical implementation guidance for enterprise AI governance programs. The case study advocates constructing audit trails from the first day of AI deployment to ensure traceable and defensible automated decisions, and recommends that Data Protection Officers collaborate formally with AI governance teams to satisfy transparency obligations under automated decision-making rules. It endorses adoption of both the NIST AI Risk Management Framework and ISO/IEC 42001:2023 as complementary risk management structures. The 10/20/70 model proposed in the study allocates only 10 percent of AI investment to technology, 20 percent to data infrastructure, and 70 percent to people and process, including C-suite AI literacy programs. Critically, the study introduces the Purchase Order Gateway as a governance enforcement mechanism, requiring projects to obtain governance approval before funding is released, converting AI governance from a post-deployment audit function into a pre-deployment control.

Why it matters

  • ·The Purchase Order Gateway model directly addresses regulatory exposure by making governance compliance a financial prerequisite, closing the common gap where AI systems are deployed before risk assessments or DPO reviews are completed, which creates retrospective liability under GDPR Article 22 and emerging AI-specific rules.
  • ·The 10/20/70 allocation model exposes a structural operational risk: organizations that over-invest in AI technology relative to people and process controls are likely to fail governance audits not because frameworks are absent but because no one owns, understands, or applies them consistently.
  • ·Formalizing DPO collaboration with AI governance teams is increasingly a regulatory expectation, not a best practice, as ICO guidance, the EU AI Act, and automated decision-making obligations under data protection law all require demonstrable accountability linkages between data privacy and AI deployment decisions.

Governance controls affected

What to do now

  • Audit your current AI project intake process to determine whether governance and DPO review gates exist before funding is approved, and implement a Purchase Order Gateway model if they do not.
  • Review your audit trail design for all active AI systems to confirm that decision logs are created at the point of deployment, not retrofitted after the fact, and that they meet tamper-evidence requirements.
  • Conduct a resource allocation review to assess whether your AI governance budget reflects a 70 percent weighting toward people and process, and identify underfunded areas such as reviewer training, governance ownership, and executive literacy.
  • Map your current governance program against both NIST AI RMF and ISO 42001 to identify framework gaps, and assign ownership for closing those gaps with a defined timeline.
  • Establish a formal collaboration protocol between your DPO and AI governance function, including shared review responsibilities for any AI system making or materially influencing decisions about individuals.

What to watch next

UK organizations should monitor ICO enforcement activity related to automated decision-making transparency, as the ICO's existing AI and data protection guidance creates an enforcement pathway that DAMA UK's recommendations are designed to address proactively. ISO 42001 certification activity is accelerating globally, and organizations that delay framework adoption risk being behind procurement and contractual requirements as enterprise buyers begin requiring certification as a vendor condition. Further DAMA UK guidance or sector-specific elaborations of the 10/20/70 model may follow, and compliance teams should track whether the Purchase Order Gateway concept surfaces in formal regulatory guidance or procurement standards from UK government bodies.

AI Governance Weekly

Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.

Powered by Buttondown.

Related Coverage

Research2026-07-14

A Five-Phase Blueprint Builds a Full AI Governance Program in Six Months, Offering a Replicable Model for Enterprises Without Dedicated AI Counsel

Fortium Partners published a case study documenting how a Fractional Chief AI Officer constructed an enterprise AI governance program from scratch in six months. The program was grounded in ISO 42001 and the NIST AI Risk Management Framework and delivered a complete operating model including a RACI matrix, three-tier risk classification, AI System Inventory, vendor security review enhancements, and a Center of Excellence training function. The case study presents a five-phase implementation blueprint designed to be adopted by other organizations seeking to right-size governance to actual risk.

Research2026-07-04

Telefonica's Dual-Committee AI Governance Model Sets Implementation Benchmark for EU AI Act Compliance

The AI Company Data Initiative has published a case study report documenting how Telefonica structured its AI governance program, including a tiered employee training curriculum and a dual-committee model pairing monthly operational steering with quarterly strategic management reviews. The report is framed explicitly around EU AI Act compliance obligations. It provides compliance teams with a named-enterprise reference architecture for governance committee design and mandatory ethical awareness training.

Research2026-07-17

UK FCA Mills Review Mandates Independent Annual AI Safety Audits with Attorney General Enforcement and Public Disclosure

The UK Financial Conduct Authority published the Mills Review on July 6, 2026, requiring companies to submit existing AI safety plans to independent annual auditors and disclose the results publicly. The review sets no new substantive safety standards but enforces transparency and validation of plans already in place. Non-compliance exposes firms to Attorney General action, making this a legal enforcement mechanism rather than a soft guidance instrument.