Every major AI governance framework published in the last three years identifies the same problem. AI is moving faster than organizational structures can govern it. The gap between what AI systems can do and what organizations have in place to oversee what they do is widening in most enterprises, and narrowing it requires more than better policies or more frequent committee meetings.

What most frameworks do not address is the structural reason governance fails even when organizations invest in it seriously. The reason is not insufficient commitment. It is architectural. Governance built as a parallel structure alongside an AI adoption program will always lose to the adoption program, because the adoption program has organizational authority and momentum that a compliance layer built beside it cannot match.

The Nested Governance Architecture, developed by Arrell Advisory, addresses this structural problem directly. Rather than building governance as a separate workstream that runs alongside AI adoption, NGA embeds governance within the organizational structures, transformation programs, and risk management infrastructure that already exist and already have authority. Governance that inherits organizational authority does not have to compete with the adoption program. It operates inside it.

The Problem NGA Was Designed to Solve

To understand why NGA is structured the way it is, it helps to understand precisely where conventional AI governance architectures fail.

The conventional approach to enterprise AI governance follows a recognizable pattern. An organization identifies the need for AI governance, typically in response to a regulatory requirement, a board inquiry, or an incident that surfaces a governance gap. A governance function is established, usually within Legal, Compliance, or Risk. That function produces a policy framework, a principles document, and an oversight committee. The committee meets regularly. The policy is communicated to the organization. The governance program is declared operational.

What happens next is predictable. The AI adoption program, which has been running with its own momentum, its own leadership mandate, and its own delivery timelines, continues to run. The governance program, which has authority over the policy but limited authority over the adoption program, attempts to apply governance requirements to a program that was not designed to accommodate them. Friction develops. Workarounds emerge. Governance requirements that create delay or complexity in the adoption program are deprioritized, deferred, or bypassed through informal exception processes that are never formally documented.

NGA was designed to close this gap by changing where governance lives, not just what governance says.

The Architecture: What Nested Means

The term nested describes the core structural principle of the framework. Governance is nested within, rather than built alongside, the organizational structures that have authority over AI adoption and deployment.

In practice this means three things.

First, governance requirements are embedded in the AI adoption program's own mandate rather than imposed on it from a separate function. When an organization's AI adoption program defines its scope, its use cases, its delivery milestones, and its success criteria, governance requirements are part of that definition from the beginning. Not a gate that the adoption program passes through on the way to deployment. A component of the program itself.

Second, governance inherits authority from the organizational structures it is nested within rather than having to build its own authority in competition with them. When the AI adoption program has executive sponsorship, board visibility, and a delivery mandate, the governance embedded within it inherits that sponsorship, visibility, and mandate. Governance does not have to argue for organizational attention. It has it by design.

Third, governance operates across all three pillars of responsible AI simultaneously rather than treating them as separate domains. Organizational transformation and AI strategy, enterprise risk management and AI governance, and data and technical governance are not sequential phases or separate workstreams in NGA. They are interdependent layers that are built in alignment and designed to reinforce each other.

How NGA Aligns with Existing Risk Management Infrastructure

One of the most significant practical advantages of NGA for organizations in regulated industries is its alignment with IT risk management frameworks that already exist and already have organizational standing.

Most large enterprises in financial services, healthcare, and technology have established IT risk management infrastructure. They have risk frameworks, control libraries, audit processes, and accountability structures that have been built over years and have genuine organizational authority. These frameworks were not designed for AI, but they were designed for the governance of technology that introduces organizational risk, and AI governance shares many of the same structural requirements.

NGA is designed to integrate with this existing infrastructure rather than displace it. AI risk categories are mapped to existing control frameworks so that AI governance requirements can be managed within the same risk management processes that govern other technology risks. AI accountability structures are built to align with existing organizational accountability models. AI audit requirements are designed to produce documentation that fits within existing audit processes so that regulators examining AI governance are looking at evidence that connects to a governance infrastructure they already recognize.

This integration significantly reduces the implementation burden of AI governance by building on infrastructure that already exists rather than requiring organizations to build parallel governance infrastructure from scratch. And it gives AI governance the organizational standing of the risk management infrastructure it is integrated with.

NGA in Regulated Industry Contexts

The structural design of NGA makes it particularly well suited to regulated industries, where the governance challenge is most acute and the consequences of governance failure are most significant.

In financial services, organizations deploying AI face regulatory requirements spanning model risk management guidance, fair lending obligations, and the EU AI Act's high-risk classification requirements. NGA addresses these through integration with model risk management frameworks that already exist in most financial services organizations, embedding AI-specific governance requirements within the model validation, documentation, and ongoing monitoring processes that financial services regulators already examine.

In healthcare, organizations integrating AI into clinical and administrative workflows face governance challenges that combine patient safety, privacy, and emerging regulatory requirements for AI-enabled medical applications. NGA addresses these through integration with existing clinical governance and privacy infrastructure, embedding AI oversight requirements within the accountability structures that govern clinical decision-making rather than creating separate AI oversight structures that operate beside clinical governance.

In technology, organizations embedding AI into products and internal operations face a governance environment that is evolving rapidly and varies significantly across jurisdictions. NGA addresses this through a risk-tiered approach that applies governance requirements proportional to the risk level of specific AI applications, drawing on existing product governance and privacy infrastructure.

In each context, the principle is the same: NGA finds the organizational infrastructure that already has authority over the decisions AI is influencing and embeds governance within it, rather than building a parallel governance structure that has to establish its authority from outside.

The Human Layer in NGA

No governance architecture holds over time if it does not reach the human layer, which is where AI outputs meet the human decisions they influence. This is one of the most consistent failure points in enterprise AI governance, and NGA addresses it as a structural component rather than an afterthought.

In NGA, human-layer governance is built through three mechanisms that work together.

Practitioner-level governance standards define what responsible AI use looks like for specific roles in specific contexts. Rather than general principles that practitioners are expected to interpret and apply independently, NGA produces role-specific standards that tell practitioners what governance requirements apply to their specific AI tool use, what verification is required before AI outputs are used in decisions, and what accountability they carry for the decisions those outputs influence.

Upskilling and training programs equip practitioners to govern their own AI use rather than relying entirely on centralized oversight. Practitioners trained on responsible use frameworks understand not just how to use AI tools but how to make responsible decisions about when and how to rely on AI outputs in their specific context.

Prompt governance standards address the generative AI interaction layer specifically, establishing organizational standards for how practitioners direct AI systems in regulated contexts, what information can be included in prompts, what review is required for high-stakes prompt applications, and how prompt-based interactions are documented for accountability purposes.

These three mechanisms together close the gap between governance at the policy level and governance at the point where AI actually operates.

What Implementing NGA Produces

Organizations implementing NGA are not producing a governance document. They are building an operating condition.

The governance assessment, which is the entry point for most NGA implementations, establishes the current governance posture across all three pillars, identifying the specific gaps that represent the highest risk exposure given the organization's AI deployment context and regulatory environment. This assessment produces a prioritized gap map rather than a general governance review, enabling organizations to sequence governance investments based on actual risk rather than framework completeness.

The implementation roadmap, delivered across a structured 90-day initial phase, sequences governance build activities to create accountability from day one rather than producing a governance framework that becomes operational only at the end of a lengthy implementation. Early milestones establish the governance requirements that apply to AI deployments currently in progress, so that governance is influencing live decisions rather than preparing to govern future ones.

The operational infrastructure produced by NGA implementation includes accountability structures with named owners, workflow-integrated governance requirements that create visible checkpoints without prohibitive friction, documentation practices that produce an audit-ready evidence base, and monitoring mechanisms that treat governance as an ongoing operational discipline rather than a point-in-time compliance exercise.

See where your governance posture stands

Take the Responsible AI Transformation Assessment to evaluate your organization's governance posture and identify whether NGA is the right fit for closing the gaps you find.

Dr. Gbemisola Adetayo · Responsible AI Governance Architect · Principal, Arrell Advisory