# AI Governance Backlog: turning risk into actionable work

> An AI Governance Backlog turns abstract risks into concrete, prioritized tasks with owners and closure criteria.

- Author: Viktor Berthelius (BRTHLS)
- Published: 2026-05-10
- Updated: 2026-06-29
- Category: ai operating models
- Tags: ai-governance, operating-model, risk-management
- Language: en
- Canonical: https://www.brthls.com/magazine/ai-governance-backlog-risk-to-work-en
- Source: BRTHLS Magazine — https://www.brthls.com

---

## Problem

Most AI policies don’t fail because they’re poorly written. They fail because they never become work. The document exists, the committee approves it, and teams keep deciding based on local criteria, quarterly urgencies, and informal exceptions.  

Governance that isn’t translated into a backlog doesn’t change the operation.

## Thesis

An AI Governance Backlog turns abstract risk into executable work: controls, decisions, owners, thresholds, and reviews. It’s the difference between having a policy and having a system that changes business behavior.  

Governance isn’t implemented when it’s published. It’s implemented when it enters the work queue with priority, an owner, and a closure criterion.

## Framework

A governance backlog has five types of items:

- **Policy gaps:** decisions that the current policy does not cover.  
- **Control gaps:** known risks without an operational mechanism.  
- **Evaluation gaps:** workflows without a metric, threshold, or owner.  
- **Escalation gaps:** cases where no one knows who decides.  
- **Kill-switch gaps:** initiatives that lack a pause or shutdown criterion.  

Each item must be convertible into an action. If it can’t, it’s a concern, not a backlog item.  

Mini-case: a company has a policy that forbids introducing sensitive data into unapproved tools. In practice, no one knows which tools are approved, how to request an exception, or what to do with vendors already used by local teams. When turned into a backlog, three actionable items appear: tool registry, exception workflow, and review of existing vendors. The policy stops being a sentence and becomes an operation.  

**Measurable signal:** percentage of AI risks turned into items with an owner, a priority, and a closure criterion.  

**Posture:** a policy without a backlog is an administrative promise.  

**Breath:** the risk doesn’t disappear just because it’s named in a PDF.

## Anatomy of a good item

A governance item should include:

- risk it reduces
- decision it enables
- operational owner
- affected area
- closure criterion
- review date

Bad example: “Improve AI compliance.”  

Good example: “Define an approval workflow for AI tools used with client data; owner: Legal Ops; closure when an approved list exists, the exception process is documented, and it has been communicated to commercial teams.”

## Prioritization

Don’t prioritize by anxiety. Prioritize by exposure and frequency.

| Factor | Question |
| --- | --- |
| Impact | What breaks if this risk materializes? |
| Frequency | How many times does it appear in real workflows? |
| Reversibility | How much does it cost to fix afterwards? |
| Ambiguity | How many teams decide differently today? |
| Dependency | Which other controls depend on this? |

The best early items are often boring: ownership, inventory, exceptions, thresholds, and kill-switches.

## Common mistake

The anti-example is treating the governance backlog as a security wish list. Then it grows, no one uses it, and the business sees it as a blockage.  

A healthy backlog doesn’t try to control everything. It attacks the ambiguities that generate the most bad decisions.

## Protocol (3 steps)

1. **Extract risks from real decisions.** Don’t start from taxonomies. Start with workflows where AI already decides, recommends, or automates.  
2. **Convert each risk into a closeable action.** If it lacks an owner and closure criterion, reframe it.  
3. **Review the backlog every two weeks.** Add what changes decisions; remove what has no operational impact.

## Related

- [Governance vs Compliance: why your policy decides nothing](/magazine/governance-vs-compliance-policy-decision-making-en)  
- [Rollback Design for AI Workflows: how to shut down without breaking operation](/magazine/ai-workflow-rollback-design-for-safe-automation-en)  
- [Model Routing as Governance: policy of models, not intuition](/magazine/model-routing-as-governance-policy-model-choice-not-gut-en)  

## Next step

If your AI policy has no backlog, you don’t know which part is implemented and which part is only written. We can turn it into an operating system during a [diagnostic](/en/contact).

---

*Translated from the Spanish original with AI assistance and reviewed for accuracy. [Read the original in Spanish](/magazine/ai-governance-backlog-convertir-riesgo-en-trabajo-ejecutable-es).*

---

_Cite as: Berthelius, V. (2026). "AI Governance Backlog: turning risk into actionable work". BRTHLS Magazine. https://www.brthls.com/magazine/ai-governance-backlog-risk-to-work-en_
