How You Can Get Started Learning AI Governance Today

As a lead instructor on a course in AI governance, I thought a lot about how smart mid-career professionals can upskill into governance roles. Of course, one thing that you can do is take a course on the subject. There’s ours and there are many others. I thought I’d lay out a very simple framework for how someone can get started today.

Let me be clear that the steps below are necessary but not sufficient. You would have to do all these things to become an AI governance professional, but this is just the 101 introductory portion.

Learn the frameworks

Fortunately, AI governance professionals don’t start from scratch. Instead, we start from some of the leading governance frameworks. There are two that I think everybody should read thoroughly and understand.

The first is the NIST AI Risk Management Framework. This is a voluntary framework coming from the United States government. This tends to be one of the lighter yet still comprehensive frameworks. What you’ll get from your first read-through is just an understanding of how the AI governance profession, and particularly those in government who will ultimately become regulators, think about the issues of AI danger and control of AI systems.

The next key framework is ISO 42001. If you’re coming from a career in GRC, privacy, or information security, you’re likely already familiar with ISO 27001. 42001 is simply the AI governance version of that. This is a certifiable, auditable framework. As such, it’s more complicated to implement. It’s also, to be honest, a substantially drier read. That said, if you are ever going to work in large or highly regulated industries, or if you are working more globally, this is probably the most important standard for you.

Be aware that the only way to get the official PDF is to pay ISO to get it and it’s not cheap.

Then spend a few minutes researching the key standards in your particular industry. For example, here in the U.S. in the finance and banking industry, we have SR 11-7. This is a government standard that applies specifically to AI systems in this industry. If you intend to be a consultant or an attorney in this space, or are working in finance or banking, it’s definitely worth your time to do a thorough review. However, if you are in a different industry, this might be one you can set to the side.

Understand the regulations

A substantial amount of the work that AI governance professionals do is compliance. There are a number of new laws at every level of government regulating the use of AI systems. In fact, there are so many that it’s not practical to name or memorize all of them.

Instead here’s what I would suggest:

First you have to understand the EU AI Act. This is the global standard AI regulation.

Make sure that when you research and learn about this, you read recent articles. As of May 2026, the implementation deadlines have changed and they may well change again.

The EU AI Act is important because it sets a global standard. It’s deliberately designed to cast a very wide net so that organizations all over the world have to comply even if they’re not located in the EU. Additionally, many other countries are modeling their regulations around the EU AI Act. Australia and Canada are two examples.

When you actually access the regulation, it may be intimidating at first. It’s quite long and is not written for the novice. What you can do instead of reading the entire thing is just skip to the articles. The preamble gives you good context but is less important. Do read through all of the articles, however. This is actually a great gauge for how much this career may or may not suit you. If you are happy and excited to read legal and regulatory minutiae, that’s a positive sign. If this really bores you and you’d rather go outside, that’s its own signal as well.

Past the EU AI Act, think through where you’re likely to get a job and what the regulatory environment there is. If you’re here in the US, make sure you know about the Colorado AI Act and research what California is passing. Again I hesitate to link to that directly because it’s likely to change. It’s great to start with summaries of these regulations, oftentimes from law firm blogs. That said, similar to the EU AI Act, if you’re serious about this profession, it’s worth your time to look up the actual regulations and read them through thoroughly. That’s really the only way of getting a great grounding in what they say. 

Build your own demo policies 

Now that you’ve done some significant research, read the frameworks, and read the regulations, what should you do next? I’m a strong believer that not only do we learn by doing but we also produce by doing. I think it’s a huge mistake for job seekers in AI governance to go into interviews having never actually done any of the work of AI governance before. 

Here’s what I would suggest:

 

  1. AI registry: This is a list of all AI systems used in a given organization. When you find your template, you’ll know that there’s a lot more to it. There’s a lot you need to understand and commit to paper about the system itself.
  2. AI internal use policy: This is a combination of a governance document and a human resources document. It covers how employees, contractors, and vendors within the organization use AI. Importantly, this document can’t simply be a list of things that are banned. Instead, the AI use policy is a culture artifact that balances the risks inherent in AI use with the many rewards. Again, you’ll find templates and examples for this online.
  3. I would also try to draft at least one significant AI governance policy. The one that I think is most impactful in this situation is a policy on data handling and use. If you come from information security, privacy, or GRC, you’ve probably done documents like this before. You just need to add on the AI-specific twists.

You’re looking for a number of issues, such as:

  • How algorithms were trained
  • What data was used in the training
  • How data is gathered from users and used in production
  • How long data is retained and how the organization knows that it has the permission to use that data

As you think about AI agents that operate autonomously, this gets even more complicated. You have to think about the issues of what data the AI system used when it made a certain decision about a certain issue or certain person. 

Here’s an example. 

Let’s say we are conducting a job search. Our AI algorithm recommends we hire a certain person based on totally allowable, reasonable, and ethical factors. Later, after they’re hired, our HR algorithm learns their ethnicity or their disability status, which would be typical in a hiring process. It’s really important to know, and to be able to show in a potential audit, that the system only used allowable or correct data for the hiring decision and then got impermissible data later.

Once you put this policy together, try to show it to someone in your network or someone you work with who has expertise drafting policies. If you’re using this as an artifact in your job search, it’s important that it be very high quality.

At this point you’ve understood the frameworks and regulations, and you’ve drafted a few sample policies. You’re ready for a great role. I do want to say one final time that this is really the 101 version. What you would learn doing this work professionally, studying by yourself over several months, or taking a course like the eight-week certification at Proceptual, would be much more significant.

 

liz
