What Do I Mean When I Say That AI Governance Is A Cluster of Functions

What is AI governance?

I get this question constantly. And I've noticed that the way people ask it reveals a lot about their mental model.

Some ask it like they're asking about a specific job. "What does an AI governance person do?" As if there's one role with a clear job description.

Others ask it like they're asking about a department. "Does your company have AI governance?" As if it's a single function that either exists or doesn't.

Both framings are limiting.

AI governance isn't a job title. It's a cluster of functions , related but distinct , that organizations are figuring out how to staff, structure, and integrate.

Understanding this matters for how you think about the field and how you position yourself within it.

The Simple Definition (And Why It's Insufficient)

At its simplest, AI governance is the work of making sure AI systems are safe, fair, compliant, and aligned with what they're supposed to do.

That definition is true. It's also almost useless for career planning.

"Safe" according to whom? "Fair" by what standard? "Compliant" with which regulations? "Aligned" with whose intentions?

Each of these words points to different expertise, different organizational functions, different career paths. Treating them as one thing collapses important distinctions.

Let me try a more useful framing.

The Four Function Clusters

When I look at how organizations are actually staffing AI governance, I see four distinct function clusters. They overlap. They interact. But they draw on different backgrounds and require different expertise.

Cluster 1: Policy & Compliance

The core question: Are we following the rules?

This cluster focuses on regulatory interpretation, policy development, and compliance verification. People in these roles track regulatory developments (EU AI Act, state laws, sector-specific guidance), translate them into internal policies, and ensure the organization meets its legal obligations.

Typical titles: AI Policy Analyst, AI Compliance Manager, AI Governance Specialist.

Natural backgrounds: Compliance, legal, policy, regulatory affairs.

Cluster 2: Ethics & Responsible AI

The core question: Should we be doing this, and are we doing it in a way that respects affected communities?

This cluster focuses on the normative questions that regulations don't (yet) answer. Bias assessment. Fairness auditing. Impact evaluation. Stakeholder engagement. These roles often involve translating abstract ethical principles into concrete assessment criteria.

Typical titles: AI Ethics Lead, Responsible AI Program Manager, AI Fairness Specialist.

Natural backgrounds: Ethics, social science, UX research, human rights, policy.

Cluster 3: Risk & Security

The core question: What can go wrong, and how do we prevent it?

This cluster focuses on identifying vulnerabilities before they're exploited , both technical vulnerabilities (can the model be manipulated? can it leak data?) and operational vulnerabilities (what happens when the system fails? who's accountable?). This is where AI red teaming, security testing, and risk frameworks live.

Typical titles: AI Risk Manager, AI Security Specialist, AI Red Team Lead.

Natural backgrounds: Cybersecurity, risk management, software engineering, penetration testing.

Cluster 4: Audit & Assurance

The core question: Can we prove to others that we're doing what we claim?

This cluster focuses on verification and documentation , producing evidence that AI systems meet stated standards, for regulators, boards, customers, or the public. These roles often involve developing assessment methodologies, conducting audits, and creating documentation trails.

Typical titles: AI Auditor, AI Assurance Lead, Algorithm Accountability Specialist.

Natural backgrounds: Auditing, quality assurance, internal controls, technical writing.

The Money Question

People always ask about compensation. Here's what I can tell you, with the caveat that ranges vary significantly by location, company size, and specialization. Adjust 10-20% down for non-hub markets. Add 10-20% for companies where AI is the core product.

The Two Paths In

Here's something I've observed about how people enter AI governance.

There are essentially two paths, and they require inverting what you need to learn.

Path 1: Technical to AI Governance

If you're a software engineer, data scientist, ML engineer, or security professional, you already understand how AI systems work. Your challenge is learning the governance layer, the frameworks (NIST AI RMF, EU AI Act), the assessment methodologies, the translation between technical reality and business/regulatory requirements.

You're most naturally positioned for the Risk & Security cluster, though you can pivot to others.

Path 2: Non- Technical to AI Governance

If you're from compliance, risk, legal, policy, audit, or HR, you already understand governance. Your challenge is building AI literacy , understanding how these systems work at a conceptual level, what can go wrong, what questions to ask technical teams.

You're most naturally positioned for Policy & Compliance or Audit & Assurance, though the Ethics cluster is also accessible.

Both paths share one requirement: the ability to translate between technical teams and business stakeholders. This translation skill, making technical concepts accessible without losing accuracy, making business requirements implementable without losing context, is the core competency.

What's Driving Demand Now

Three forces are creating demand for these functions right now.

Regulation is crystallizing. The EU AI Act is in effect. US state laws are multiplying. The gray zone where companies could self-govern is shrinking. Compliance isn't optional.

Failures are documented. We now have case law, the biased hiring algorithms, the chatbot lawsuits, the discriminatory healthcare algorithms. These cases justify why the governance function exists.

Deployment is scaling. When AI was limited to specialized applications, governance could be ad hoc. When it's embedded across the organization, you need systematic approaches. You need dedicated roles.

An Invitation to Think Differently

I started by saying that "What is AI governance?" reveals a lot about how people think about the field.

Here's how I'd suggest thinking about it:

Don't ask "What is AI governance?" Ask "Which AI governance function aligns with my background and interests?"

Don't ask "How do I get into AI governance?" Ask "What's the shortest path from my current expertise to a specific function cluster?"

Don't ask "Is AI governance a good career?" Ask "Which of these functions is likely to grow, and which matches my strengths?"

The field is real. The demand is real. But it's not one thing.

It's a cluster of functions, still being defined, with boundaries still being drawn.

Understanding that gives you a more useful map.