Featured image for the blog post on governing the iuse of GenAI in project management

Generative AI Governance for Project Teams: A Strategic Imperative for UK/US Compliance

02/01/2025 | Blog

Introduction: Bridging Innovation and Responsibility

The advent of Generative AI (GenAI) has fundamentally reshaped the landscape of enterprise operations, offering project teams unprecedented capabilities. From automating the creation of complex project documentation and drafting sophisticated communication plans to performing advanced risk modeling and resource allocation, GenAI tools are rapidly becoming indispensable assets. This power, however, is inextricably linked to a complex set of risks. The speed of GenAI adoption often outpaces the establishment of robust, project-level governance, creating significant legal, ethical, and operational exposure that can erode stakeholder trust and jeopardise strategic objectives.

For organisations operating in or across the UK and US markets, the challenge is compounded by a diverging regulatory environment. The C-suite is tasked with balancing innovation with strategic risk, Project Managers must ensure successful, compliant execution, and Compliance Officers are responsible for navigating a patchwork of evolving regulations. This article posits that effective GenAI governance is a strategic imperative that must be operationalised at the project level, requiring a cohesive, collaborative effort from all three stakeholder groups. Governance, in this context, is the essential foundation for scaling GenAI safely and realising its full return on investment.

 

The Strategic Imperative: Navigating the Generative AI Risk Landscape

The primary reason for embedding governance within project teams is the necessity of mitigating the multifaceted risks inherent in GenAI deployment. These risks extend beyond traditional IT security concerns and fall broadly into four categories:

Operational Risk

This category encompasses risks related to the quality and reliability of GenAI outputs. The most publicised is the phenomenon of “hallucination,” where models generate plausible but factually incorrect information. For a project team, this can lead to flawed decision-making, incorrect resource allocation, or the creation of misleading deliverables. Furthermore, model drift, where a model’s performance degrades over time due to changes in input data or the operating environment, can silently undermine project quality and predictability.

Legal and Compliance Risk

This is arguably the most immediate concern for Compliance Officers. GenAI models, trained on vast, often unsourced datasets, introduce significant risks related to Intellectual Property infringement. Project teams must be vigilant that model outputs do not inadvertently reproduce copyrighted material. Equally critical is the risk of data leakage, where sensitive or proprietary information, including Personally Identifiable Information, is inadvertently submitted to a public-facing model, violating data protection regulations such as the UK’s GDPR.

Ethical and Societal Risk

Ethical considerations are paramount, particularly for C-suite executives concerned with brand reputation and societal impact. Algorithmic bias is a persistent threat, where biases present in the training data are amplified by the model, leading to unfair or discriminatory outcomes in areas like hiring, lending, or resource distribution. Project teams must implement mechanisms to test for and mitigate these biases to ensure that the use of GenAI aligns with the organisation’s core values and regulatory expectations for fairness.

Security Risk

Beyond traditional cybersecurity, GenAI introduces novel attack vectors. Prompt injection allows malicious actors to manipulate a model’s behavior through specially crafted inputs, potentially leading to unauthorised data access or the generation of harmful content. Model poisoning involves corrupting the training data to compromise the model’s integrity. Project teams must adopt a security-by-design approach, recognising that the model itself is a new attack surface.

 

Regulatory Context: A Transatlantic View (UK vs. US)

The strategic challenge for global organisations is the lack of a unified international regulatory standard. The UK and US have adopted distinct, yet complementary, approaches to AI governance, both of which demand proactive project-level compliance.

The United States has largely favored a voluntary, sector-specific, and risk-based approach. The [NIST AI Risk Management Framework (AI RMF)][1] serves as the de facto standard, providing a structured methodology for organisations to manage risks associated with AI systems. The AI RMF is built around four core functions: Govern, Map, Measure, and Manage.  Project Managers can directly integrate this into their project lifecycle.

In contrast, the United Kingdom has adopted a principles-based, pro-innovation stance, as outlined in its 2022 White Paper on AI Regulation [2]. Rather than creating a single, centralised regulator, the UK system relies on existing sector-specific regulators (e.g., the Information Commissioner’s Office (ICO) for data protection, the Financial Conduct Authority (FCA) for financial services) to apply five core principles: safety, transparency, fairness, accountability, and contestability. This decentralised model places a greater burden on project teams to interpret and apply these high-level principles to their specific use cases.

 

The following table summarises the key differences and implications for project teams:

Feature

United States (NIST AI RMF)

United Kingdom (Principles-Based)

Regulatory Model

Voluntary, Risk-Based Framework

Pro-Innovation, Sector-Specific Principles

Key Document

AI Risk Management Framework (AI RMF)

White Paper on AI Regulation (5 Principles)

Focus for Project Managers

Integrating Govern/Map/Measure/Manage into the project lifecycle.

Translating high-level principles (e.g., fairness, transparency) into project-specific guardrails and controls.

Compliance Driver

Industry best practice, contractual requirements, and emerging state-level legislation.

Existing sector-specific regulators (e.g., ICO, FCA) applying general principles to AI use cases.

Gudance on How to Govern GenAI Use in Projects Specifically

High level

None

 

Operationalising Governance: Important Considertions Project Teams

Enterprise-level governance frameworks, such as those proposed by leading consultancies [3], must be translated into actionable steps for project teams. This operationalization is the crucial link between C-suite strategy and compliant execution. We adapt the five foundational pillars of AI governance to the project environment:

AI Organisation and Accountability

Governance begins with clear ownership. At the project level, this means defining roles and responsibilities specifically for AI usage in projects. The AI Assistance Plan (recommended in the AI Project Governance Framework) includes a section for Roles and Responsibilities.  In also includes:

  • AI Assistance Objectives
  • AI Tools to be used and their use cases
  • Key Constraints (tool-based constraints and/or usage-based constraints)

 

Legal and Regulatory Compliance

Project teams are the frontline defense against legal exposure. The focus here is on managing inputs and validating outputs:

  • Data Provenance and Licensing: Before any data is used to fine-tune a model or as a prompt input, the team must verify its source and licensing terms. This is particularly important for projects that need to ensure strict controls over personal data.
  • Output Validation for IP: A mandatory check must be implemented to screen GenAI outputs for potential IP infringement, especially when the output is intended for external use or publication. This includes checking for verbatim or near-verbatim reproduction of existing works.

 

Ethics, Transparency, and Interpretability

Ethical governance is a continuous process, not a one-time audit. Project teams must embed ethical checks into their workflow:

  • Bias Mitigation Testing: Teams must establish a process to test model outputs for bias, particularly in sensitive domains. This involves defining metrics for fairness and documenting the results of bias assessments.
  • Human-in-the-Loop (HITL): For all high-risk GenAI applications (e.g., automated decision-making, critical risk assessments), a HITL mechanism must be mandated. This ensures that a qualified human reviews, validates, and takes ultimate responsibility for the final output, thereby mitigating the risk of unmonitored algorithmic error.

 

Data, AI Ops, and Infrastructure

This focuses on the technical controls necessary for auditability and security. Project teams must ensure that their use of GenAI is auditable from end-to-end:

  • Secure Data Handling: When using sensitive data as input, teams must employ techniques like data masking or tokenisation to protect the underlying information from the model and the service provider.
  • Model Lineage and Auditability: The project’s infrastructure must be capable of tracking and logging the entire lifecycle of a GenAI output: which model version, with which specific prompt, produced which output, and when. This complete audit trail is essential for post-incident analysis and demonstrating compliance to regulators [4].

 

AI Security

Project teams must be trained to recognise and defend against GenAI-specific security threats:

  • Prompt Safety Training: All team members must be trained on the risks of prompt injection and best practices for crafting secure, non-malicious prompts.
  • Securing the GenAI Supply Chain: Project Managers must vet any third-party GenAI models or APIs used in the project, ensuring they meet the organisation’s security standards and that contractual terms address liability and data handling.

 

Integrating Governance into the Project Lifecycle (A Practical Roadmap)

For the Project Manager, governance should not be a parallel administrative task but an integrated component of the standard project lifecycle. By embedding governance checks at each stage, teams can proactively manage risk rather than reactively addressing failures.

 

Phase 1: Initiation & Definition

The governance process begins before the first line of code is written or the first prompt is submitted.

  • Mandatory AI Use Case Assessment: The team must conduct a formal assessment to determine the risk and value of the proposed GenAI use case. High-risk applications (e.g., those involving PII or critical decision-making) require heightened governance controls and C-suite sign-off.
  • Defining the “Acceptable Use” Policy: Based on the risk assessment, the team defines the specific boundaries for GenAI use within the project, including which data sources are permissible and which models are approved.

 

Phase 2: Planning & Design

Governance informs the technical architecture and workflow design.

  • Identifying GenAI Touchpoints: The project plan must explicitly map every point where a GenAI tool interacts with data or produces a deliverable. Each touchpoint is a potential risk vector that requires a specific control.
  • Designing the HITL Workflow: The team designs the Human-in-the-Loop process, specifying who is responsible for the review, what criteria they use for validation, and how the final human approval is logged.

 

Phase 3: Execution & Monitoring

This is the phase of continuous enforcement and vigilance.

  • Enforcing Output Validation and Logging: Automated checks should be implemented to scan GenAI outputs for red flags (e.g., high similarity to copyrighted text, presence of PII). All inputs, outputs, and validation results must be logged.
  • Continuous Monitoring: Project teams must monitor model performance for signs of drift or unexpected behavior. This includes tracking key performance indicators (KPIs) related to accuracy, bias metrics, and compliance with the acceptable use policy.

 

Phase 4: Closing & Review

Governance extends beyond project delivery to ensure organizational learning and future compliance.

  • Post-Mortem Governance Review: The team conducts a formal review of the AI governance process, assessing its effectiveness, identifying control failures, and documenting lessons learned.
  • Archiving Model Lineage and Audit Logs: All audit logs, model versions, and governance documentation must be securely archived. This is crucial for demonstrating due diligence in the event of a future regulatory inquiry or legal challenge.

 

Conclusion: Governance as an Enabler of Innovation

Generative AI offers a profound opportunity to enhance project efficiency and innovation. However, this opportunity is conditional upon the establishment of rigorous, project-level governance. For the C-suite, this means recognizing that investment in governance infrastructure is an investment in strategic resilience. For Compliance Officers, it means moving beyond abstract policy to provide clear, actionable guidance tailored to the project environment. And for Project Managers, it means embracing governance not as a bureaucratic hurdle, but as a core component of quality assurance and risk management.

 

By operationalizing the five pillars of governance and integrating them seamlessly into the project lifecycle, organizations can transform GenAI from a potential liability into a reliable, strategic asset. The future of successful project delivery in the age of AI will belong to those who master the art of governing their innovation with precision and foresight.

 

References

[1] National Institute of Standards and Technology (NIST). Artificial Intelligence Risk Management Framework (AI RMF 1.0). U.S. Department of Commerce, 2023. [https://www.nist.gov/itl/ai-risk-management-framework]

[2] Department for Science, Innovation and Technology (DSIT). AI regulation: a pro-innovation approach. UK Government White Paper, 2023. [https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach]

[3] Deloitte. Generative AI Governance Considerations. [https://www.deloitte.com/us/en/services/consulting/blogs/human-capital/ai-governance-framework.html]

[4] Cloud Security Alliance (CSA). The Explosive Growth of Generative AI: Security and Compliance Considerations. [https://cloudsecurityalliance.org/blog/2025/02/20/the-explosive-growth-of-generative-ai-security-and-compliance-considerations]

[5] Project Management Institute (PMI). AI Data Governance Best Practices for Security and Quality. [https://www.pmi.org/blog/ai-data-governance-best-practices]

[6] Databricks. A Practical AI Governance Framework for Enterprises. [https://www.databricks.com/blog/practical-ai-governance-framework-enterprises]

Found out more about AI Project Governance certification

with APMG International

AIPGF APMG Foundation Badge
AI Project Governance Practitioner AIPGF Badge APMG International
Find out more
Prev Post

The AI Project Governance Framework (AIPGF) offers a sensible methodology for facilitating ethical, efficient and effective human-AI project collaboration.  

  • Can be integrated with a chosen project management methodology or approach, such as Agile, PRINCE2, PMBOK or hybrid approaches.
  • Provides structured and scalable AI governance, supporting projects and programmes of varying size, complexity, risk and AI adoption maturity.
  • Facilitates and encourages a high standard of ethical, efficient and effective use of AI in projects and programmes.

By implementing the Framework, organisations can systematically govern AI use across their portfolio of projects and programmes, as their AI adoption scales and as AI tools evolve.  The accompanying  AI Project Governance Capability Maturity Model (AIPG-CMM) can be used to establish maturity benchmarks and actions towards continuous improvement.

Disclaimer

The AIPGF is intended to provide practical guidance for governing the use of AI in projects and programmes. The author (Emanuela Giangregorio) expressly disclaims all liability to any person or organisation arising directly or indirectly from the use of, or for any errors or omissions in, the AIPGF guidance. The adoption and application of the guidance is at organisation discretion and is their sole responsibility.   

Navigation

© Copyright since 2025 Aikaizen Limited. All Rights Reserved.

 Aikaizen Limited is a company registered in England and Wales, and trades as Project Management in Practice (PMIP).

WordPress Cookie Plugin by Real Cookie Banner