Policies and Safeguards for the Safe Use of AI

Considerations for creating an AI governance and safeguards framework

Throughout 2025 and early 2026, a team of AI-focused security professionals in the Health-ISAC Artificial Intelligence Working Group came together to create a white paper offering guidance on developing AI governance frameworks. The resulting white paper supplies a sample AI Acceptable Use Policy and detailed guidance on managing AI risks. It sets clear definitions of responsible use of generative AI and LLMs, prohibiting exposure of PHI, PII, and confidential data to public tools, and requiring authorization, oversight, and human review of AI outputs in clinical, HR, legal, and financial contexts.

Some features of the document include:

  • Formal AI governance structure. The paper lays out a concrete AI Governance Committee model with cross-functional representation (legal, privacy, security, technology, data science, business, ethics) that reports to senior leadership or the Board. It defines responsibilities and example metrics, and emphasizes that governance is a must-have, not optional.
  • A pillar-based AI Governance Framework. The document describes a seven-pillar framework: legislation/regulation/policy, AI privacy and ethics, use case governance, model lifecycle governance, contracting and third-party onboarding, AI incident response and breach management, and AI training and education. Each pillar has specific objectives and owners.
  • Practical roadmap for implementation. An implementation roadmap breaks the work into four phases: Initiation (committee, principles, inventory), Risk and Impact Assessment (DPIAs, bias audits, security reviews), Framework Deployment (policies, use case registration, lifecycle controls), and Monitoring and Review (periodic reviews, retraining, audits).
  • Detailed, reusable AI Acceptable Use Policy. The paper includes a full sample policy with purpose and scope, guiding principles, transparency and ethics, accountability and oversight, data privacy and security, confidentiality, acceptable and prohibited uses, enforcement, and definitions, plus a table of “allowed vs not allowed” for public AI tools.
  • Eight AI risk categories mapped to specific safeguards. The paper systematically covers data privacy and security, supply chain and third-party risk, model and output risk, bias and fairness, regulatory and compliance, security vulnerabilities, governance and oversight risk, and shadow AI, and pairs each with concrete safeguards such as data minimization, SBOMs, vendor due diligence, red teaming, contractual controls, and shadow AI detection.

 

Authors: Cohen, Luda (AbbVie); Mourad, Carole (Bio Bridge Global); Naik, Shrikanth (Abbott); Streelman, Jeff (SpendMend)

Content Contributors: Murphy, Bill (LeanTaaS); Gosnell, Joe (Tucson Medical Center)

TLP:WHITE This report may be shared without restriction.