§ Perspectives · AI Governance · July 2, 2026

The five stages of AI governance.

Discover → Assess → Establish → Prove → Sustain — the lifecycle underneath every credible AI-governance program, in plain terms.

By Lindsay Hiebert · Founder · CISSP

Strip the acronyms away and every serious approach to AI governance — the frameworks regulators publish, the standards auditors use, the curricula executive programs teach — moves through the same five stages. Not because anyone copied anyone, but because the work has a natural order: you can’t assess what you haven’t found, can’t establish rules for risks you haven’t weighed, can’t prove what you never wrote down, and can’t sustain a program that was only ever a snapshot.

SanctumShield uses its own neutral names for these stages — Discover, Assess, Establish, Prove, Sustain — and they map cleanly onto the phase structure of the NIST AI RMF (Govern / Map / Measure / Manage), ISO/IEC 42001, and the executive AI-governance curricula now emerging from academic institutions. Same arc, different labels. Here’s what each stage asks for — and, honestly, where SanctumShield is strong and where it’s still building.

1. Discover — see the whole AI footprint, not just the part you remember

What the stage needs: an AI footprint map, a shadow-AI inventory, a gap-priority matrix, and a stakeholder map — a real picture of where AI lives, including what nobody wrote down.

How SanctumShield produces it: the free Shadow AI Risk Calculator plus network-log analysis — observation over attestation — across the four-layer risk surface, matched against a 72-endpoint AI registry and an 80-plus-tool catalog, with gap findings ranked by impact in the Executive Risk Report. The log analysis works only on destination hostnames you choose to export and share — SanctumShield never reaches into your network.
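The mechanics behind that "observation over attestation" step are simple to show in code. The following is an added illustration, not SanctumShield's own implementation or its registry: it assumes a tab-separated export of `timestamp`, `source_id`, `hostname` (a constructed format), a small placeholder registry of AI endpoint suffixes under `.example` (constructed, standing in for the page's 72-endpoint registry), and a hypothetical `SANCTIONED` set. It builds a shadow-AI inventory from the exported hostnames alone, handling subdomains by longest-suffix match, skipping malformed lines, and ranking the unsanctioned tools by how many distinct sources reach them.

```python
"""Shadow-AI inventory from exported destination hostnames (added example)."""

# Constructed registry: hostname suffix -> (tool name, category).
# Placeholder domains under .example, not a real vendor list.
AI_REGISTRY = {
    "chat-llm.example": ("ChatLLM (consumer)", "generative-text"),
    "enterprise.chat-llm.example": ("ChatLLM Enterprise", "generative-text"),
    "codehelper.example": ("CodeHelper", "code-assistant"),
    "imagegen.example": ("ImageGen", "image-generation"),
}

# Hypothetical: tools the organisation has formally approved.
SANCTIONED = {"ChatLLM Enterprise"}

# Constructed export: timestamp<TAB>source_id<TAB>destination hostname.
# One intranet host (not AI) and one malformed line are included on purpose.
SAMPLE_EXPORT = """\
2026-06-01T09:12:03Z\tws-017\tapi.chat-llm.example
2026-06-01T09:13:44Z\tws-017\tapi.chat-llm.example
2026-06-01T10:02:11Z\tws-042\tapi.enterprise.chat-llm.example
2026-06-01T10:05:00Z\tws-042\tcodehelper.example
2026-06-01T11:30:27Z\tws-088\timagegen.example
2026-06-01T11:31:02Z\tws-088\tintranet.corp.example
2026-06-02T08:00:00Z\tws-101\tchat-llm.example
malformed line without tabs
""".splitlines()


def match_registry(hostname):
    """Return (tool, category) for a hostname, or None if it is not an AI endpoint.

    Matches on label boundaries only ("notchat-llm.example" does not match
    "chat-llm.example"), and prefers the longest registry suffix so that a
    more specific entry such as enterprise.chat-llm.example wins.
    """
    host = hostname.strip().lower().rstrip(".")
    best = None
    for suffix, entry in AI_REGISTRY.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def parse_export_line(line):
    """Parse one export line; return (ts, source, host) or None if malformed."""
    parts = line.strip().split("\t")
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)


def build_inventory(lines):
    """Aggregate matched hostnames into a per-tool inventory.

    Timestamps are ISO-8601 UTC strings, so plain string min/max gives
    first/last seen without parsing.
    """
    inventory = {}
    for line in lines:
        record = parse_export_line(line)
        if record is None:
            continue
        ts, source, host = record
        entry = match_registry(host)
        if entry is None:
            continue
        tool, category = entry
        item = inventory.setdefault(tool, {
            "category": category,
            "requests": 0,
            "sources": set(),
            "hosts": set(),
            "first_seen": ts,
            "last_seen": ts,
            "sanctioned": tool in SANCTIONED,
        })
        item["requests"] += 1
        item["sources"].add(source)
        item["hosts"].add(host.lower())
        item["first_seen"] = min(item["first_seen"], ts)
        item["last_seen"] = max(item["last_seen"], ts)
    return inventory


def rank_gaps(inventory):
    """Unsanctioned tools, broadest footprint first (sources, then volume)."""
    unsanctioned = [t for t, i in inventory.items() if not i["sanctioned"]]
    return sorted(
        unsanctioned,
        key=lambda t: (-len(inventory[t]["sources"]), -inventory[t]["requests"], t),
    )


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_EXPORT)
    for tool in rank_gaps(inv):
        i = inv[tool]
        print(f"{tool:20} {i['category']:18} sources={len(i['sources'])} "
              f"requests={i['requests']} first={i['first_seen']} last={i['last_seen']}")
```

Ranking by distinct sources before raw request count mirrors the "impact-first" idea: one workstation hammering an endpoint is a narrower problem than ten workstations each touching it once. The longest-suffix rule matters in practice because a sanctioned enterprise tenant and an unsanctioned consumer tier often share a parent domain.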

Honest coverage: Strong on footprint, shadow-AI, and gap prioritization. The stakeholder map is on the active roadmap.

2. Assess — weigh the risk, including fairness

What the stage needs: a risk assessment plus a fairness / bias audit, pre-committed ethical red lines, and a non-discrimination check.

How SanctumShield produces it: the Executive Risk Report — five findings, impact-first severity, and toxic-combination analysis — anchored to real clauses.

Honest coverage: Strong on security and regulatory risk. Fairness / non-discrimination is the stage we are investing in most: a dedicated Algorithmic Discrimination Governance Gap finding type and an AUP fairness-controls appendix, anchored to Colorado SB 24-205, EU AI Act Article 10, NYC Local Law 144, EEOC guidance, and NIST AI RMF MEASURE-2.11. Some ships today; the full fairness appendix is on the near-term roadmap, labeled as such.

3. Establish — write the rules and name who decides

What the stage needs: a governance charter, an AI governance council, decision rights (a RACI matrix), and a policy framework.

How SanctumShield produces it: the AI Acceptable Use Policy — generated and clause-anchored, not started from a blank page — which is the policy framework, including a roles section.

Honest coverage: Strong on the policy framework. The explicit council charter + decision-rights (RACI) matrix are being added to the artifact set; roadmap-labeled where not yet shipping.

4. Prove — the part almost nothing else gives you

What the stage needs: model cards, decision logs, a regulatory compliance map, and an audit trail.

How SanctumShield produces it: a verification URL — third-party-queryable for five years — plus observation-over-attestation log analysis and a multi-framework clause map, delivered as the Executive Risk Report.

Honest coverage: This is where SanctumShield is stronger than a workshop or a consultant binder. A course teaches you to template evidence; SanctumShield produces evidence an outsider can independently verify. The one template-style item still on the roadmap is a model-card generator.

5. Sustain — governance is a film, not a photograph

What the stage needs: a vision statement, a 90-day plan with owners, quick wins, a communications plan, and a governance health scorecard.

How SanctumShield produces it: the Executive Risk Report’s 90-day plan and quick wins, the Board Memo (a CEO-voice vision in one page), and a monthly registry + regulatory refresh that is the review cadence — the operational form of Due Diligence.

Honest coverage: Strong on plan, vision, and cadence. The quarterly governance health scorecard and a formal stakeholder comms plan are on the roadmap.

Why the parallel matters — and where the tooling fits

If you’ve taken (or are considering) an executive AI-governance course, you’ll recognize this arc — that’s the point. Executive education builds the judgment to lead governance and walks you through building the playbook by hand. SanctumShield generates and verifies that same playbook, across Discover → Assess → Establish → Prove → Sustain, in about ten minutes — and adds the one thing a workshop structurally can’t: a third-party-verifiable artifact that’s still true next quarter. Education and tooling are complementary; you want both. See the full stage-to-artifact mapping, read why judgment is not evidence, or run the free Shadow AI Risk Calculator to get an observed — not self-reported — picture of your exposure.

Free Shadow AI Risk Audit

See what your current stack is missing — in 12 questions.

The SanctumShield free Shadow AI Risk Calculator runs in your browser. No account, no email, no credit card. Twelve questions, instant risk score, three primary findings tailored to what you submit.
