Seven Phases of AI Governance for Local Government

A Practical Framework for Agencies Beginning Their AI Journey

Government Technology  |  AI Governance  |  Public Sector

AI is already inside your agency. Vendors are embedding it into the software you use every day — permitting systems, HR platforms, records management tools, and public safety software. In most cases, no one asked. It arrived as a feature update, buried in a release note, with no governance framework in place to receive it.

At the same time, regulations are moving fast. California’s Civil Rights Council implemented binding AI employment regulations in October 2025. Dozens of additional state and local AI laws are in various stages of development. The agencies that will navigate this landscape successfully are not the ones that adopt AI fastest — they are the ones that build the right governance foundations first.

What follows is a condensed version of a practical, phased governance framework developed from real public-sector cybersecurity and advisory experience. It is designed for the city manager, IT director, HR leader, or department head who needs a clear, easy to understand, actionable path — not an academic exercise.

The Core Principle: Governance Before Tools

The most common mistake organizations make is adopting AI tools before establishing the governance infrastructure to use them responsibly. Policies written after deployment are reactive. Data classified after AI ingestion is too late. Vendor contracts negotiated without AI governance language leave agencies legally exposed.

This framework is sequenced deliberately. Each phase builds on the one before it. The goal is not to slow down AI adoption — it is to make adoption sustainable, defensible, and aligned with the communities these agencies serve.

Phase 1: Establish Governance Authority First

Before any technical work begins, designate who is responsible for AI governance in your organization. This may be a named AI Governance Officer, an AI Steering Committee, or a hybrid model. The specific structure matters less than the fact that accountability exists. Without it, governance activities have no center of gravity, decisions stall, and there is no clear point of contact when regulators come asking. Establish a recurring executive reporting cadence from day one — even if early reports are brief. AI governance without executive visibility and informing elected officials is governance in name only.

Phase 2: Data Governance and Classification Must Come First

AI cannot operate safely or compliantly without governed, classified data. Before activating any AI feature, conduct a thorough assessment of where your data lives, how it flows, who owns it, what regulatory requirements apply to it, and which data might be inadvertently exposed to AI systems. Define sensitivity labels — public, internal, confidential, restricted — and educate every employee on how to handle data accordingly. This is the foundation. Everything else depends on it.

Phase 3: Start with Problems, Not Tools

Conduct structured interviews with department leaders to identify real operational challenges that AI might address. For each candidate use case, assess feasibility, operational impact, risks, staffing implications, and full cost — including ongoing expenses for in-house staff or MSP consulting support. Compile the results into an AI Use Case Roadmap, have leadership formally prioritize it, and use it to drive every subsequent resource and tooling decision. Agencies that skip this step end up with duplicate tools, misaligned spending, and AI deployments that solve problems no one had, and, in the end, without a goal.  Funding and resources become wasted efforts.

Phase 4: Build Policy and Vendor Governance Around Your Use Cases

Only after your data governance is established and your use cases are defined should you develop formal AI governance policies. Policies written in the abstract tend to be ignored. Policies built around real, approved use cases get used. Alongside internal policy, embed AI governance requirements language directly into vendor contracts — including mandatory disclosure of sub-processors and data residency/sovereignty, notification obligations if their AI systems are attacked or compromised, resiliency, recovery and liability terms for discriminatory or harmful AI outputs. Agencies that assume vendor contracts handle these issues are almost always wrong.

Phase 5: Organizational Change Management Is Not Optional

The most technically sound AI governance framework will fail if employees do not understand it, trust it, or know what it requires of them. Develop a layered internal communications strategy tailored to different audiences — frontline staff, supervisors, and executives each need different messages. Pair it with role-appropriate training that covers data handling requirements, how to recognize and report unexpected AI behavior, and what the governance policies actually require in practice. Change management is not soft. In local government, it is often the difference between a governance program that lives on paper and one that actually changes behavior.

Phase 6: Regulatory Compliance Requires a Monitoring Function, Not a One-Time Review

A single legal review at the time of AI deployment is not sufficient. California’s AI regulatory landscape alone — covering employment discrimination, automated decision systems, data privacy, and civil rights — is evolving continuously. Assign ongoing responsibility for regulatory monitoring, maintain an internal AI regulatory tracker, conduct periodic reviews with qualified legal counsel, and build civil rights and algorithmic fairness impact assessments into your use case evaluation process. The cost of falling behind is not theoretical: it includes legal exposure, audit findings, loss of public trust, and — in systems that affect critical services — real harm to real people.

Phase 7: Build AI-Specific Incident Response Before You Need It

Traditional cybersecurity incident response plans were not designed for AI-specific failure modes: model poisoning, data corruption through adversarial inputs, rogue agentic AI behavior, or model collapse. Develop AI-specific runbooks that define what normal AI behavior looks like, how anomalies are detected, what triggers a shutdown or rollback of AI agent access and actions, and what the communication obligations are internally and externally. Complement this with red-team and blue-team exercises and annual tabletop simulations that involve IT, legal, HR, and leadership together. The organizations that respond well to AI incidents are the ones that have rehearsed them.

This Is a Governance Model, Not a Checklist

What distinguishes this framework from a deployment checklist is its cyclical nature. Each phase requires a scheduled review cadence, named accountability, and ongoing adaptation. Monthly executive reporting, quarterly roadmap reviews, annual red team exercises, and full governance audits — these are not nice-to-haves. They are what separates a governance program that holds up under regulatory scrutiny from one that looks good on paper until something goes wrong.

Local government agencies are under real pressure to demonstrate responsible AI stewardship to their constituents, their oversight bodies, and their regulators. The agencies that build this foundation now — before the pressure becomes a crisis — will be far better positioned to capture the genuine operational benefits that AI can deliver, while protecting the public trust that makes those agencies effective in the first place.

Responsible AI adoption is not primarily a technology challenge. It is a governance, accountability, and culture challenge. Technology is the easy part.

About the Author Eudora Fleischman – Managing Director of Artemis Technology Advisors and Retired Infrastructure and Cybersecurity Manager & CISO.  Eudora is a government cybersecurity and AI governance advisor with 31 years of technical and leadership experience and 21 of those years working with public-sector organizations on cybersecurity GRC, data security, regulatory compliance, organizational resilience, disaster recovery and responsible technology adoption.