Enterprise Patterns
How Microsoft, IBM, Salesforce, and Google structure their AI governance.
Microsoft
Microsoft's AI governance is one of the most publicly documented enterprise examples. The company publishes an annual Responsible AI Transparency Report (first issued in 2024) and makes its Responsible AI Standard publicly available.
Structure
- Office of Responsible AI (ORA). Sets company-wide internal policies, defines governance structures, provides resources to adopt responsible AI practices, reviews sensitive use cases, and helps shape public policy. Reports to the Board of Directors.
- Responsible AI Council. A senior-leadership forum led by CTO Kevin Scott and Vice Chair and President Brad Smith. Provides strategic guidance and executive sponsorship.
- Division-level leaders. Responsible AI CVPs in each division operationalize the Responsible AI Standard within their business units.
- Champion network. Champions embedded across the company support impact assessments and local implementation.
- Aether Committee. Researchers in the AI Ethics and Effects in Engineering and Research (Aether) Committee, Microsoft Research, and engineering teams keep the responsible AI program on the leading edge.
Key Practices
- Responsible AI Standard v2. A set of company-wide requirements covering fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. Applied across all AI products and services.
- Impact assessments. Required for AI systems, with workflow tooling to register projects and route reviews to the appropriate specialists.
- Specialist routing. Security, privacy, and responsible AI experts are involved for sensitive or generative AI use cases.
- Red-teaming at scale. In 2024, Microsoft's AI Red Team conducted 67 operations across flagship models including the Phi series and Copilot tools, stress-testing for vulnerabilities and misuse.
- Annual transparency reporting. Public reporting on governance activity, risk management, and program evolution. The 2025 report introduced a Frontier Governance Framework for managing risks from frontier AI models.
Lesson for Your Council
Microsoft demonstrates the hybrid model at scale: central policy authority (ORA), division-level accountability (CVPs), a champion network for operational reach, and a research arm (Aether) that keeps governance current. The annual transparency report is worth studying as a model for your own reporting.
IBM
IBM's AI Ethics Board, founded in 2019, is one of the longest-running enterprise AI governance bodies. IBM published a five-year anniversary retrospective in November 2024 documenting the Board's evolution.
Structure
IBM's governance framework operates through four distinct roles:
- Policy Advisory Committee. Senior leaders responsible for regulatory strategy, risk tolerance, and oversight of the overall AI ethics program.
- AI Ethics Board. A central, cross-disciplinary body co-chaired by IBM's Chief Privacy and Trust Officer and global AI ethics leader. The Board reviews AI use cases, sets ethics policies, and makes governance decisions. It includes a diverse set of stakeholders from across the company.
- AI Ethics Focal Points. Business unit representatives trained in AI ethics who serve as first points of contact. When an ethics issue is identified, the Focal Point for that business unit initiates an assessment, triages low-risk cases, and escalates higher-risk cases to the Board.
- Advocacy Network. A grassroots-level network of employees who share and promote IBM's technology ethics principles within their teams and scale awareness across the organization.
Key Practices
- Top-down and bottom-up. The Board and Focal Points work together in both directions. The Board sets policy and reviews escalations; Focal Points surface concerns from the front lines.
- Responsible Technology Board. Enterprise-wide standards and guidance are coordinated through this broader board, which covers AI alongside other emerging technology ethics concerns.
- Academic collaboration. IBM partners with the Notre Dame-IBM Tech Ethics Lab for applied research and best practices in technology ethics.
- Continuous evolution. Over five years, the Board evolved from a reactive review body to what IBM describes as a "proactive and agile integrated AI governance mechanism" that provides risk assessment, education, and tooling.
Lesson for Your Council
IBM's four-role model shows how to create clear separation of concerns: strategic oversight (Policy Advisory Committee), centralized review (Board), operational embedding (Focal Points), and cultural scaling (Advocacy Network). The Focal Point role maps directly to the Champion Networks pattern in this toolkit.
Salesforce
Salesforce governs AI through its Office of Ethical and Humane Use (OEHU), which translates the company's trust commitments into operational governance.
Structure
- Office of Ethical and Humane Use. Guides responsible development and deployment of AI, both in Salesforce's own products and for customers using Salesforce AI features. Led by a Chief Ethical and Humane Use Officer.
- Board-level oversight. The Cybersecurity and Privacy Committee of Salesforce's Board of Directors meets quarterly with the Chief Ethical and Humane Use Officer to review trusted AI priorities.
- Executive integration. The OEHU has regular interactions with the executive leadership team for policy and product review and approval.
- Multi-layer governance. Day-to-day operational reviews, executive accountability, and independent external input each play a role, with these structures guiding decision-making and surfacing risk across AI systems.
Key Practices
- Trusted AI Principles. Five guiding principles covering human rights protections, privacy by design, protection from harm, data provenance and transparency, and equal access to technology.
- AI Acceptable Use Policy. Defines clear boundaries for AI use, including required practices (disclosure, human oversight) and restricted high-risk uses (fully automated high-impact decisions).
- Responsible AI governance page. Publicly documents how governance is structured and how policy is implemented.
- OECD transparency reporting. Salesforce participates in the G7 Hiroshima AI Process transparency framework.
Lesson for Your Council
Salesforce shows that governance is most effective when it is embedded in how products are built, not layered on top. The direct line from the OEHU to the Board's Cybersecurity and Privacy Committee is a strong model for executive accountability. If your council is looking for a template for board-level reporting, Salesforce's structure is worth studying.
Google published its AI Principles in 2018 and has released annual Responsible AI progress reports since 2019, with the sixth report published in 2024 and the seventh in 2026.
Structure
Google's governance is operationalized through a multi-layered approach that spans the entire model lifecycle. Rather than publishing a single governance org chart, Google describes its approach through its AI Responsibility Lifecycle, a four-phase process:
- Research. Responsible AI considerations are integrated from the earliest research stages.
- Design. Products are designed with safety, fairness, and transparency as requirements.
- Govern. Risk assessment, testing, red-teaming, and structured review before deployment.
- Share. Post-launch monitoring, transparency reporting, and public sharing of tools and learnings.
Key Practices
- End-to-end lifecycle. Responsibility is not a single review gate. It spans from early research through post-launch monitoring, with safety and security checks at each phase.
- Rigorous evaluation. AI risks are identified through research, external expert input, and red-teaming. Systems are evaluated against safety, privacy, and security benchmarks before release.
- Post-launch monitoring. Deployed systems are continuously monitored, with remediation processes for issues discovered after launch.
- Secure AI Framework (SAIF). Google's framework for securing AI systems, which this toolkit references in the Security Review section.
Lesson for Your Council
Google reinforces that councils must run both front-door review (pre-deployment) and ongoing monitoring (post-deployment). Approval is not the finish line. The lifecycle framing is a useful mental model for explaining to stakeholders why governance does not end at launch.
Sources
- Microsoft Responsible AI Principles and Approach: microsoft.com/en-us/ai/principles-and-approach
- Microsoft Responsible AI Standard v2 (PDF): cdn-dynmedia-1.microsoft.com
- Microsoft Responsible AI Transparency Report: microsoft.com/en-us/corporate-responsibility/responsible-ai-transparency-report
- IBM, "A look into IBM's AI ethics governance framework": ibm.com/think/insights/a-look-into-ibms-ai-ethics-governance-framework
- IBM, "Reflecting on the Five-Year Anniversary of IBM's AI Ethics Board": ibm.com/think/insights/Reflecting-on-IBM-AI-Ethics-Board
- IBM, "Balancing innovation and trust": ibm.com/think/insights/balancing-innovation-and-trust
- IBM AI Ethics Board Five-Year Anniversary Report (PDF): ibm.com/downloads/documents/us-en/107a02f5d048f2e2
- Salesforce Office of Ethical and Humane Use: salesforce.com/company/ethical-and-humane-use
- Salesforce Responsible AI Governance: salesforce.com/company/ethical-and-humane-use/responsible-ai-governance
- Salesforce Trusted AI Principles: salesforce.com/blog/meet-salesforces-trusted-ai-principles
- Salesforce OECD G7 Hiroshima AI Process Transparency Report: transparency.oecd.ai
- Google AI Principles: ai.google/principles
- Google, "Responsible AI: Our 2024 report and ongoing work": blog.google
- Google AI Responsibility 2024 Update (PDF): ai.google/static/documents/ai-responsibility-2024-update.pdf
- Google Secure AI Framework (SAIF): safety.google/cybersecurity-advancements/saif