Govern a GenAI chatbot
A GenAI assistant, whether it answers customers or helps staff, is one of the most common AI systems an organisation needs to govern. This guide takes one from unmanaged to governed.
When to use this
You have deployed, or are about to deploy, a chatbot or copilot built on a language model: customer support, internal knowledge, complaint handling, document Q&A or similar.
What you will produce
A registered, risk-tiered chatbot with documented transparency and oversight controls, supporting evidence, and, if it can take action, enforced runtime governance.
- Register it. Add the assistant in AI System Records with a named owner and a model card capturing the model, provider and intended use.
- Run intake. In AI Use Case Intake, capture purpose, users, data exposure and oversight, and flag public-facing use, personal data and any retrieval (RAG) sources. Confirm the risk tier.
- Route it. Most customer-facing assistants route to GTSAF for depth and the EU AI Act for transparency obligations.
- Evidence the key controls. Through the Evidence Tracker, capture: disclosure that users are interacting with AI, human-oversight and escalation paths, content and safety controls, and data-handling for any retrieved sources.
- Decide if it acts. If the assistant only answers, you are largely done. If it can take action (issue refunds, change records, call tools), govern it as an agentic workflow: register it in Agentic CISO and enforce action through Gateway.
- Track and report. Raise findings for any gaps, work them on the Remediation Roadmap, and report posture via reporting.
Modules and frameworks involved
AI System Records, intake & risk tiering, GTSAF, EU AI Act, evidence & findings, and the agentic stack if the assistant takes action.
- Govern an agentic workflow: if your assistant can act.
- EU AI Act readiness: the transparency obligations in depth.
- Scenario guides: the full set.