Skip to main content
COMPEL Body of Knowledge
Get Certified Platform
AITGP M3.3-Art16 v1.0 Reviewed 2026-04-06 Open Access
M3.3 Advanced Technology Architecture for AI at Scale
AITGP · Governance Professional

Recursive Governance — Governing the Governance AI

Recursive Governance — Governing the Governance AI — Technology Architecture & Infrastructure — Advanced depth — COMPEL Body of Knowledge.

8 min read Article 16 of 16 Model Produce

This article addresses the paradox of meta-governance: who governs the governors, and how?

The Recursive Paradox

The paradox is straightforward: if AI governance is important enough to warrant a dedicated function, tools, and processes, then the AI tools used by that function are important enough to warrant governance. But if the governance function governs its own tools, who checks the checkers?

This is not a hypothetical concern. Consider three failure scenarios:

Scenario 1: Classification Drift. A risk classification assistant gradually drifts toward classifying systems as lower risk than they warrant, because the training data over-represents low-risk systems (which are more common). The governance team, relying on the assistant’s suggestions, does not notice the drift because they use the assistant to prioritise which systems to review manually — creating a feedback loop where under-classified systems receive less scrutiny, reinforcing the misclassification.

Scenario 2: Compliance Theatre. A compliance gap analyser reports that 95% of AI systems are fully compliant. The board is reassured. But the analyser has a blind spot: it does not check for a recently enacted regulatory requirement because its requirement database has not been updated. The organisation is non-compliant with a significant obligation but believes it is in full compliance.

Scenario 3: Report Hallucination. A stakeholder report generator produces a quarterly board report that includes a plausible-sounding statement about fairness metric trends. The statement is factually incorrect — the generator interpolated between data points in a way that created a misleading trend line. The governance team reviews the report for format and coherence but does not independently verify every claim against the raw data.

Each scenario illustrates the same structural risk: governance AI can produce wrong outputs that look right, and the people best positioned to catch the errors are the same people who rely on the tool.

Principles of Recursive Governance

The COMPEL meta-governance principles provide the foundation for recursive governance:

Principle 1: Register and Classify

Every AI tool used by the governance function must be registered in the organisation’s AI system inventory — the same inventory that tracks business AI systems. It receives a risk classification based on the same criteria: what decisions does it influence, who is affected, what is the consequence of error?

Governance AI tools are typically classified as medium risk. They influence governance decisions (risk classification, compliance assessment, resource allocation) that affect the entire AI portfolio. Their errors can cascade through the governance process. But they do not directly affect individual rights or make autonomous decisions — those remain with human governance professionals.

Principle 2: Independent Oversight

The governance function should not be the sole assessor of its own tools. Independent oversight mechanisms include:

Internal audit. The internal audit function should include governance AI tools in its audit programme, evaluating their accuracy, reliability, and governance compliance.

External review. Periodic independent review of governance AI tools by qualified external assessors provides a check on internal blind spots.

Governance committee oversight. The governance committee (or board-level AI oversight body) should receive regular reports on governance AI tool performance, including accuracy metrics, override rates, and identified limitations.

Principle 3: Accuracy Benchmarking

Governance AI tool outputs must be systematically compared to expert human judgments:

Classification accuracy. Sample 50–100 AI systems per quarter. Have the governance AI classify them and have a human expert independently classify them. Measure agreement rate, false-high rate (AI suggests lower risk than the expert), and false-low rate (AI suggests higher risk than the expert). False-high is the dangerous direction.

Gap detection recall. Have the compliance gap analyser assess a set of systems, then have an independent audit team assess the same systems. Measure how many gaps the AI found that the audit confirmed (precision) and how many the audit found that the AI missed (recall).

Report accuracy. For each report generated, randomly verify 5–10 factual claims against the raw data. Track the error rate over time.

Principle 4: Transparent Limitations

Governance AI tools should be more transparent about their limitations than any other AI system in the organisation, because their limitations directly affect governance quality:

Publish model cards for governance AI tools that document: training data sources, known limitations, accuracy benchmarks, failure modes, and the types of governance decisions the tool should and should not inform.

Display confidence indicators on every output. A risk classification suggestion should indicate the model’s confidence level. A compliance gap analysis should flag areas where coverage is uncertain.

Maintain a known limitations register that is reviewed at every governance committee meeting.

Principle 5: Human Override Authority

Human governance professionals must retain meaningful authority to override governance AI outputs, and the exercise of that authority must be tracked:

Override rates should be monitored. If governance professionals override fewer than 5% of AI recommendations, investigate whether rubber-stamping is occurring. If they override more than 30%, the AI tool is not providing sufficient value.

Override rationale must be documented. This creates a training signal for improving the governance AI and an audit trail for understanding governance decisions.

Override analysis should feed back into the AI tool: are overrides concentrated in specific system types, risk categories, or regulatory domains? This reveals where the AI tool needs improvement.

Principle 6: Separation of Roles

The team that develops and maintains the governance AI tool should be distinct from the team that uses it for governance decisions. This separation prevents the developers from adjusting the tool to produce the outputs the governance team expects rather than the outputs the evidence supports.

If full separation is not feasible (often the case in smaller organisations), implement compensating controls: require external review of the tool’s accuracy, rotate the governance team members who interact with the tool, and ensure the governance committee receives unfiltered accuracy reports.

Principle 7: Graceful Degradation

What happens when the governance AI tool is unavailable, produces obviously incorrect outputs, or is under review? The governance function must have manual fallback procedures:

  • Manual risk classification using documented criteria (not ad hoc judgment)
  • Manual compliance assessment using regulatory checklists
  • Manual report generation from raw data sources

These manual procedures serve two purposes: they provide continuity when the AI tool is unavailable, and they provide an independent baseline against which AI tool performance can be benchmarked.

Implementing Recursive Governance in Practice

The Governance AI Governance Board

Establish a small oversight body (3–5 people) specifically responsible for the governance of governance AI tools. This body should include: a member of the governance team (as a user), a technical representative (who understands the tool’s architecture), a member of internal audit (for independent oversight), and ideally an external advisor.

This body meets quarterly to review: accuracy benchmarks, override analyses, known limitations, planned changes, and any incidents involving governance AI tools.

The Annual Recursive Audit

Once per year, conduct a comprehensive audit of all governance AI tools. The audit should:

  1. Verify that all governance AI tools are registered in the AI system inventory
  2. Confirm that risk classifications are current and appropriate
  3. Evaluate accuracy benchmarks against target thresholds
  4. Review override patterns and rationale
  5. Assess whether known limitations have been communicated to all governance AI users
  6. Verify that manual fallback procedures are documented and recently tested
  7. Evaluate whether the governance AI tools comply with the same policies they are used to enforce

The recursive audit should be conducted by internal audit or an external assessor — not by the governance team itself.

The Meta-Governance Maturity Journey

Recursive governance is not an all-or-nothing proposition. Organisations progress through maturity levels:

Level 1: Unaware. Governance AI tools are used but not recognised as AI systems requiring governance.

Level 2: Registered. Governance AI tools are registered in the AI inventory and assigned risk classifications.

Level 3: Monitored. Accuracy benchmarks are established and reported. Override rates are tracked.

Level 4: Governed. Independent oversight mechanisms are in place. The governance AI governance board is operational. Recursive audits are conducted annually.

Level 5: Exemplary. The governance function’s own AI governance practices are held up as the standard for the rest of the organisation. The governance function models the governance it preaches.

The aspiration is level 5: the governance function should be the best-governed AI deployer in the organisation, not the exception to its own rules.

This article is part of the COMPEL Body of Knowledge v2.5 and supports the AI Transformation Governance Professional (AITGP) certification.