Why Big Banks and Telecom Companies Are Rethinking How They Govern AI
Two major corporations operating across multiple countries have published detailed blueprints for how they govern artificial intelligence systems internally, and their approach challenges the assumption that regulation alone can manage AI risk. Banco Bradesco, one of Brazil's largest financial institutions, and TELUS, a Canadian telecommunications company, have documented their multi-tiered governance structures in a new case study report, revealing how cross-functional committees, role-specific training, and human-rights safeguards embedded throughout the AI development lifecycle can reduce regulatory exposure and operational risk.
The report, released by the AI Company Data Initiative, comes at a critical moment. Regulators worldwide, including those enforcing the EU AI Act, are increasingly scrutinizing how organizations actually govern AI systems internally. The case studies show that both Banco Bradesco and TELUS separated strategic oversight from operational execution, with defined review cadences and clear accountability chains. This structural separation appears to be emerging as a practical standard that compliance teams can benchmark against.
What Makes Internal AI Governance Different From Regulatory Compliance?
A growing body of research suggests that internal governance structures represent a layer of risk management that external regulation cannot fully address. The Oxford Internet Institute's Ethics in AI program has argued that corporate governance structures, including internal decision rights, executive accountability, and board-level oversight, shape deployment behavior in ways that compliance alone cannot reach. Organizations relying solely on regulatory compliance are leaving structural risk unaddressed.
The distinction matters because regulators are beginning to expect organizations to demonstrate that governance is embedded at every stage of AI system development, not just addressed through policy documents. Both Banco Bradesco and TELUS developed role-specific training programs rather than relying on generalized AI literacy initiatives. This targeted approach reduces the risk of misuse and accountability gaps across business units, and organizations using single, generalized training modules may find those programs inadequate under regulatory or auditor review.
How Should Organizations Structure Their AI Governance Committees?
- Two-Tier Committee Model: Separate strategic steering committees from operational review committees, with the strategic tier handling long-term policy and the operational tier conducting quarterly reviews of AI system performance, risk thresholds, and incident management.
- Human-Rights Safeguards at Every Lifecycle Stage: Embed human-rights considerations as mandatory checkpoints throughout AI system development, deployment, and monitoring, rather than addressing them only at the policy level or as an afterthought.
- Role-Specific Training Programs: Develop differentiated training curricula aligned to the specific responsibilities of each group interacting with AI systems, such as data scientists, product managers, compliance officers, and business unit leaders.
- Quarterly Operational Review Cadence: Establish a regular review schedule at the operational committee level with defined agenda items covering risk thresholds, incident review, and policy updates.
- Clear Escalation Paths and Decision Rights: Document who has authority to approve, pause, or reject AI system deployments, and ensure escalation procedures are defined for high-risk decisions.
The Banco Bradesco and TELUS case studies provide concrete examples of how these structures work in practice across multiple jurisdictions. Both organizations operate in heavily regulated industries, financial services and telecommunications respectively, where governance failures carry significant reputational and legal consequences. Their documented approaches suggest that a formalized two-tier structure is not just a compliance checkbox but a practical necessity for managing AI risk at scale.
What Are Regulators Watching For?
Compliance teams should be aware that regulators in the EU and Latin America have signaled increasing interest in using enterprise implementation evidence to inform guidance on what constitutes adequate governance structure. This means that organizations demonstrating governance architectures aligned with the multi-tiered committee model documented in the Banco Bradesco and TELUS case studies may face less scrutiny during regulatory reviews and audits.
The report also notes that enforcement actions and supervisory reviews in Brazil and Canada, where these two organizations operate, may increasingly reference governance architecture expectations that align with the documented model. In other words, regulators are moving beyond asking whether organizations have policies and are now asking whether they have the right structural mechanisms in place to enforce those policies.
Beyond the Banco Bradesco and TELUS case studies, other frameworks are emerging to help organizations build governance from the ground up. Bluewave Technology Group has published a phased 90-day implementation guide for enterprise AI governance programs, covering scope-setting, working group formation, AI use policy drafting, and AI system inventory in the first phase, followed by ownership structures, approval tollgates, observability, and security alignment in subsequent phases. This sequential approach is positioned as a practical starting point for organizations that have not yet formalized AI governance without overengineering early controls.
Protiviti has also released a comprehensive AI governance guide covering executive accountability, committee structures, and scalable AI model intake processes for enterprise organizations. The guide is aimed at US-based enterprises navigating the absence of a single prescriptive federal AI standard, synthesizing foundational governance practices into an FAQ-style reference for compliance and risk teams.
Why Does This Matter Now?
The timing of these case studies and implementation guides reflects a broader shift in how regulators and organizations think about AI risk. For years, the focus was on external regulation and compliance frameworks. But the Banco Bradesco and TELUS case studies suggest that internal governance structures may be equally important, if not more so. Organizations that can demonstrate they have formalized governance mechanisms in place, with clear decision rights, regular review cadences, and human-rights safeguards embedded throughout the AI lifecycle, are better positioned to navigate regulatory scrutiny and reduce deployment risk.
Compliance teams should monitor whether other major industry initiatives publish comparable case study reports, as this evidence base will likely inform how regulators define governance expectations in the coming months. The AI Company Data Initiative may release additional sector-specific case studies covering industries beyond financial services and telecommunications, which would allow compliance teams to benchmark against peers more precisely and understand how governance structures should adapt to different regulatory environments and business models.