Proportionate by design: governing AI without the friction

Back in 2021, I wrote a series of weeknotes during my time at Homes England about how restrictive and slow governance can lead to shadow IT (when people adopt technology without the knowledge or approval of their digital teams). Fast forward five years, and we’re seeing a similar pattern repeat with AI. So what does proportionate AI governance look like? And how can governance enable innovation projects in government?

Shadow IT: a symptom, not the cause

It was the height of lockdown; digital tools had become accessible enough that colleagues across the department were installing their own software, commissioning their own builds and standing up their own solutions, outside the formal governance routes.
At the time, I argued that this was a symptom rather than the cause. It was that our own governance processes, including the digital front door and the Discovery, Alpha, Beta phases, were moving at a pace that put colleagues off, so they found their own way around it by using low-code solutions. The answer was lean assurance and clear architectural guardrails that let people move quickly within safe boundaries.
This behaviour is rearing its head once again with AI, but the stakes are higher. When governance isn’t right, it can slow people down or encourage them to find ways around it. What’s changed is what they can now build. The instinct to find a workaround for slow governance is the same. The potential impact is not.
This post is about a less obvious version of that problem. We tend to assume that more governance means more safety, so when AI raises the stakes, we just add more layers, and the layers themselves carry a cost that is easy to miss. Past a certain point, they can make the work less safe, not more.

The burden of layers

As many civil servants will know, capacity is not easy to come by. Layers of governance consume the attention of those who understand the model, data, service, and the users it affects. A team preparing for multiple gates spends a lot of time writing business cases, reporting packs and board papers.
The effort required is not insignificant. Every hour spent satisfying a gate is an hour not spent on the important work: testing the model on real cases, checking how it behaves for the groups most likely to be harmed, and monitoring it once it is live. The assurance work and the delivery work draw on the same limited pool of expert time, and the paperwork usually wins, because it has a deadline and a board attached to it.
In a recent survey we ran with government Deputy Directors, we had expected reputational risk to be the key factor slowing down innovation projects. In fact, respondents ranked governance processes as the single biggest barrier to greater AI use.

The gap between guidance and reality

This is, in fact, what the Government AI Playbook asks for. It sets out ten principles, and a single instruction runs through all of them: controls should scale with risk. Light-touch assurance for low-risk uses, heavier assurance for the consequential ones. At the heart of this is proportionality, and the reason for it is precisely the one above.
The difficulty is the gap between what the guidance asks for and what happens in practice. Across government right now, viable AI use cases are getting stuck in the gates and processes: spend controls, service assessments, departmental assurance boards, programme governance reviews, etc. A low-risk productivity tool can end up consuming the same effort as a citizen-facing advisory service, which means the effort that should have gone to the risky case was spent on the safe one instead.
This is a familiar story from the digital transformation era. Strategy moved at one pace, delivery at another, and governance sat between them, adding cost. The GOV.UK Service Manual sets out what good governance does: it stays simple and supportive, trusts individuals, and gives decision-making authority to teams so they can focus on delivering.
The framework was right for the problem it was built for. Spend Controls, Service Assessments, the Service Standard and the Technology Code of Practice professionalised digital delivery over the past 15 years. They suited transactional digital services delivered in a relatively repeatable pattern you could specify up front.
But these gates add layers which overlap. A team can find itself clearing Spend Controls, a programme board, a data protection review and a Service Assessment, each owned by a different function, each asking overlapping questions, without much visibility of the others. This is where the capacity drain is strongest. Evidence is repackaged repeatedly, and multiple rounds of expert attention are devoted to the path through the gates rather than to the service itself.

What proportionate AI governance looks like

Fixing this means pointing assurance efforts at the right things, which means redesigning specific gates to fit the work, the way the Service Standard was a redesign for digital services.
The Playbook describes a number of risk tiers, with the appropriate level of assurance for each.
  1. Lower risk, such as internal productivity tools and drafting assistance, needs lightweight documentation, standard information security controls and clear guidance on the limitations.
  2. Medium risk, such as decision support for caseworkers and triage, needs a Data Protection Impact Assessment, a bias assessment, defined human review points and audit logging.
  3. Higher risk, such as automated decisions affecting individuals and citizen-facing agents, needs the full treatment: a complete impact assessment, independent review, continuous monitoring and senior accountability.
Underpinning this should be a multidisciplinary team of senior leaders who provide one coherent assurance route rather than five overlapping ones, with the relevant functions in the room together.

A new approach: Test and Learn

If the problem is that limited assurance effort is being spent in the wrong places, the answer is not to abandon assurance. It is to concentrate it on the projects with the highest associated risk.
Test and Learn is becoming a recognised way of working across central and local government and was formally published as an annex to the Magenta Book in May 2026.
Policies have traditionally been designed in detail before implementation, with evaluation arriving after substantial investment, by which point it is costly to discover an assumption was wrong. Test and Learn tests the riskiest assumptions early, through small, real-world experiments, learns from what happens, and adjusts before committing to a large-scale rollout and formal evaluation.
Test and Learn organises work into four connected stages: Explore, Co-design, Test and Grow, supported throughout by adaptive governance and multidisciplinary teams. Lightweight methods are used to assess feasibility early, and formal evaluation is reserved for when the design is stable.
This maps well to innovation delivery, such as AI. You do not need a complete business case to begin. You need a clear outcome, an honest list of your riskiest assumptions, and a small, controlled way to test them. For an AI use case, the riskiest assumptions are usually familiar: whether the model is accurate enough on real cases, whether staff trust it and use it as intended, whether it behaves acceptably for the groups most likely to be harmed, and whether it holds up in production rather than in the demo.
The critical part is in setting decision criteria before you test, documenting what you change, and being willing to stop a promising idea that does not work. Done that way, Test and Learn is the bridge between an early AI idea and a prototype you can trust. It’s a better route than making every team go through the same heavy process.

What leaders need to do

So how can you move the effort to where it matters?
Audit where the effort goes: Take a handful of AI use cases and, for each, look at where your team’s assurance effort was spent. How much of it reached the service, and how much went on the path through the gates? The answer tells you which assurance process is draining the most effort, and which to fix first.
Fix the gates you own: You may not own Spend Controls or the Service Standard, but you almost certainly own something: a board you chair, a sign-off you can simplify, a business case template you can rewrite, a risk threshold you set. Identify the smallest change to a gate you control that would unlock the most bogged-down team and make it better.
Adopt a Test and Learn approach to AI: Give teams a recognised, proportionate path from idea to scale, using the Test and Learn stages rather than requiring full certainty in the business case. Agree on the riskiest assumptions and the decision criteria up front, test them on a small scale, and reserve formal evaluation for the point at which the design is stable. This is governance that the government already endorses, so you are adapting existing guidance rather than inventing your own.

The next step in governance excellence

None of this is new. It builds on what the government has been getting better at for a decade through the DDaT function and the Service Standard. The leaders who want to move fastest on AI will treat this governance conundrum with the seriousness it deserves.

Rumman Amin

Delivery Principal

30 June 2026