Skip to content

A Responsible AI Framework for Leadership Development: The Governance Canvas

Ashish Manchanda
Ashish Manchanda 15 min read
A Responsible AI Framework for Leadership Development: The Governance Canvas

Ask most HR leaders what their AI governance policy covers and you’ll hear a familiar list: hiring tools, monitoring software, data handling, model risk. Ask whether it covers the manager who opened a chatbot last night to work out how to word a performance conversation, and the room tends to go quiet. That second thing is happening at scale, in every company, and almost no one is governing it.

This is the second piece in a series on AI governance for people management. The first established the premise: your managers are already being coached by AI on feedback, tough calls, and people decisions, whether or not you sanctioned it. This piece is about what to do with that fact, and it offers a working artifact rather than a policy memo or a ban. A way to govern the coaching conversation itself.

The governance gap no one is naming

When a manager asks a model how to handle an underperformer, that’s a leadership-development event, and it happens with no supervision at all. Someone with authority over another person’s livelihood is getting advice on how to use it, and acting on what comes back. We govern the tools that screen resumes and the software that watches keystrokes. We have almost nothing for the tool that shapes how a manager talks to a struggling report.

The trust data explains why this matters. In McKinsey’s Superagency in the Workplace research, 71% of employees said they trust their own employer to deploy AI responsibly, yet among the C-suite leaders who benchmark their AI, only 17% rank measuring fairness, bias, transparency, and privacy as a top priority. Read those two numbers together. People are extending trust to their organizations faster than the leaders deploying AI are building the safeguards that would justify it.

Support is thin even where it should run deepest. Gallup’s February 2026 research found that fewer than 1 in 3 employees strongly agree their manager actively supports their use of AI at work. If active support is that rare, deliberate governance of how managers themselves use AI on people is rarer still. The gap is simple to state: this coaching is happening everywhere, and there’s no structure around it.

Why this isn’t a security question

The reflex when unsanctioned AI use surfaces is to route it to the security team: lock down the data, block the domains, maybe run a detection sweep. That response answers a real question, just not this one. When a manager pastes three sentences about a struggling employee into a chatbot and acts on the reply, no data has necessarily leaked and no policy line has visibly been crossed.

What’s happened is that a person got coached on one of the most consequential moments of their job, invisibly, to a standard no one set. Security frameworks have no hook for that, because the risk lives somewhere they don’t look. It lives in a leadership-development activity that no one designed, running behind a chatbot interface. The World Economic Forum’s AI at Work 2026 report makes the same point at the enterprise level: trust and human oversight are what gate adoption, even where the technical capability is already there. The tools work. What’s missing is the governance that makes people comfortable relying on them.

Why the existing playbooks don’t fit

Search for guidance and you land in one of two camps, neither written with HR in mind. Together they explain why L&D leaders keep coming up empty.

The principle lists

The first camp is the HR-AI-ethics post: fairness, transparency, accountability, privacy, four or five words on a slide. The principles are correct and almost entirely unactionable. None of them tells a manager whether to run Thursday’s redirect conversation past a human first, or tells HR what to do when the same model hands four managers the identical performance-plan script. A principle you can’t apply to a specific coaching conversation stays a poster on the wall.

The compliance frameworks

The second camp is the enterprise governance stack: NIST’s AI Risk Management Framework, ISO/IEC 42001, the EU AI Act. These are serious documents, and they matter. They were built for model risk, security exposure, and legal classification, and they’re aimed at a CISO or a general counsel. Ask any of them whether a particular manager should have gotten AI help drafting a termination rationale, and they have nothing specific to offer. They govern the system. They don’t reach the conversation.

Both camps miss the same thing: the single activity happening at scale inside every organization right now, a manager being coached by AI on how to handle a person. That’s the space the Canvas governs.

Introducing the AI Governance Canvas for Leadership Development

The AI Governance Canvas for Leadership Development is built to be filled in. Print it, put it on a whiteboard, or project it in a meeting; whatever gets it in front of the people who have a stake in the answer, then work through it with them. It has eight dimensions, and each one is a question you answer for your own organization, in your own words, with a named owner.

It doesn’t replace the standards. NIST, ISO, and the EU AI Act still govern the model and the enterprise underneath it. The Canvas sits one layer up, at the point where a manager and an AI are talking about a real employee, which is exactly the layer none of those frameworks reaches.

The Canvas: 8 dimensions

Start with the whole picture. Each row is a dimension and the question it forces you to answer. The detail sits below, but this table is the artifact you can hand to a task force and start filling in.

DimensionThe governing question it forces you to answer
1. VisibilityWhat does the AI see about your people before it advises a manager?
2. Human OversightWhere must a human sign off before AI-shaped advice becomes a people decision?
3. TransparencyDo the coachee and HR know AI was involved in the advice a manager acted on?
4. Privacy TieringIs this self-directed development, or a decision that lands on someone else?
5. Coaching Quality and ConsistencyWhat does good advice look like here, and is the AI held to that bar?
6. AuditabilityCan you reconstruct what advice a manager received before they acted, for the decision-linked tier?
7. Memory and RetentionWhat does the AI remember, and for how long?
8. Vendor and Model AccountabilityWhen the vendor updates the model, would you know your coaching standard just shifted?

1. Visibility

Before an AI can advise a manager on how to handle someone, it needs context about that someone. What performance history, personal circumstances, review notes, or private detail does the manager paste in, and what does the model take in to shape its answer? This dimension governs the inputs, the raw material the AI sees about a real person who never agreed to be described to a machine. Decide what context is fair to feed it, and what should never leave the manager’s own head.

2. Human Oversight

Advice can be AI-assisted. The decision cannot be AI-made. This is the line between a manager using a model to think through a redirect conversation and a model effectively deciding that someone lands on a performance plan. Name the moments where a human has to sign off before AI-shaped advice becomes a real people action, a PIP, a promotion case, a termination, and make that sign-off explicit rather than assumed. This is the dimension with the most human weight, and it’s worth reading alongside where the line falls between AI and human coaching, because the two do genuinely different jobs.

3. Transparency

Does the person on the receiving end know that the feedback, the plan, or the phrasing came partly from a machine? Does HR? Transparency governs disclosure, whether AI involvement in a manager’s advice gets named or stays hidden. You don’t have to surface every prompt, but you do have to decide the threshold at which silence about AI’s role stops being reasonable, and who is responsible for naming it when it crosses that line.

4. Privacy Tiering

Here’s the axis no standard draws. A manager quietly working on their own listening habits is doing something categorically different from a manager using AI to build the case for someone’s dismissal. The first is self-directed development and should stay private, the way you’d never demand a transcript of someone’s coaching sessions or their notes from a leadership course. The second is decision-linked. It lands on another person, and HR has a legitimate interest in how it was reached.

Privacy Tiering asks you to sort every AI-assisted coaching interaction into one of those two buckets, because the rules that follow are opposite. Self-directed coaching stays private to the manager. Assigned or decision-linked coaching gives HR summaries and engagement signals, not transcripts. Get this sort right and half the other dimensions resolve themselves, because the tier tells you how much visibility is appropriate in the first place.

5. Coaching Quality and Consistency

Before you can judge whether AI coaching is any good, you have to define what good looks like for your managers. A report underperforms. A conflict flares. A promotion case sits on the edge. What should a manager actually do in each one? Set that bar, then ask whether the AI advice managers are already getting clears it or falls short. This is also where equity lives: check whether the model is giving systematically different advice about different people, because a coach that quietly varies its counsel depending on who’s being described has stopped being consistent and started being biased. For the fuller picture of what purpose-built AI coaching is meant to do, we’ve written it up separately.

6. Auditability

For the decision-linked tier, can you reconstruct what advice a manager received before they acted on it? That’s the whole ask. Self-directed sessions never enter this picture. What matters is a documentation habit, enough of a trail that a contested call can be explained months later, when the decision gets questioned and someone needs to know what informed it. The bar sits well short of a certification or a compliance department: a record of what got written down for the calls that touch someone’s job.

7. Memory and Retention

What does the AI remember about a manager’s development, and for how long? A coaching tool that holds context across months is more useful than one that forgets every session. But persistence is also a commitment. Decide how long a manager’s development history should live, when it gets deleted, and whether the manager has consented to it being kept at all. Make that call on purpose. Left alone, retention just becomes whatever default the tool a manager happened to open shipped with.

8. Vendor and Model Accountability

When the vendor quietly updates the model, would you know your coaching standard just shifted? Most teams wouldn’t. This is the dimension everyone forgets, because the tool looks identical the morning after an update while the advice it gives has moved underneath them. The coaching your managers relied on last quarter can change without notice, and if no one owns the question, no one notices until a manager acts on guidance you’d no longer endorse. Assign ownership of the coaching standard itself, so a change in the model triggers a review of whether the advice still meets your bar.

How to run your task force through the Canvas

The Canvas is meant to be worked through in a room, together. Put four people in that room: your HR or L&D lead, a manager who actually uses AI for people conversations, someone from Legal, and someone from IT. Go dimension by dimension, and for each one land on a single answer you can stand behind and a name who owns it. The output you want is one page per dimension, each carrying an answer the group agreed on out loud and the person accountable for it. That’s the whole deliverable, and no policy PDF is required to produce it.

Start with Privacy Tiering and Human Oversight. Those are the two dimensions with the least existing precedent to borrow from, the places where you can’t lift a standard off the shelf, and getting them right shapes how every other box gets answered. If the room can agree on which coaching is private and where a human must sign off, the rest of the Canvas becomes a series of smaller, easier calls.

Where the standards fit

You’ll notice these dimensions echo work that already exists, and they should. The NIST AI Risk Management Framework organizes AI governance into Govern, Map, Measure, and Manage, a useful shape for how a Canvas conversation gets structured. ISO/IEC 42001 sets out vendor and lifecycle oversight, which feeds straight into the Vendor and Model Accountability dimension. The OECD AI Principles put transparency and human oversight first among their commitments, which validates dimensions two and three. And the EU AI Act classifies employment and performance-monitoring AI as high-risk, with the compliance timeline still phasing in and recently pushed toward late 2027, though exact dates remain in flux.

These govern the model and the enterprise. The Canvas governs the coaching conversation. A company can be fully aligned with NIST and the EU AI Act at the model layer and still have no answer to whether a manager should have run that redirect past a human first. That’s the gap between the two, and it’s what the Canvas exists to close.

What this looks like in practice

None of this requires new software to begin; it requires HR and L&D to decide, out loud, what they want AI coaching to do and where the human stays in charge. A sanctioned coaching layer is one way to give managers a version they can point to instead of whatever model they reach for privately, which is the case we make for Risely’s AI coach, Merlin and lay out point by point in Risely versus ChatGPT for coaching. For the reader building the internal argument, the business case for leadership development is where the Canvas turns into a budget conversation. Decide what you’d endorse before you decide what you’d buy.

Frequently Asked Questions

What is a responsible AI framework for HR and L&D?

A responsible AI framework for HR and L&D governs how AI is used specifically in people development: coaching, feedback, and manager capability-building. It's distinct from AI governance for hiring, monitoring, or IT security risk, which existing frameworks already cover. The gap it fills is the coaching conversation itself, where a manager gets AI advice on how to handle a real person.

How do you govern AI coaching for managers?

You govern it by answering a short set of questions before the advice becomes action: what the AI sees about your people (Visibility), where a human must sign off before AI-shaped advice becomes a people decision (Human Oversight), whether the coachee and HR know AI was involved (Transparency), and what the AI remembers over time (Memory and Retention). Those four apply to every AI-assisted coaching interaction, and they're the spine of the Governance Canvas.

What should an AI coaching policy cover?

At a minimum: which coaching is self-directed versus decision-linked, what a human must approve before an AI-assisted recommendation becomes a formal action like a PIP or promotion, how coaching quality is defined and held to a bar, and who is accountable if the underlying model or vendor changes. A useful policy reads as one page of answered questions per dimension, not a long compliance document.

What's the difference between self-directed and assigned AI coaching for privacy?

Self-directed coaching, where a manager works on their own development, should stay private to that manager. Assigned or decision-linked coaching, tied to a formal people decision, should give HR visibility into summaries and engagement, not full transcripts. Sorting every coaching interaction into one of those two tiers is the Privacy Tiering dimension of the Canvas, and no existing standard draws that line.

Do NIST, ISO 42001, or the EU AI Act already cover this?

They govern the model and the enterprise: risk management (NIST AI RMF), vendor and lifecycle oversight (ISO/IEC 42001), and high-risk classification for employment-related AI (EU AI Act, with its timeline still phasing in). None of them governs the specific coaching conversation between a manager and an AI tool. That's the gap the Canvas fills, and it's why the two are complementary rather than competing.

Talk to Merlin

Get personalized coaching on the skills covered in this article — powered by AI that understands your context.

Try Merlin Free
Ashish Manchanda

Written by

Ashish Manchanda

MBA, HEC Paris. Founder & CEO, Risely. Former corporate strategist (Lafarge, Paris) and PE consultant.

Ashish wrote his first lines of code at Oracle, spent four years doing corporate strategy for Lafarge in Paris after an MBA at HEC, advised PE funds on where to put their money at Boston Analytics, and somewhere along the way noticed the same problem everywhere: companies invest millions in hiring great people and almost nothing in helping their managers lead them. He built Risely to fix that. Having personally coached over 300 managers and leaders, when he writes about leadership challenges, it comes from watching them play out across boardrooms in eight countries, engineering floors, coaching conversations, and his own startups.

Try Merlin Free Try Merlin Free