Ask most HR leaders what their AI governance policy covers and you’ll hear a familiar list: hiring tools, monitoring software, data handling, model risk. Ask whether it covers the manager who opened a chatbot last night to work out how to word a performance conversation, and the room tends to go quiet. That second thing is happening at scale, in every company, and almost no one is governing it.
This is the second piece in a series on AI governance for people management. The first established the premise: your managers are already being coached by AI on feedback, tough calls, and people decisions, whether or not you sanctioned it. This piece is about what to do with that fact, and it offers a working artifact rather than a policy memo or a ban. A way to govern the coaching conversation itself.
The governance gap no one is naming
When a manager asks a model how to handle an underperformer, that’s a leadership-development event, and it happens with no supervision at all. Someone with authority over another person’s livelihood is getting advice on how to use it, and acting on what comes back. We govern the tools that screen resumes and the software that watches keystrokes. We have almost nothing for the tool that shapes how a manager talks to a struggling report.
The trust data explains why this matters. In McKinsey’s Superagency in the Workplace research, 71% of employees said they trust their own employer to deploy AI responsibly, yet among the C-suite leaders who benchmark their AI, only 17% rank measuring fairness, bias, transparency, and privacy as a top priority. Read those two numbers together. People are extending trust to their organizations faster than the leaders deploying AI are building the safeguards that would justify it.
Support is thin even where it should run deepest. Gallup’s February 2026 research found that fewer than 1 in 3 employees strongly agree their manager actively supports their use of AI at work. If active support is that rare, deliberate governance of how managers themselves use AI on people is rarer still. The gap is simple to state: this coaching is happening everywhere, and there’s no structure around it.
Why this isn’t a security question
The reflex when unsanctioned AI use surfaces is to route it to the security team: lock down the data, block the domains, maybe run a detection sweep. That response answers a real question, just not this one. When a manager pastes three sentences about a struggling employee into a chatbot and acts on the reply, no data has necessarily leaked and no policy line has visibly been crossed.
What’s happened is that a person got coached on one of the most consequential moments of their job, invisibly, to a standard no one set. Security frameworks have no hook for that, because the risk lives somewhere they don’t look. It lives in a leadership-development activity that no one designed, running behind a chatbot interface. The World Economic Forum’s AI at Work 2026 report makes the same point at the enterprise level: trust and human oversight are what gate adoption, even where the technical capability is already there. The tools work. What’s missing is the governance that makes people comfortable relying on them.
Why the existing playbooks don’t fit
Search for guidance and you land in one of two camps, neither written with HR in mind. Together they explain why L&D leaders keep coming up empty.
The principle lists
The first camp is the HR-AI-ethics post: fairness, transparency, accountability, privacy, four or five words on a slide. The principles are correct and almost entirely unactionable. None of them tells a manager whether to run Thursday’s redirect conversation past a human first, or tells HR what to do when the same model hands four managers the identical performance-plan script. A principle you can’t apply to a specific coaching conversation stays a poster on the wall.
The compliance frameworks
The second camp is the enterprise governance stack: NIST’s AI Risk Management Framework, ISO/IEC 42001, the EU AI Act. These are serious documents, and they matter. They were built for model risk, security exposure, and legal classification, and they’re aimed at a CISO or a general counsel. Ask any of them whether a particular manager should have gotten AI help drafting a termination rationale, and they have nothing specific to offer. They govern the system. They don’t reach the conversation.
Both camps miss the same thing: the single activity happening at scale inside every organization right now, a manager being coached by AI on how to handle a person. That’s the space the Canvas governs.
Introducing the AI Governance Canvas for Leadership Development
The AI Governance Canvas for Leadership Development is built to be filled in. Print it, put it on a whiteboard, or project it in a meeting; whatever gets it in front of the people who have a stake in the answer, then work through it with them. It has eight dimensions, and each one is a question you answer for your own organization, in your own words, with a named owner.
It doesn’t replace the standards. NIST, ISO, and the EU AI Act still govern the model and the enterprise underneath it. The Canvas sits one layer up, at the point where a manager and an AI are talking about a real employee, which is exactly the layer none of those frameworks reaches.
The Canvas: 8 dimensions
Start with the whole picture. Each row is a dimension and the question it forces you to answer. The detail sits below, but this table is the artifact you can hand to a task force and start filling in.
| Dimension | The governing question it forces you to answer |
|---|---|
| 1. Visibility | What does the AI see about your people before it advises a manager? |
| 2. Human Oversight | Where must a human sign off before AI-shaped advice becomes a people decision? |
| 3. Transparency | Do the coachee and HR know AI was involved in the advice a manager acted on? |
| 4. Privacy Tiering | Is this self-directed development, or a decision that lands on someone else? |
| 5. Coaching Quality and Consistency | What does good advice look like here, and is the AI held to that bar? |
| 6. Auditability | Can you reconstruct what advice a manager received before they acted, for the decision-linked tier? |
| 7. Memory and Retention | What does the AI remember, and for how long? |
| 8. Vendor and Model Accountability | When the vendor updates the model, would you know your coaching standard just shifted? |
1. Visibility
Before an AI can advise a manager on how to handle someone, it needs context about that someone. What performance history, personal circumstances, review notes, or private detail does the manager paste in, and what does the model take in to shape its answer? This dimension governs the inputs, the raw material the AI sees about a real person who never agreed to be described to a machine. Decide what context is fair to feed it, and what should never leave the manager’s own head.
2. Human Oversight
Advice can be AI-assisted. The decision cannot be AI-made. This is the line between a manager using a model to think through a redirect conversation and a model effectively deciding that someone lands on a performance plan. Name the moments where a human has to sign off before AI-shaped advice becomes a real people action, a PIP, a promotion case, a termination, and make that sign-off explicit rather than assumed. This is the dimension with the most human weight, and it’s worth reading alongside where the line falls between AI and human coaching, because the two do genuinely different jobs.
3. Transparency
Does the person on the receiving end know that the feedback, the plan, or the phrasing came partly from a machine? Does HR? Transparency governs disclosure, whether AI involvement in a manager’s advice gets named or stays hidden. You don’t have to surface every prompt, but you do have to decide the threshold at which silence about AI’s role stops being reasonable, and who is responsible for naming it when it crosses that line.
4. Privacy Tiering
Here’s the axis no standard draws. A manager quietly working on their own listening habits is doing something categorically different from a manager using AI to build the case for someone’s dismissal. The first is self-directed development and should stay private, the way you’d never demand a transcript of someone’s coaching sessions or their notes from a leadership course. The second is decision-linked. It lands on another person, and HR has a legitimate interest in how it was reached.
Privacy Tiering asks you to sort every AI-assisted coaching interaction into one of those two buckets, because the rules that follow are opposite. Self-directed coaching stays private to the manager. Assigned or decision-linked coaching gives HR summaries and engagement signals, not transcripts. Get this sort right and half the other dimensions resolve themselves, because the tier tells you how much visibility is appropriate in the first place.
5. Coaching Quality and Consistency
Before you can judge whether AI coaching is any good, you have to define what good looks like for your managers. A report underperforms. A conflict flares. A promotion case sits on the edge. What should a manager actually do in each one? Set that bar, then ask whether the AI advice managers are already getting clears it or falls short. This is also where equity lives: check whether the model is giving systematically different advice about different people, because a coach that quietly varies its counsel depending on who’s being described has stopped being consistent and started being biased. For the fuller picture of what purpose-built AI coaching is meant to do, we’ve written it up separately.
6. Auditability
For the decision-linked tier, can you reconstruct what advice a manager received before they acted on it? That’s the whole ask. Self-directed sessions never enter this picture. What matters is a documentation habit, enough of a trail that a contested call can be explained months later, when the decision gets questioned and someone needs to know what informed it. The bar sits well short of a certification or a compliance department: a record of what got written down for the calls that touch someone’s job.
7. Memory and Retention
What does the AI remember about a manager’s development, and for how long? A coaching tool that holds context across months is more useful than one that forgets every session. But persistence is also a commitment. Decide how long a manager’s development history should live, when it gets deleted, and whether the manager has consented to it being kept at all. Make that call on purpose. Left alone, retention just becomes whatever default the tool a manager happened to open shipped with.
8. Vendor and Model Accountability
When the vendor quietly updates the model, would you know your coaching standard just shifted? Most teams wouldn’t. This is the dimension everyone forgets, because the tool looks identical the morning after an update while the advice it gives has moved underneath them. The coaching your managers relied on last quarter can change without notice, and if no one owns the question, no one notices until a manager acts on guidance you’d no longer endorse. Assign ownership of the coaching standard itself, so a change in the model triggers a review of whether the advice still meets your bar.
How to run your task force through the Canvas
The Canvas is meant to be worked through in a room, together. Put four people in that room: your HR or L&D lead, a manager who actually uses AI for people conversations, someone from Legal, and someone from IT. Go dimension by dimension, and for each one land on a single answer you can stand behind and a name who owns it. The output you want is one page per dimension, each carrying an answer the group agreed on out loud and the person accountable for it. That’s the whole deliverable, and no policy PDF is required to produce it.
Start with Privacy Tiering and Human Oversight. Those are the two dimensions with the least existing precedent to borrow from, the places where you can’t lift a standard off the shelf, and getting them right shapes how every other box gets answered. If the room can agree on which coaching is private and where a human must sign off, the rest of the Canvas becomes a series of smaller, easier calls.
Where the standards fit
You’ll notice these dimensions echo work that already exists, and they should. The NIST AI Risk Management Framework organizes AI governance into Govern, Map, Measure, and Manage, a useful shape for how a Canvas conversation gets structured. ISO/IEC 42001 sets out vendor and lifecycle oversight, which feeds straight into the Vendor and Model Accountability dimension. The OECD AI Principles put transparency and human oversight first among their commitments, which validates dimensions two and three. And the EU AI Act classifies employment and performance-monitoring AI as high-risk, with the compliance timeline still phasing in and recently pushed toward late 2027, though exact dates remain in flux.
These govern the model and the enterprise. The Canvas governs the coaching conversation. A company can be fully aligned with NIST and the EU AI Act at the model layer and still have no answer to whether a manager should have run that redirect past a human first. That’s the gap between the two, and it’s what the Canvas exists to close.
What this looks like in practice
None of this requires new software to begin; it requires HR and L&D to decide, out loud, what they want AI coaching to do and where the human stays in charge. A sanctioned coaching layer is one way to give managers a version they can point to instead of whatever model they reach for privately, which is the case we make for Risely’s AI coach, Merlin and lay out point by point in Risely versus ChatGPT for coaching. For the reader building the internal argument, the business case for leadership development is where the Canvas turns into a budget conversation. Decide what you’d endorse before you decide what you’d buy.
