Welcome to the Novantra documentation.

AI Governance

The AI Governance suite is how Novantra lets your organization use AI deliberately rather than accidentally. It is the layer where AI capabilities are registered, authorized, constrained, and audited. Every AI use is bounded by an authorization and produces evidence.

This section is separate from the rest of the governance modules because AI governance is its own concern with its own primitives. Where Controls and Risks govern operational and security posture, AI Governance governs the use of AI itself: what AI systems your organization runs, who can invoke them, what they’re allowed to do, and what trail they leave.

The shape of AI governance in Novantra

| Module | What it owns |
| --- | --- |
| AI Systems | The registry of AI capabilities your organization has registered: the in-product Copilot, Document Intelligence, any third-party AI assistants. |
| Use Authorizations | Who is authorized to use which AI system for what purpose. Without an authorization, the system cannot be invoked. |
| AI Providers | The upstream AI providers (model vendors, hosted-AI services) the workspace is connected to. Connection lifecycle, credentials, rotation. |
| Governance Copilot | The in-product Copilot for governance work: drafting, summarizing, analyzing. With profiles that scope what it does. |
| Document Intelligence | Document understanding (OCR, classification, extraction) for documents in the workspace. With profiles per document type. |
| Action Policies | What AI is allowed to do: which actions it can suggest, which it can perform autonomously, which require human approval. |
| Runs & Evidence | The audit trail. Every AI run, every suggestion, every applied change, every reviewer decision is recorded as evidence. |

The customer’s mental model

Three things matter most:

  1. Authorization gates use. An AI system that’s registered but not authorized for a specific person and purpose cannot be invoked by that person for that purpose. Authorizations are explicit and audited.
  2. Actions are governed. Every action the AI is allowed to take is described by an action descriptor and gated by an action policy. The set of actions is finite, known, and reviewable.
  3. Every AI activity leaves evidence. The run, the inputs, the model output, the suggestions, the human decisions, the eventual applied changes — all captured as audit-grade records that feed back into the rest of the governance program.

Together, these three properties make AI use demonstrable. Not just “we use AI”; “here is what we use it for, here is who’s authorized, here is what it produced, here is who reviewed it.”

Where AI fits in the rest of governance

AI activity touches the rest of the governance program:

  • Findings raised by AI surface in Findings.
  • Risks identified through AI analysis can land in Risks.
  • Evidence claims generated or supported by AI live in Evidence.
  • Document Intelligence outputs feed Document Governance.
  • AI provider connections that go down are surfaced through Monitoring and may create Incidents.

AI Governance doesn’t sit in a corner. It’s the discipline around an interface layer between machines that do work and humans that govern that work.

Cloud and Sovereign

Both deployments support the AI Governance suite. The difference:

  • Cloud customers can choose Novantra-managed AI provider connections or bring their own.
  • Sovereign installs run AI provider connections entirely on the customer side. The AI activity itself happens on the provider; what stays in the workspace is the governance evidence.

Either way, the workspace never holds raw provider credentials in plaintext; they live in the install’s key management layer.

Where to start

If your organization is rolling out AI Governance for the first time:

  1. Register your providers through AI Providers so the workspace can talk to them.
  2. Register the AI systems you intend to run through AI Systems.
  3. Define authorizations through Use Authorizations so members can actually invoke them.
  4. Pick your action policies through Action Policies — start restrictive; widen as trust grows.
  5. Configure the Copilot and Document Intelligence profiles through Governance Copilot and Document Intelligence.
  6. Review the audit trail through Runs & Evidence as activity flows.

The defaults are deliberately conservative. New AI systems can’t be used until they’re authorized. New actions can’t fire until an action policy covers them. New providers can’t serve until they’re validated and activated.
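The deny-by-default ordering described above (registered system, then authorization for a person and purpose, then action policy, with every decision recorded) can be modelled as follows. This is an added illustration, not Novantra code or its API: the `Gate` class, the decision strings and the hash-chained evidence list are all assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Action policy modes mirroring the page's three tiers (names are hypothetical).
SUGGEST, AUTONOMOUS, APPROVAL = "suggest", "autonomous", "requires_approval"

def _digest(prev, event):
    # Hash of the previous record's hash plus this event, canonically serialized.
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

@dataclass
class Gate:
    systems: set = field(default_factory=set)         # registered AI systems
    authorizations: set = field(default_factory=set)  # (member, system, purpose)
    policies: dict = field(default_factory=dict)      # (system, action) -> mode
    evidence: list = field(default_factory=list)      # append-only, hash-chained

    def _record(self, **event):
        # Denials are evidence too; chaining makes later edits detectable.
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        self.evidence.append({**event, "prev": prev, "hash": _digest(prev, event)})
        return event["decision"]

    def invoke(self, member, system, purpose, action, approved_by=None):
        ctx = dict(member=member, system=system, purpose=purpose, action=action)
        if system not in self.systems:
            return self._record(**ctx, decision="deny:unregistered_system")
        if (member, system, purpose) not in self.authorizations:
            return self._record(**ctx, decision="deny:no_authorization")
        mode = self.policies.get((system, action))    # no policy means no action
        if mode is None:
            return self._record(**ctx, decision="deny:no_policy")
        if mode == SUGGEST:
            return self._record(**ctx, decision="allow:suggest_only")
        if mode == APPROVAL and approved_by is None:
            return self._record(**ctx, decision="pending:human_approval")
        return self._record(**ctx, approved_by=approved_by, decision="allow:perform")

    def verify_chain(self):
        # Recompute every link; any altered or removed record breaks the chain.
        prev = "0" * 64
        for rec in self.evidence:
            event = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["prev"] != prev or rec["hash"] != _digest(prev, event):
                return False
            prev = rec["hash"]
        return True
```
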
