APMG AI Project Governance Framework (AIPGF) Foundation Quick Reference

Compact AIPGF Foundation reference for AI project governance lifecycle, roles, artifacts, risks, controls, and scenario decisions.

Exam Orientation

This independent Quick Reference supports candidates preparing for the APMG International APMG AI Project Governance Framework (AIPGF) Foundation exam, code AIPGF Foundation. Use it to revise how AI projects should be governed, not just how AI models are built.

Foundation-level questions usually reward the answer that:

  • Protects business value, accountability, and stakeholder trust.
  • Uses evidence, risk assessment, and governance controls before action.
  • Recognizes that AI outputs are probabilistic and data-dependent.
  • Escalates significant ethical, legal, security, safety, or reputational concerns.
  • Maintains human accountability even when AI supports decisions.

Core AIPGF Exam Lens

| Concept | What to remember for the exam | Common trap |
|---|---|---|
| AI project governance | Direction, oversight, decision rights, assurance, and control for AI-enabled initiatives | Treating governance as only documentation or approval bureaucracy |
| AI project management | Day-to-day planning, delivery, coordination, issue management, and reporting | Confusing project manager authority with governance board accountability |
| Responsible AI | Practices that address fairness, transparency, accountability, safety, privacy, and human impact | Assuming a technically accurate model is automatically responsible |
| Assurance | Independent or objective confidence that controls, evidence, and decisions are adequate | Leaving assurance until the end of the project |
| Human oversight | Defined human review, intervention, appeal, and accountability mechanisms | Saying “the AI decided” as if accountability moved to the system |
| Data governance | Ownership, quality, provenance, access, retention, and permitted use of data | Starting model development with unclear data rights or quality |
| Model governance | Control of model design, validation, approval, deployment, monitoring, change, and retirement | Treating the model as a one-time deliverable |
| Benefits governance | Ensuring AI use remains aligned to expected value and measurable outcomes | Optimizing technical metrics while business benefits disappear |

AI Projects vs Conventional IT Projects

| Area | Conventional project emphasis | AI project governance emphasis |
|---|---|---|
| Requirements | Often definable upfront | May evolve through experimentation and data discovery |
| Outputs | Usually deterministic if coded correctly | Probabilistic, confidence-based, and error-prone |
| Main dependency | Software design and build | Data suitability, model behavior, context, and monitoring |
| Testing | Functional and non-functional testing | Also bias, drift, explainability, robustness, safety, and misuse testing |
| Change | Requirements, scope, design, configuration | Also data changes, model retraining, thresholds, prompts, features, and operating context |
| Acceptance | Meets specified requirements | Meets business, risk, ethical, performance, and oversight criteria |
| Operation | Stable once deployed, subject to support | Needs ongoing monitoring for drift, degradation, and unintended consequences |
| Accountability | Usually clear through system ownership | Must remain explicit despite automated or AI-assisted decisions |

Governance Lifecycle Reference

Use this lifecycle map to reason through AIPGF Foundation scenarios. The exam is likely to ask what should happen next, which artifact is most relevant, or which governance control is missing.

    flowchart LR
        A[Idea or AI opportunity] --> B[Initial governance screening]
        B --> C[Business case and risk profile]
        C --> D[Data readiness and feasibility]
        D --> E[Design and build]
        E --> F[Validation and assurance]
        F --> G[Approval to deploy]
        G --> H[Operate and monitor]
        H --> I[Change, retrain, or retire]
        H --> C

| Lifecycle point | Governance question | Key evidence | Typical decision |
|---|---|---|---|
| Idea / opportunity | Is AI appropriate for the problem? | Problem statement, expected value, alternatives, affected stakeholders | Proceed to assessment, refine, or reject |
| Initial screening | Is this use high impact, sensitive, or risky? | Risk triage, stakeholder impact, data sensitivity, regulatory context | Set governance level and escalation route |
| Business case | Is the value worth the risk and cost? | Benefits case, costs, assumptions, risk appetite, success measures | Approve discovery or request more evidence |
| Data readiness | Is data lawful, relevant, representative, and usable? | Data provenance, quality assessment, access controls, permitted use | Approve data use, remediate, or stop |
| Feasibility | Can AI meet the required performance and control needs? | Prototype results, constraints, explainability needs, operating context | Continue, change approach, or abandon AI option |
| Design / build | Are controls built into the solution? | Architecture, model approach, human oversight, security, logging | Continue with controlled development |
| Validation | Does the solution meet acceptance and risk criteria? | Test results, bias checks, validation report, assurance findings | Approve, remediate, or reject |
| Deployment approval | Is operational ownership ready? | Runbook, monitoring plan, rollback plan, training, support model | Go live, defer, or pilot only |
| Operation | Is the AI still safe, useful, and controlled? | Monitoring results, incidents, drift indicators, benefit tracking | Continue, adjust, retrain, suspend |
| Retirement | Should the AI be decommissioned? | Obsolescence, unacceptable risk, replaced process, benefits review | Retire, archive evidence, update controls |

Governance Roles and Accountability

Role names can vary by organization. For exam scenarios, focus on accountability, decision rights, and independence.

| Role / body | Primary governance responsibility | Should not be confused with |
|---|---|---|
| Sponsor | Owns the business justification, funding, and senior commitment | The technical model owner |
| Governance board / steering group | Makes or endorses major decisions, monitors risk and value, resolves escalations | The delivery team doing the work |
| Project manager | Plans and controls delivery, coordinates stakeholders, manages issues and risks | Final owner of all AI ethical or business risk |
| Business owner / product owner | Defines business need, value, acceptance criteria, and operational fit | Data scientist optimizing only model performance |
| Data owner | Authorizes data use, ensures data responsibilities are clear | Data engineer who only prepares pipelines |
| Data steward | Manages data quality, definitions, lineage, and stewardship activities | Sponsor or project manager |
| AI / ML lead | Leads model approach, experimentation, performance evaluation, technical feasibility | Independent assurance function |
| Responsible AI / ethics lead | Advises on fairness, transparency, accountability, and human impact | A substitute for sponsor accountability |
| Risk / compliance / legal specialists | Advise on obligations, risk exposure, controls, and escalation | Delivery resources who accept project risk alone |
| Security / privacy specialists | Assess confidentiality, access, threat, privacy, and misuse controls | General IT support |
| Assurance / audit reviewer | Provides objective review of governance evidence and controls | The team marking its own work without independence |
| Model owner in operation | Owns model performance, monitoring, change, and retirement after go-live | Original project team after closure |
| End users / SMEs | Validate operational practicality, user impact, and decision workflow | Passive recipients of the solution |

Accountability Rules to Remember

| Scenario | Best governance interpretation |
|---|---|
| AI recommends a decision but a human approves it | The human and organization remain accountable; oversight must be meaningful |
| Vendor supplies the AI model | The adopting organization still needs governance, assurance, and risk ownership |
| Model is highly accurate in testing | Approval still needs business, ethical, operational, and monitoring evidence |
| Data is available but provenance is unclear | Do not assume it can be used; investigate ownership, permission, quality, and risk |
| Project team wants to bypass review to meet deadline | Governance should protect value and trust; escalate material risk |

Key Artifacts and When to Use Them

| Artifact | Purpose | High-yield exam cue |
|---|---|---|
| AI opportunity statement | Defines the problem, expected outcome, and why AI may help | “What problem are we solving?” |
| Business case | Justifies investment, benefits, options, risk, and affordability | “Should this initiative proceed?” |
| Governance plan | Defines decision points, roles, escalation, assurance, and reporting | “Who approves and controls what?” |
| Stakeholder map | Identifies affected groups, influence, concerns, and engagement needs | “Users or impacted parties were not consulted” |
| Risk register | Records AI, project, operational, ethical, security, and compliance risks | “A risk has been identified and needs ownership” |
| Data management plan | Defines data sources, quality, ownership, access, retention, and controls | “Data is central to feasibility” |
| Data quality assessment | Assesses completeness, accuracy, representativeness, timeliness, and bias | “Model results may reflect poor data” |
| Data provenance / lineage record | Shows origin, transformations, and permitted use | “Where did this data come from?” |
| Model design record | Captures selected approach, assumptions, features, constraints, and rationale | “Why was this model approach chosen?” |
| Model card or equivalent summary | Summarizes intended use, limitations, performance, risks, and monitoring | “Users need to understand model limits” |
| Validation report | Shows testing against acceptance, risk, and performance criteria | “Can this be approved?” |
| Bias / fairness assessment | Examines disparate impact or unfair outcomes for affected groups | “Some groups may be disadvantaged” |
| Explainability assessment | Determines whether outputs can be understood sufficiently for the use case | “Decision makers need reasons, not just scores” |
| Human oversight plan | Defines review, intervention, appeal, and override mechanisms | “Humans need to remain in control” |
| Security assessment | Identifies threats, vulnerabilities, access controls, and misuse scenarios | “Could the model or data be attacked?” |
| Deployment plan | Defines release approach, readiness, training, support, and communication | “Move from project to operation” |
| Rollback / contingency plan | Defines how to suspend or revert if unacceptable behavior occurs | “What if the model causes harm?” |
| Monitoring plan | Defines metrics, thresholds, drift checks, incidents, and review cadence | “How do we know it remains fit?” |
| Change control record | Controls changes to model, data, prompts, thresholds, integrations, or use | “Something material is changing” |
| Benefits realization plan | Tracks expected value after delivery | “Did the AI produce the intended benefit?” |
| Lessons learned | Captures governance, technical, and stakeholder learning | “Improve future AI projects” |

AI Risk and Control Matrix

| Risk area | Example risk | Governance controls |
|---|---|---|
| Strategic misalignment | AI is used because it is fashionable, not because it solves a business problem | Clear problem statement, options analysis, business case challenge |
| Value uncertainty | Benefits cannot be measured or are based on unrealistic assumptions | Benefits map, measurable outcomes, staged funding, review gates |
| Data quality | Incomplete, inaccurate, stale, or inconsistent data weakens outputs | Data profiling, cleansing plan, data owner sign-off |
| Data representativeness | Training data does not reflect the population or operating context | Sampling review, bias analysis, SME validation |
| Data provenance | Unknown source, unclear permission, or untrusted lineage | Provenance records, permitted-use checks, access approvals |
| Privacy / confidentiality | Sensitive data is exposed or used beyond approved purpose | Privacy review where applicable, minimization, masking, access control |
| Bias / unfairness | Outcomes disadvantage individuals or groups | Fairness assessment, diverse validation, human review, appeal process |
| Lack of explainability | Users cannot understand or challenge AI-supported decisions | Explainability requirements, model summaries, reason codes, user guidance |
| Automation bias | Users over-trust AI output | Training, confidence indicators, human challenge process |
| Model drift | Performance degrades as data or environment changes | Monitoring thresholds, drift detection, retraining criteria |
| Concept drift | The meaning of the prediction target changes over time | Periodic business review, SME review, recalibration |
| Security threat | Model, data, prompts, or APIs are attacked or misused | Threat assessment, access control, logging, adversarial testing |
| Generative AI hallucination | AI produces plausible but false content | Source verification, human review, restricted use cases, output warnings |
| Inappropriate autonomy | AI takes action without sufficient human control | Decision authority matrix, manual approval, kill switch |
| Vendor dependency | Third-party AI limits transparency, portability, or assurance | Supplier due diligence, contractual controls, exit plan |
| Operational readiness | Support team cannot maintain or monitor the AI service | Runbooks, ownership transfer, training, support model |
| Reputational harm | AI decision causes loss of trust | Stakeholder engagement, communications plan, escalation protocol |
| Uncontrolled change | Model is retrained or tuned without approval | Model change control, versioning, audit trail |
| Decommissioning gap | Retired AI leaves unmanaged data, access, or decisions | Retirement plan, archive evidence, revoke access, update processes |

Decision Tables: What Should Happen Next?

Project Start and Feasibility

| Situation in a question | Best next action | Why |
|---|---|---|
| Business wants AI but problem is vague | Clarify problem, outcomes, and alternatives | Governance starts with purpose, not technology |
| AI is proposed for a sensitive decision | Perform impact and risk assessment; set stronger governance | Higher impact needs stronger oversight |
| Data availability is unknown | Assess data sources, ownership, quality, and permitted use | AI feasibility depends on data |
| Prototype looks promising but uses unapproved data | Pause or constrain use until data approval is resolved | Good results do not override governance |
| Benefits are unclear | Strengthen business case and measurable benefits | Project should not proceed on novelty alone |
| Stakeholders may be harmed by errors | Define oversight, appeal, safeguards, and acceptance thresholds | Harm potential changes governance requirements |

Delivery and Validation

| Situation in a question | Best next action | Why |
|---|---|---|
| Accuracy is below acceptance threshold | Investigate data, model, features, and criteria before deployment | Do not approve unfit performance |
| Accuracy is high but bias concerns exist | Perform fairness and impact assessment | Overall performance may hide group-level harm |
| Team wants to skip validation to meet deadline | Escalate risk; maintain validation gate | Governance protects value and accountability |
| Model is hard to explain but affects important decisions | Assess explainability needs and add human oversight or change approach | Explainability requirement depends on use and impact |
| Scope changes to a new user group | Reassess data representativeness, risks, and acceptance criteria | New context can change model behavior |
| Supplier claims model is proprietary and cannot be reviewed | Seek sufficient assurance through documentation, testing, contracts, or alternatives | Vendor secrecy does not remove governance duty |

Deployment and Operation

| Situation in a question | Best next action | Why |
|---|---|---|
| Operational owner is not identified | Do not complete handover until ownership is assigned | AI needs post-project accountability |
| No monitoring thresholds are defined | Create monitoring and escalation criteria before go-live | Drift and degradation must be detectable |
| Model behavior changes after deployment | Treat as incident or change; investigate drift and impact | Operational AI must be controlled |
| Users rely blindly on recommendations | Improve training, user interface cues, and oversight process | Reduces automation bias |
| New data source is added | Reassess data governance, quality, bias, and security | Data change can change outcomes |
| Model is no longer delivering benefits | Review business case; adjust, retrain, replace, or retire | Governance includes continued value |

Governance Gates and Approval Evidence

| Gate | Approve when evidence shows | Do not approve when |
|---|---|---|
| Proceed to discovery | Problem, sponsor, expected value, and initial risk are understood | AI is a solution looking for a problem |
| Proceed to data use | Data ownership, access, quality, provenance, and permitted use are acceptable | Data rights or quality are unclear |
| Proceed to build | Feasibility, approach, roles, controls, and success criteria are defined | Team lacks acceptance criteria or risk controls |
| Proceed to validation | Model and solution are ready for structured testing | Testing is informal or undocumented |
| Proceed to deploy | Validation, assurance, monitoring, support, training, and rollback are ready | No operational owner or monitoring plan exists |
| Continue in operation | Benefits, performance, risk, and controls remain acceptable | Drift, incidents, or harm exceed thresholds |
| Retire | Replacement, decommissioning, data handling, and records are controlled | System is simply abandoned |

Tailoring Governance Effort

AIPGF-style exam scenarios often test proportionality: governance should be sufficient for risk, not identical for every project.

| Factor increasing governance intensity | Why it matters |
|---|---|
| High impact on individuals, safety, finance, employment, health, access, or rights | Errors may cause serious harm |
| Sensitive or personal data | Higher privacy, confidentiality, and trust implications |
| Automated decisions with limited human review | Accountability and appeal risks increase |
| Low explainability in a high-impact context | Harder to challenge or justify outcomes |
| External users or public exposure | Reputational and stakeholder trust risk increases |
| Novel data, new model type, or new operating context | Uncertainty is higher |
| Third-party or opaque AI components | Assurance may be harder |
| Frequent model updates or retraining | Stronger change control is needed |
| Regulatory, contractual, or audit scrutiny | Evidence and traceability become more important |

| Lower-risk AI use may allow | Higher-risk AI use usually needs |
|---|---|
| Lightweight documentation | Formal governance plan and approvals |
| Limited pilot | Structured impact assessment |
| Basic monitoring | Defined thresholds, incident routes, and assurance |
| Informal stakeholder review | Formal stakeholder engagement and communication |
| Standard project change control | Model, data, prompt, threshold, and use-case change control |

Agile, Predictive, and Hybrid Delivery

| Delivery approach | When useful for AI projects | Governance caution |
|---|---|---|
| Agile / iterative | Data exploration, prototyping, model improvement, user feedback | Iteration does not remove approval gates or risk controls |
| Predictive | Fixed compliance, procurement, infrastructure, deployment, or assurance milestones | Overly rigid planning may ignore discovery uncertainty |
| Hybrid | Most AI projects: iterative technical work inside controlled governance stages | Governance must define what can iterate and what needs approval |

Exam Distinctions

| Question wording | Better answer |
|---|---|
| “The team has learned the original model approach will not work” | Reassess options, update business case/risk, and seek appropriate approval |
| “The sprint produced a better model using extra data” | Check data approval, quality, provenance, and change control |
| “The sponsor wants a fixed date and fixed performance guarantee before discovery” | Explain uncertainty, use staged feasibility, and define decision gates |
| “Agile team says governance slows innovation” | Tailor governance, but keep accountability, risk, and assurance controls |

Human Oversight Reference

| Oversight level | Description | Suitable when |
|---|---|---|
| Human-in-the-loop | Human reviews before action is taken | Decisions are important, contestable, or error-sensitive |
| Human-on-the-loop | AI acts, but humans monitor and can intervene | Lower-risk automated operation with clear alerts and controls |
| Human-over-the-loop | Humans set policy, thresholds, and audits but do not review each case | Low-impact or highly controlled contexts |
| No meaningful oversight | Human cannot understand, challenge, or intervene | Usually a governance red flag in higher-impact scenarios |

Oversight Quality Checks

  • The human has authority to override the AI.
  • The human has enough information to challenge the output.
  • Review is timely enough to prevent harm.
  • Escalation and appeal routes are clear.
  • User training addresses over-reliance and limitations.
  • Oversight is documented and monitored.

Model Validation and Monitoring Metrics

The Foundation exam is not a data science certification, but candidates should recognize why governance decisions cannot rely on a single metric.

| Metric / evidence | What it indicates | Governance caution |
|---|---|---|
| Accuracy | Overall proportion of correct predictions | Can hide poor performance for minority or critical cases |
| Precision | How many positive predictions were correct | Important when false positives are costly |
| Recall / sensitivity | How many actual positives were found | Important when false negatives are costly |
| F1 score | Balance of precision and recall | Useful when classes are imbalanced, but still context-dependent |
| False positive rate | How often negative cases are wrongly flagged | May create unnecessary intervention or unfair burden |
| False negative rate | How often positive cases are missed | May create safety, loss, or missed-opportunity risk |
| Confusion matrix | Breakdown of correct and incorrect classifications | More informative than accuracy alone |
| Calibration | Whether confidence scores reflect actual likelihood | Important when users rely on probabilities |
| Drift indicators | Whether input data or performance changes over time | Key for post-deployment monitoring |
| User override rate | How often humans reject AI output | May indicate trust, usability, or performance issues |
| Incident reports | Harm, near misses, or unexpected behavior | Should trigger review and possible escalation |

Key formulas:

\[ \text{Precision} = \frac{TP}{TP + FP} \]

\[ \text{Recall} = \frac{TP}{TP + FN} \]

\[ \text{F1} = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \]

Where:

  • TP = true positives.
  • FP = false positives.
  • FN = false negatives.
  • TN = true negatives.

Risk Prioritization Formulas

Use risk formulas only as decision aids. Governance decisions also require judgment, accountability, and risk appetite.

\[ \text{Risk exposure} = \text{Probability} \times \text{Impact} \]

\[ \text{Expected monetary value} = \text{Probability} \times \text{Financial impact} \]

| Formula use | Exam interpretation |
|---|---|
| Higher probability and higher impact | Prioritize treatment and escalation |
| Low probability but severe harm | May still require senior attention |
| Risk above tolerance | Escalate or add controls; do not ignore |
| Residual risk remains after treatment | Must be accepted by the appropriate authority |

Change Control for AI Projects

AI change control covers more than code.

| Change type | Why it matters | Governance response |
|---|---|---|
| New training data | May alter bias, performance, or permitted use | Reassess data governance and validation |
| Model retraining | May change behavior even if code is unchanged | Version, test, approve, and document |
| Threshold adjustment | Changes false positives and false negatives | Review business impact and acceptance criteria |
| Prompt change in generative AI | May change outputs unpredictably | Test, version, and control prompt changes |
| Feature change | May introduce bias, leakage, or new dependencies | Validate and review explainability |
| New user group | Original validation may not apply | Reassess representativeness and impact |
| New business purpose | Data permission and risk profile may change | Revisit business case and governance approval |
| Vendor model update | Behavior may change outside the project team | Require notification, testing, and assurance |
| Integration change | Downstream process risk may change | Update testing, security, and support plans |

Common Exam Traps

| Trap answer | Why it is weak | Stronger exam answer |
|---|---|---|
| “Deploy because the prototype works” | Prototype evidence is not full governance evidence | Validate, assure, approve, and prepare operations |
| “Let the technical team decide ethical acceptability” | Ethics and impact need broader accountability | Involve accountable governance roles and stakeholders |
| “Accuracy is enough” | AI quality includes fairness, robustness, explainability, and context | Use risk-based acceptance criteria |
| “The vendor is responsible for governance” | The adopting organization remains accountable | Perform due diligence and retain oversight |
| “Agile means no formal controls” | Agile delivery still needs governance gates | Tailor controls to risk and lifecycle |
| “Human oversight exists because a person is nearby” | Oversight must be meaningful and empowered | Define review, override, and escalation |
| “Retraining is routine maintenance” | Retraining can materially change decisions | Use model change control |
| “No incidents means no monitoring needed” | Problems may be undetected without monitoring | Define metrics, thresholds, and review cadence |
| “Bias is only a data science issue” | Bias affects stakeholders, trust, and governance | Combine technical assessment with business and ethical review |
| “Documentation is optional if the team is expert” | Governance requires traceability and evidence | Record decisions, assumptions, tests, and approvals |

Scenario Answering Checklist

When a question asks what the project manager, sponsor, or governance body should do next, scan for these triggers.

If the scenario mentions data

Ask:

  • Who owns the data?
  • Is use permitted for this purpose?
  • Is the data representative and good enough?
  • Are sensitive fields controlled?
  • Is lineage documented?
  • Could data encode bias or historical unfairness?

If the scenario mentions model performance

Ask:

  • Which metric matters for the business decision?
  • What are the costs of false positives and false negatives?
  • Are results consistent across relevant groups?
  • Has the model been validated independently or objectively?
  • Are thresholds and acceptance criteria agreed?
  • Is there a plan to monitor degradation?

If the scenario mentions stakeholders

Ask:

  • Who is affected by the AI output?
  • Have users and impacted groups been consulted appropriately?
  • Is there a communication and training plan?
  • Can decisions be challenged or appealed?
  • Are responsibilities clear after deployment?

If the scenario mentions pressure to proceed

Ask:

  • What evidence is missing?
  • Is the risk within tolerance?
  • Who has authority to accept the residual risk?
  • Is escalation required?
  • Can a limited pilot reduce uncertainty safely?

If the scenario mentions operation

Ask:

  • Who owns the model after project closure?
  • What monitoring thresholds are defined?
  • What happens when thresholds are breached?
  • How are incidents, drift, retraining, and retirement handled?
  • Are benefits still being realized?

Compact “Best Answer” Heuristics

| If two answers seem plausible | Prefer the answer that |
|---|---|
| Action vs assessment | Assesses material AI risk before irreversible action |
| Technical fix vs governance response | Adds accountability, evidence, and controls, not just model tuning |
| Speed vs assurance | Protects value, safety, and trust over schedule pressure |
| Local team decision vs escalation | Escalates when risk exceeds authority or tolerance |
| Deployment vs pilot | Uses pilot when uncertainty is high and risk can be contained |
| More data vs better data governance | Confirms data quality, rights, and representativeness first |
| Automation vs human oversight | Maintains meaningful human accountability in higher-impact contexts |
| One-time approval vs lifecycle control | Includes monitoring, change control, and retirement |

Final Revision Checklist

Before exam day, be able to explain:

  • Why AI governance is needed beyond normal project governance.
  • How business value, risk appetite, assurance, and accountability guide decisions.
  • Which roles own sponsorship, delivery, data, model operation, assurance, and oversight.
  • Which artifacts provide evidence at each governance gate.
  • Why data provenance, quality, bias, and permitted use are early feasibility concerns.
  • Why validation must cover performance, fairness, explainability, security, and operational readiness.
  • Why deployment approval requires monitoring, support, rollback, and ownership.
  • How model drift, retraining, threshold changes, and vendor updates are controlled.
  • How to choose the next best action in risk, change, stakeholder, and assurance scenarios.

Practical Next Step

Use this Quick Reference as a checklist while answering scenario-based practice questions for the APMG International APMG AI Project Governance Framework (AIPGF) Foundation exam. After each question, identify the missing governance evidence, the accountable role, the relevant artifact, and the safest next decision.