APMG AI Project Governance Framework (AIPGF) Practitioner Quick Reference
Compact AIPGF Practitioner reference for AI project governance, lifecycle gates, roles, artifacts, risks, assurance, and scenario decisions.
Exam Identity and Practitioner Lens
Use this independent Quick Reference for candidates preparing for APMG International’s APMG AI Project Governance Framework (AIPGF) Practitioner exam, exam code AIPGF Practitioner.
Practitioner-style questions usually test applied judgment: which governance action, artifact, role, escalation, or control best fits the scenario. The strongest answer is normally the one that is proportionate, evidence-based, value-linked, risk-aware, and accountable.
Core Answer Pattern
| Step | Ask | Strong practitioner response |
|---|---|---|
| 1. Identify context | Is this idea, feasibility, development, deployment, operation, or change? | Match the action to the lifecycle point. Do not jump to deployment, procurement, or escalation too early. |
| 2. Confirm value | What business outcome or public/service value justifies AI? | Validate the business case and benefits before technical optimization. |
| 3. Classify risk | Who could be affected? How autonomous, novel, opaque, or sensitive is the use case? | Tailor governance intensity to impact and uncertainty. |
| 4. Check evidence | What artifact proves readiness? | Require data, model, security, human oversight, testing, and benefits evidence as applicable. |
| 5. Assign accountability | Who can accept the decision or residual risk? | Keep decision rights with the proper sponsor, board, owner, or assurance function. |
| 6. Decide next action | Continue, remediate, escalate, pause, or stop? | Prefer controlled progression over unmanaged experimentation. |
AI Project Governance Decision Path
flowchart TD
A[AI idea, project issue, or change request] --> B{Clear business outcome and owner?}
B -- No --> B1[Clarify objective, benefits, sponsor, and success measures]
B -- Yes --> C{AI is justified over simpler options?}
C -- No --> C1[Reassess solution approach or stop AI route]
C -- Yes --> D{Impact, uncertainty, or autonomy is significant?}
D -- Low --> D1[Use proportionate controls and standard project governance]
D -- High --> E[Complete risk, data, ethics, security, and assurance checks]
E --> F{Evidence supports next stage?}
F -- No --> F1[Remediate, time-box discovery, or escalate]
F -- Yes --> G{Residual risk within delegated authority?}
G -- No --> G1[Escalate to appropriate governance body or sponsor]
G -- Yes --> H[Authorize next stage with monitoring and change controls]
Lifecycle Governance Map
| Lifecycle point | Governance question | Key evidence/artifacts | Common trap | Best next action |
|---|---|---|---|---|
| Idea / mandate | Is there a justified need for AI? | Problem statement, objectives, sponsor, initial benefits hypothesis | Starting with model choice or vendor demo | Clarify outcome, users, decision context, and whether AI is appropriate |
| Feasibility | Is the use case viable, valuable, and governable? | Business case, options analysis, initial risk/impact assessment | Treating proof of concept as approval for production | Time-box feasibility and define stage-gate evidence |
| Data readiness | Is data suitable, authorized, representative, and controlled? | Data inventory, provenance, lineage, quality report, data management plan | Assuming more data automatically improves fairness or performance | Fix data issues before model claims are accepted |
| Solution design | Are architecture, oversight, explainability, security, and integration addressed? | Solution design, control design, human oversight model, threat model | Designing governance after build completion | Build controls into design, not as late documentation |
| Development / experimentation | Are experiments traceable and bounded? | Experiment logs, version control, model registry, test datasets | Unmanaged notebooks, undocumented feature changes | Maintain reproducibility and decision records |
| Validation | Does the system perform acceptably for intended use and affected groups? | Evaluation report, bias/fairness testing, robustness tests, user acceptance evidence | Relying only on aggregate accuracy | Validate against business, ethical, operational, and subgroup criteria |
| Authorization / deployment | Is release justified with residual risk understood? | Go/no-go recommendation, deployment plan, rollback plan, operational readiness checklist | Sponsor pressure overrides unresolved assurance findings | Authorize only within delegated tolerances or escalate |
| Operation | Is the AI system still performing safely and usefully? | Monitoring dashboard, incident log, drift reports, benefits tracking | Treating deployment as project closure with no model ownership | Monitor performance, harms, drift, and benefit realization |
| Change / retraining | Does the change alter risk, behavior, users, or accountability? | Change request, impact reassessment, updated model/system card | “It is only a retrain” avoids change control | Reassess based on effect, not label |
| Retirement | Should the AI capability be decommissioned or replaced? | Retirement plan, data retention/disposal evidence, transition plan | Keeping unused models active indefinitely | Retire safely, preserve records, and protect users/data |
Governance Roles and Accountability
| Role or group | Primary accountability | Practitioner exam cue | Avoid this error |
|---|---|---|---|
| Sponsor / senior responsible owner | Business justification, benefits, funding, acceptance of business risk within authority | Benefits unclear, strategic alignment questioned, funding decision needed | Making the project manager own business justification alone |
| Project board / governance board | Stage authorization, tolerances, escalation decisions, continued viability | Residual risk exceeds delegated limits; go/no-go decision needed | Escalating every routine technical issue |
| Project manager | Delivery control, issue/risk management, coordination, reporting, escalation | Work is off plan, evidence missing, unresolved dependencies | Personally accepting ethical, legal, or strategic risk outside authority |
| Product owner / business owner | Requirements, user value, prioritization, operational fit | Conflicting feature priorities or acceptance criteria | Optimizing model metrics while ignoring user workflow |
| Data owner | Data access, permitted use, quality expectations, retention constraints | New dataset, unclear provenance, access request | Assuming the AI team can use any available data |
| Data steward / data governance lead | Metadata, lineage, quality rules, data handling controls | Inconsistent labels, missing provenance, quality defects | Treating data cleaning as a purely technical task |
| AI / ML lead | Model design, training approach, technical evaluation, reproducibility | Model performance, feature engineering, experiment control | Deciding production risk without governance input |
| Security lead | Threat modeling, access control, secure deployment, adversarial risk | API exposure, model theft, prompt injection, supply chain issue | Addressing security only after deployment |
| Privacy / legal / compliance specialist | Interpretation of applicable obligations and compliance risks | Personal, sensitive, regulated, or cross-border data concern | Inventing legal conclusions without specialist input |
| Ethics / responsible AI reviewer | Fairness, accountability, transparency, human impact, contestability | Potential harm, vulnerable groups, opaque automated decisions | Treating ethics as optional communication activity |
| Independent assurance / audit | Objective review of controls, evidence, and governance operation | High-impact release or unresolved control weakness | Having only the build team validate its own work |
| Operations / service owner | Production support, monitoring, incidents, service continuity | Model is live or about to be handed over | Closing project without operational ownership |
| Supplier / vendor manager | Third-party obligations, service levels, assurance access, exit planning | Black-box model, SaaS AI, external data processor | Assuming supplier reputation removes due diligence |
Artifact Selection Matrix
| Artifact | Use when | What it proves | High-yield distinction |
|---|---|---|---|
| AI use case brief | Early idea or mandate | Problem, decision context, users, intended value | Prevents technology-first project initiation |
| Business case | Funding, prioritization, continuation, stage approval | Value, cost, risk, options, disbenefits, benefits owner | A technically feasible AI model is not automatically a viable project |
| AI risk / impact assessment | Any meaningful AI use case; especially high impact, autonomous, sensitive, or novel | Risk level, affected groups, control needs, escalation route | Drives proportional governance intensity |
| Stakeholder analysis | Users, affected parties, operators, regulators, support teams, or impacted communities are unclear | Interests, influence, communication and engagement needs | Affected people may not be system users |
| Data management plan | Data is collected, reused, acquired, transformed, or retained | Source, permissions, quality, lineage, retention, access control | Data governance starts before model training |
| Data quality report | Model depends on dataset reliability | Completeness, consistency, bias, label quality, missingness | Clean-looking data may still be unrepresentative |
| Model card / system card | Model/system behavior must be explained to governance, operators, or stakeholders | Intended use, limitations, metrics, training data summary, risks | Documentation should support decisions, not just describe algorithms |
| Evaluation and test strategy | Before accepting model performance or release | Test methods, acceptance criteria, subgroup performance, robustness | Accuracy alone is rarely enough |
| Human oversight plan | Humans review, approve, override, or contest AI outputs | Decision rights, escalation, competence, workload, override process | “Human in the loop” is not effective if humans cannot challenge outputs |
| Security threat model | AI system is exposed, integrated, high value, or supplier-based | Attack surfaces, controls, monitoring, response | AI adds threats such as data poisoning, model extraction, prompt injection |
| Responsible AI / ethics assessment | Harms, fairness, transparency, vulnerable users, or significant autonomy are present | Ethical risks, trade-offs, mitigations, accountability | Ethics is a governance input, not public relations |
| Deployment and rollback plan | Production release or major change | Release steps, fallback, monitoring, owner, support readiness | Production readiness includes failure handling |
| Monitoring plan | Live AI service, changing data, model drift risk | Metrics, thresholds, alerts, ownership, review cadence | Monitoring must include business and harm indicators, not only uptime |
| Incident response plan | AI failure could harm users, operations, trust, or compliance | Detection, triage, escalation, containment, communication | AI incidents can be model, data, security, or human-process failures |
| Benefits realization plan | Business case benefits must be tracked after delivery | Baseline, target, owner, measurement method, review point | Model performance is not the same as realized benefit |
| Change control record | Retraining, threshold change, new data, new users, or supplier update occurs | Impact assessment, approval, traceability | “Minor technical change” can be major governance change |
Tailoring Governance Intensity
| Factor increasing governance intensity | Why it matters | Stronger controls to consider |
|---|---|---|
| High impact on people, rights, access, safety, money, employment, or essential services | Consequences of error or unfairness are greater | Formal impact assessment, independent assurance, explicit board approval |
| High autonomy | Less human correction before harm occurs | Human oversight design, fail-safe controls, tighter monitoring |
| Sensitive or personal data | Higher privacy, security, and trust risk | Data minimization, access controls, provenance, specialist review |
| Vulnerable or disadvantaged affected groups | Harm may be uneven or harder to contest | Fairness testing, stakeholder engagement, accessible redress |
| Novel model, novel data, or novel use case | Historical assurance evidence is weaker | Time-boxed discovery, staged gates, pilot limits |
| Opaque model or black-box supplier | Harder to explain, validate, and challenge | Explainability requirements, supplier assurance, operational limits |
| Dynamic environment | Drift and decay are more likely | Monitoring thresholds, retraining triggers, change control |
| Integration with critical systems | Failure can cascade | Resilience, rollback, service continuity, security testing |
| Regulatory, contractual, or reputational exposure | Accountability extends beyond the project team | Specialist review, evidence retention, formal approvals |
| Low organizational readiness | Users may misuse or over-trust outputs | Training, communication, adoption controls, support model |
Common Scenario Decisions
| Scenario cue | Weak answer | Strong AIPGF Practitioner-style action |
|---|---|---|
| Sponsor wants rapid deployment before validation is complete | Accept the pressure because benefits are urgent | Explain missing evidence, assess risk, seek appropriate governance decision, and do not bypass required assurance |
| Proof of concept achieved high accuracy | Move straight to production | Confirm production data, controls, monitoring, security, user workflow, and benefits case |
| Dataset has missing fields and uncertain provenance | Train anyway and document later | Pause or time-box investigation; establish provenance, quality, permitted use, and remediation |
| Model performs worse for a subgroup | Report only overall metric | Investigate cause, assess fairness and impact, adjust data/model/process, and escalate if residual risk is material |
| New dataset becomes available | Add it to improve performance | Reassess permitted use, quality, bias, lineage, and change impact before use |
| Supplier offers a proprietary black-box model | Accept supplier assurance at face value | Require evidence, contractual controls, explainability/operational limits, and exit arrangements |
| Human reviewers always accept AI recommendations | Claim oversight exists | Investigate automation bias, improve training/interface, define override expectations, and monitor reviewer behavior |
| Model drift alert triggers | Ignore until next planned review | Triage as operational issue; assess impact, rollback/retrain if needed, record decision |
| Benefits are not being realized despite good model metrics | Improve algorithm only | Revisit workflow, adoption, baseline, user behavior, and benefits ownership |
| Risk exceeds project manager tolerance | Project manager decides alone | Escalate to the role/body with authority to accept, reduce, transfer, or reject residual risk |
| A change affects users, data, or decision thresholds | Treat as routine technical update | Use change control and update risk, testing, documentation, monitoring, and approvals |
| Users do not understand AI output | Add technical model details | Provide role-appropriate explanation, limitations, confidence guidance, and escalation route |
| Incident causes incorrect decisions | Retrain quietly | Contain, assess harm, communicate as required by governance route, preserve evidence, fix root cause |
Change Control for AI Systems
| Change type | Reassessment needed? | Include these roles | Evidence to update |
|---|---|---|---|
| Code defect fix with no behavioral change | Light, unless controls or outputs change | AI lead, project/service owner, tester | Change log, regression test evidence |
| Retraining on refreshed data for same use | Yes, because behavior can change | AI lead, data owner, service owner | Data quality, evaluation report, model/system card |
| New data source | Yes | Data owner, privacy/compliance as applicable, AI lead | Data provenance, permitted use, quality, risk assessment |
| Feature engineering change | Yes, if explainability, fairness, or performance changes | AI lead, data steward, responsible AI reviewer | Evaluation, fairness checks, documentation |
| Decision threshold change | Yes, often material | Business owner, AI lead, risk owner | Impact analysis, false positive/false negative trade-off |
| New user group or population | Yes, high importance | Sponsor, stakeholder lead, responsible AI reviewer | Impact assessment, subgroup testing, communications |
| New purpose or business process | Treat as new or materially changed use case | Sponsor, board, risk/compliance specialists | Business case, risk assessment, governance approvals |
| Increased automation / reduced human review | Yes, high importance | Sponsor, operations, risk, ethics, assurance | Oversight plan, risk acceptance, monitoring thresholds |
| Supplier model version change | Yes, depending on impact | Supplier manager, AI lead, security, service owner | Supplier release notes, test results, assurance evidence |
| Decommissioning or replacement | Yes | Service owner, data owner, sponsor | Retirement plan, data disposal/retention evidence, transition plan |
Responsible AI Controls
| Principle | Practical control | Evidence to look for | Common trap |
|---|---|---|---|
| Accountability | Named owners for business outcome, data, model, risk, and operation | RACI, governance approvals, decision logs | “The algorithm decided” is treated as accountability |
| Transparency | Clear explanation of intended use, limitations, and decision influence | Model/system card, user guidance, communication plan | Giving users technical detail that does not help them act |
| Fairness | Test for uneven error rates or harmful outcomes across relevant groups | Fairness analysis, subgroup metrics, mitigation records | Relying on overall performance only |
| Privacy and data governance | Minimize data, control access, confirm provenance and permitted use | Data management plan, access logs, lineage | Using available data without confirming suitability |
| Robustness and safety | Test failure modes, edge cases, drift, and resilience | Robustness tests, monitoring plan, incident process | Assuming test performance remains stable in production |
| Security | Protect data, model, pipeline, prompts, APIs, and outputs | Threat model, secure architecture, vulnerability testing | Treating AI security as ordinary application security only |
| Human agency and oversight | Enable meaningful review, override, escalation, and challenge | Oversight plan, training, audit of override behavior | Human review is nominal or overloaded |
| Contestability | Allow affected parties or users to question outcomes | Appeals or review route, support scripts, audit trail | No route to correct harmful or incorrect outputs |
| Proportionality | Match controls to risk, impact, and uncertainty | Tailoring record, risk acceptance rationale | Applying either no governance or excessive bureaucracy |
| Sustainability and maintainability | Consider operating cost, environmental/resource burden, lifecycle support | Architecture and operations assessment | Selecting a model that cannot be supported responsibly |
Risk Reference
| Risk category | Example causes | Impact | Controls |
|---|---|---|---|
| Strategic / value risk | Weak business case, AI not needed, benefits unclear | Waste, reputational damage, opportunity cost | Options analysis, benefits owner, stage reviews |
| Data risk | Poor quality, biased labels, uncertain provenance, unauthorized use | Inaccurate or unfair outputs, compliance issues | Data governance plan, quality checks, lineage, access controls |
| Model risk | Overfitting, poor calibration, low robustness, opaque logic | Wrong decisions, inconsistent behavior | Validation, stress testing, explainability, model documentation |
| Fairness / ethics risk | Uneven performance, proxy variables, harmful automation | Discrimination, loss of trust, user harm | Impact assessment, subgroup testing, oversight, redress |
| Security risk | Data poisoning, model extraction, prompt injection, insecure APIs | Breach, manipulation, service compromise | Threat modeling, secure pipeline, monitoring, access control |
| Operational risk | Drift, poor handover, weak incident response, support gaps | Service failure, accumulating harm | Monitoring, runbooks, ownership, rollback |
| Change risk | Retraining changes behavior, supplier update, new context | Undetected degradation or new harm | Change control, regression testing, reauthorization |
| Supplier risk | Black-box model, unclear data use, lock-in, weak assurance | Loss of control, hidden obligations, poor exit options | Due diligence, audit evidence, contract controls, exit plan |
| Stakeholder risk | Low adoption, poor understanding, over-trust, resistance | Benefits not realized, misuse | Engagement, training, clear guidance, feedback channels |
| Governance risk | Unclear accountability, weak escalation, missing evidence | Unauthorized risk acceptance | RACI, decision records, stage gates, independent assurance |
Useful Formulas
Use formulas only when the scenario provides the variables and asks for prioritization, risk exposure, project control, or evaluation metrics.
\[ \text{Risk Exposure} = P(\text{event}) \times \text{Impact} \]\[ \text{Expected Monetary Value} = P(\text{outcome}) \times \text{Monetary Impact} \]\[ \text{Cost Performance Index} = \frac{\text{Earned Value}}{\text{Actual Cost}} \]\[ \text{Schedule Performance Index} = \frac{\text{Earned Value}}{\text{Planned Value}} \]\[ \text{Precision} = \frac{TP}{TP + FP} \]\[ \text{Recall} = \frac{TP}{TP + FN} \]\[ F_1 = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \]Metric Interpretation
| Metric | Plain meaning | Governance caution |
|---|---|---|
| Accuracy | Share of correct predictions | Can hide poor performance on minority classes or high-impact cases |
| Precision | Of positive predictions, how many were correct | Important when false positives cause harm or cost |
| Recall / sensitivity | Of actual positives, how many were found | Important when missed cases are harmful |
| False positive rate | How often negatives are incorrectly flagged | May create unfair burden, cost, or unnecessary intervention |
| False negative rate | How often positives are missed | May create safety, access, or service failure risk |
| F1 score | Balance between precision and recall | Useful when classes are imbalanced, but still not a business outcome |
| Calibration | Whether confidence scores reflect real likelihood | Poor calibration can mislead human decision-makers |
| Drift | Change in data, concept, or performance over time | Requires monitoring, thresholds, and response ownership |
| Latency | Time to produce output | May affect user workflow, safety, or service levels |
| Explainability | Ability to understand key factors or rationale | Must fit the audience and decision context |
Agile, Predictive, and Hybrid Delivery
| Situation | Better delivery stance | Governance implication |
|---|---|---|
| Uncertain data quality or model feasibility | Time-boxed agile discovery | Permit learning, but keep boundaries, records, and decision gates |
| Stable compliance, procurement, or infrastructure requirements | Predictive or controlled planning | Define approvals, dependencies, evidence, and acceptance criteria early |
| AI model development inside a regulated or high-impact service | Hybrid | Iterate technically, but retain formal governance gates |
| Frequent model experimentation | Agile technical workflow | Version experiments, document assumptions, and prevent uncontrolled production use |
| Production deployment and operational handover | Controlled release management | Require readiness, rollback, monitoring, and support ownership |
| Benefits realization after launch | Iterative improvement | Track outcomes and adjust workflow, model, or adoption plan |
Agile Governance Traps
- Agile does not remove the need for risk assessment, data controls, or authorization.
- A sprint review is not the same as independent assurance.
- A working model is not the same as an operationally safe service.
- Backlog priority should consider risk, value, dependencies, and governance evidence.
- Technical experimentation should be sandboxed and traceable.
Stage-Gate Readiness Checklist
| Gate | Minimum readiness questions |
|---|---|
| Start feasibility | Is the problem clear? Is AI plausibly justified? Is there a sponsor and benefits hypothesis? |
| Start development | Is data access authorized? Are quality and provenance understood? Are evaluation criteria defined? |
| Start validation | Are model versions, test data, expected performance, and acceptance thresholds documented? |
| Deploy pilot | Is scope limited? Are users briefed? Are monitoring, fallback, and incident routes in place? |
| Full production | Are residual risks accepted by the right authority? Are operations, support, monitoring, and benefits tracking ready? |
| Continue operation | Are performance, fairness, drift, incidents, and benefits still acceptable? |
| Major change | Has the change been classified and reassessed? Are documentation and approvals updated? |
| Retire | Are users transitioned, data handled appropriately, records preserved, and dependencies removed? |
Stakeholder and Communication Reference
| Stakeholder group | Needs | Useful evidence or communication |
|---|---|---|
| Sponsor / governance board | Value, risk, options, tolerances, decision request | Business case, risk summary, stage report, recommendation |
| End users | How to use outputs, limitations, escalation route | User guidance, training, confidence/limitations explanation |
| Affected parties | How decisions affect them and how to challenge errors | Clear notices, review/appeal route, support process |
| Operations and support | How to monitor, triage, and restore service | Runbook, incident plan, monitoring thresholds |
| Data owners | How data is used, protected, retained, and changed | Data management plan, lineage, access records |
| Compliance / legal / privacy specialists | Facts needed to interpret obligations | Data flows, purpose, controls, risk assessment |
| Security team | Attack surfaces, access paths, deployment model | Threat model, architecture, vulnerability results |
| Assurance / audit | Objective evidence of control design and operation | Decision logs, approvals, tests, monitoring records |
| Supplier manager | Obligations, assurance evidence, change and exit controls | Supplier documentation, contract controls, service reports |
Benefits and Value Control
| Item | Good practice | Exam cue |
|---|---|---|
| Benefit definition | Measurable outcome with baseline, target, owner, and review date | “Improve decisions” is too vague |
| Benefit owner | Business role accountable for realization | Project team cannot realize operational benefits alone |
| Leading indicators | Adoption, cycle time, accuracy, recall, user compliance, override rates | Indicators help but do not prove final value |
| Disbenefits | Negative outcomes that may occur even if project succeeds | Increased workload, user mistrust, unfair burden |
| Value-risk trade-off | Compare benefit against residual risk and cost of controls | High performance may not justify unacceptable harm |
| Benefits review | Continue after deployment | Project closure is not the end of benefits governance |
Supplier and Third-Party AI Governance
| Supplier issue | Governance response |
|---|---|
| Proprietary or black-box model | Define minimum explainability, testing, monitoring, and assurance evidence required |
| Supplier uses customer data for improvement | Confirm permitted use, controls, and opt-in/opt-out position through appropriate review |
| Model updates are controlled by supplier | Require notification, versioning, test evidence, rollback, and change impact review |
| Service-level dependency | Define availability, incident, support, and continuity expectations |
| Exit or lock-in risk | Plan data export, replacement approach, knowledge transfer, and termination handling |
| Unclear intellectual property or data rights | Seek specialist review before commitment |
| Supplier claims compliance generally | Ask for evidence specific to the use case, data, deployment, and operating context |
Assurance and Escalation
When to Escalate
Escalate when:
- Residual risk exceeds delegated authority or tolerance.
- Business case viability is uncertain or benefits no longer justify risk.
- Data use, fairness, privacy, security, or ethics concerns cannot be resolved by the team.
- Required evidence for a stage gate is missing or disputed.
- Model behavior changes materially after retraining, new data, or supplier update.
- An incident causes or could cause harm, service failure, or loss of trust.
- Stakeholder objections reveal a material impact not previously assessed.
- A decision requires acceptance by a sponsor, governance board, or specialist authority.
When Not to Escalate
Do not escalate merely to avoid routine management responsibility. Handle within the team when the issue is inside delegated limits, controls are known, and no material change to risk, scope, benefits, or accountability is involved.
Common Exam Traps
| Trap | Better reasoning |
|---|---|
| “AI is innovative, so it should be used.” | Confirm AI is justified against simpler, safer, cheaper options. |
| “The model is accurate, so it is ready.” | Check data, fairness, robustness, security, oversight, operations, and benefits. |
| “The project manager can accept the risk.” | Risk acceptance must match delegated authority and governance structure. |
| “A pilot success authorizes full deployment.” | Production needs operational readiness, wider impact assessment, monitoring, and approval. |
| “Human oversight solves accountability.” | Oversight must be meaningful, trained, resourced, and auditable. |
| “Supplier assurance removes customer responsibility.” | The organization still needs use-case-specific governance and evidence. |
| “More data reduces bias.” | More data can amplify bias if source, labels, or representation are flawed. |
| “Documentation can be completed later.” | Key artifacts support decisions before progression. |
| “Agile means governance can be lightweight always.” | Governance is tailored to risk, not delivery style. |
| “No personal data means no ethical risk.” | AI can still create unfair, unsafe, opaque, or harmful outcomes. |
| “Retraining is routine maintenance.” | Retraining can change behavior and may require reassessment. |
| “Explainability is only for technical staff.” | Explanations must be useful to decision-makers, users, affected parties, and governance bodies. |
Final Revision Checklist
Before answering a scenario question, check:
- What lifecycle point is the project in?
- What decision is being asked: proceed, pause, remediate, escalate, approve, or stop?
- Is the business outcome clear and still justified?
- Is AI appropriate compared with non-AI alternatives?
- Which risks are material: data, model, ethics, security, operations, supplier, stakeholder, or benefits?
- What evidence is missing?
- Which role has authority to decide or accept residual risk?
- Is the proposed action proportionate to impact and uncertainty?
- Does the answer preserve traceability, accountability, and monitoring?
- Does the answer avoid overreacting, bypassing controls, or solving governance issues with technical fixes only?
Practical Next Step
Use this Quick Reference to identify weak areas, then complete scenario-based practice for the APMG AI Project Governance Framework (AIPGF) Practitioner exam. For each question, explain why the best answer is the most proportionate governance action and why the distractors are too early, too late, under-controlled, over-escalated, or outside the role’s authority.