Bizzdesign Unify: An AI-native platform for faster, better transformation decisions.
Summary
What you'll learn in this guide:
- Why governing AI requires a different approach from managing a conventional application portfolio, and what that means in practice.
- How to structure an AI portfolio so that every use case, feature, model, and technology is visible, accountable, and traceable from business intent down to the technology stack.
- Who needs to be involved and what each role is responsible for.
- A seven-step process for bringing the AI portfolio under governance, from the first application assessment through to a complete, connected view of the full AI architecture.
- What a governed portfolio makes possible: responsible AI practices, better risk and investment decisions, and the ability to direct resources toward the initiatives that matter most.
AI has entered the enterprise faster than the organizational discipline to manage it has developed. Business units adopt AI through embedded functionality, decentralized experimentation, and business-led tools, often outside any formal approval process. The result is an AI landscape that's difficult to see clearly and harder still to govern.
Without a shared framework to track and govern it, fundamental questions become difficult to answer: What AI do we have? Who approved it? Where is it permitted to operate? What business priority does it support? And is it working?
Answering those questions is what AI portfolio governance is for. It's the coordinated oversight of AI use cases, features, applications, models, and technologies, giving organizations a consistent way to understand what AI they have, who is accountable for it, where it may be used, and whether it's aligned to business strategy. Enterprise architecture (EA) and strategic portfolio management (SPM) provide the foundation to make that work, linking business use cases and capabilities to the applications, features, models, and technologies that support them so that regulatory exposure can be managed and investment decisions made on solid ground.
This guide explains how, covering the foundations of effective AI portfolio governance, the building blocks that need to be connected, the roles responsible for governing them, and a seven-step process for bringing the AI portfolio into view and keeping it under governance.
The Three Foundations of Effective AI Portfolio Governance
Effective AI portfolio governance depends on several forms of insight working together. Organizations need visibility across the AI landscape, a clear connection between AI activity and business priorities, and the traceability required to understand dependencies, assess risk, and guide portfolio decisions.
AI Portfolio Transparency. Knowing where AI is being used across the organization, which models and technologies are being implemented, whether they're approved, and in which locations and jurisdictions they may be used.
AI Portfolio Alignment. Understanding organizational AI use cases and their enabling applications, and connecting them to business capability priorities so that AI investments are demonstrably tied to business strategy. This is also where business stakeholders can understand what AI makes possible for the capabilities and processes they're responsible for, and where they can engage in shaping how it's used.
AI Portfolio Management. Establishing clear traceability from AI use cases all the way down to the underlying models, applications, and technologies that support them, enabling organizations to assess regulatory and investment risk and make defensible portfolio decisions.

When these three foundations are in place, organizations have a single source of truth for AI, with the business and IT context, impact and dependency analysis, and decision support needed to govern AI responsibly and demonstrate its value to stakeholders.
The Four Building Blocks of an AI Portfolio
We all work with application portfolios. But an AI portfolio is different. An application is a discrete, definable object. It supports a business process, has a budget owner, and end-users know its name. Once you agree on what counts as an application, the portfolio fills with comparable entities that can be governed consistently.
AI doesn't work that way. Take something as straightforward as a customer support chatbot. At the business level, it's an AI use case: a defined application of AI to achieve a business goal. The chatbot itself is an AI feature, a business instantiation of AI technology provided by an application. It runs on an AI model, say GPT-4 or Claude, a program trained on data to recognize patterns and perform tasks autonomously. And that model relies on AI technologies, such as text classification, machine translation, and question answering, to function.
That's four distinct layers, or architecture artifacts, within the same capability, all needing to be understood, documented, and governed separately. Miss any one of them and your picture of the portfolio is incomplete. Put simply, the AI use case captures why AI is being used, the AI feature describes how AI functionality is delivered to the business, the AI model performs the underlying computational work, and the AI technology describes the task capability the model provides.
In AI portfolio management, each of these artifacts is captured as an object class, a structured category with its own set of defined attributes. All four share a common foundation:
- ID, Name, and Description
- Status: Draft, Under Review, Approved, Declined, or Retired
- Allowed and Disallowed Locations, defining the jurisdictions where each is permitted to operate
And each carries attributes specific to its role:
- AI Use Case: Defines the business goal being pursued, the business capabilities and AI features involved, the associated risk level, the locations where it may be used, and its architecture, legal, data privacy, and security approval status.
- AI Feature: Describes how AI is applied within the business, whether the feature is enabled, the model and AI technologies it uses, and the application that provides it.
- AI Model: Documents the model's status and permitted locations, together with its performance, ethical and data privacy checks, known limitations, and associated components and AI technologies.
- AI Technology: Identifies the task-performing technology involved, such as machine translation, text classification, or question answering, the locations where it may be used, and the AI models that provide it.

The result is a connected architecture that traces each business capability and AI use case to the AI feature, providing application or component, underlying AI model, and AI technology involved.
In summary: AI portfolio management captures each layer of the AI landscape as an object class with its own defined attributes, approval status, and permitted locations. The AI use case defines the business goal being pursued. The AI feature describes how AI functionality is delivered. The AI model performs the underlying computational work. The AI technology describes the task capability the model provides. Combined, they create a connected architecture traceable from business capability down to the technology stack.
Who Is Responsible for AI Portfolio Governance?
A governed AI portfolio requires clear ownership of its individual assets and oversight across the portfolio as a whole. Without it, the governance framework exists on paper but doesn't hold in practice.
At the business level, AI use cases need owners who understand what the AI is being used for and can drive the approval process. In most organizations this means multiple Application Owners, each responsible for flagging AI-enabled applications within their area and defining their AI-driven features and capabilities. They're typically the closest to how AI is being used day to day, making them essential for maintaining an accurate picture of what's in the portfolio.
The feature layer needs someone who understands how AI capability is being delivered through applications and components. Technology Architects handle this, identifying the underlying technologies behind AI models and categorizing what's in use across the organization. Without this role, the technical layer of the portfolio stays invisible.
Sitting across the full picture is the Chief Technology Officer and AI Competency Center, seeking visibility into where AI is being used and ensuring adoption stays aligned with business goals and architecture strategy. They're the function that connects individual initiatives to the broader organizational direction.
Enterprise Architects bring it together at the structural level, designing the framework for AI adoption, setting standards, and assessing strategic and technical alignment across all four layers. They also connect AI use cases to business capabilities and portfolio priorities, making sure governance decisions are grounded in enterprise context.
And cutting across everything are Risk and Compliance Managers, ensuring AI usage complies with security policies, data privacy standards, and regulatory requirements. As frameworks like the EU AI Act come into force, this role is becoming increasingly central, supporting consistent risk assessment across use cases, models, and technologies.
None of these roles work well in isolation. The shared view of the portfolio is what allows them to function as a governance system rather than separate functions doing their own thing. Building that shared view is what the seven steps below are designed to do.
In summary: AI portfolio governance is a shared responsibility. Application Owners document how AI is used, Technology Architects identify the underlying technologies and dependencies, Enterprise Architects establish the portfolio structure and standards, technology and AI leadership maintain strategic oversight, and Risk and Compliance teams assess regulatory, privacy and security requirements. A shared portfolio view allows these roles to operate as one governance system.
How to Build a Governed AI Portfolio in 7 Steps
Most of the AI this process surfaces is already in the organization. These seven steps bring it into view and put it under governance, each one building on the last.
Step 1: Application Assessment
The Application Owner, or several depending on the size of the organization, leads this step, flagging all applications that are providing AI features. It's often the step that surfaces just how widespread AI adoption already is, including applications that have had AI embedded in them without ever being formally documented or approved.
The objective: Establish a reliable view of the applications and components currently providing or embedding AI functionality.
What to do:
- Review the application portfolio for products with embedded AI functionality, including capabilities introduced through vendor updates
- Consult application owners, procurement records, technology teams, and business functions to identify AI tools acquired or deployed outside the normal IT process
- Flag each application or component that provides an AI feature, including functionality that is experimental, disabled, or awaiting approval
- Record the accountable owner, current lifecycle status, and whether the AI functionality is in use
Questions worth asking:
- Does the application provide functionality that depends on an AI model or AI technology?
- Did the AI functionality go through a formal assessment, or did it enter through an existing product or a local business decision?
- Who is accountable for the application and the AI functionality it provides?
The decision: Confirm which applications and components must enter the governed AI portfolio and assign responsibility for maintaining their records.
The output: A validated inventory of applications and components providing AI functionality, with ownership and current review status recorded.
Step 2: AI Feature Inventory
For each AI-enabled application identified in Step 1, document the AI features it provides and assess their risk levels. This is where the AI Feature layer gets populated in earnest, with risk ratings assigned and compliance exposure identified against relevant regulatory frameworks.
The objective: Document the individual AI capabilities provided through each application and establish an initial view of their risk.
What to do:
- Identify each AI feature separately rather than treating the application as a single AI asset.
- Describe what the feature does, who uses it, and how it supports the business.
- Record whether the feature is enabled or disabled and whether it's experimental or in production.
- Document the data involved and assign an initial risk level using the organization's relevant assessment criteria.
Questions worth asking:
- What business task or activity does the feature support?
- What data does it use or generate?
- Does it influence decisions affecting customers, employees, or other stakeholders?
- Does it operate autonomously, or is human review required?
- What regulatory, legal, privacy, or security exposure may arise?
- Which AI model powers this feature, and has it been approved for use in this organization?
- In which locations or jurisdictions is this feature permitted to operate, and are there any where it's explicitly disallowed?
The decision: Determine the level of review and governance required for each AI feature based on its use, data, and potential impact.
The output: A documented inventory of AI features with a defined purpose, owner, status, and initial risk classification.
Step 3: Application Mapping
Assign AI features to their providing applications, establishing the formal relationship between each feature and the application that delivers it. This creates the traceability needed to understand dependencies and assess the impact of any change.
The objective: Create a dependable link between each AI feature and the application or component through which it's delivered.
What to do:
- Assign each AI feature to its providing application and, where relevant, the underlying component.
- Record whether the capability is embedded in the application, developed internally, or provided through an external service.
- Identify applications that provide multiple AI features and features that depend on shared components.
- Validate the relationships with application and technology owners.
Questions worth asking:
- Which application makes the feature available to the business?
- Which component, platform, or service enables it?
- Is the feature native to the application or dependent on a third party?
- Would changing or retiring the application affect other AI features or use cases?
- Are several applications providing substantially similar functionality?
The decision: Confirm the authoritative application and component relationships for each feature and identify any duplicated or critical dependencies requiring further review.
The output: A traceable map connecting AI features to their providing applications and components.
Step 4: Business Impact
Document the AI use cases being used by the business and the AI features that enable them. This is also the step where the approval process gets defined: who has authority to approve AI use cases, what criteria apply, and what the workflow looks like across the organization.
The objective: Connect AI activity to business goals and capability priorities, and determine whether each use case has a sound strategic and investment case.
What to do:
- Document the business goal each AI use case is intended to achieve.
- Link the use case to the relevant business capabilities and the AI features that enable it.
- Define the expected outcome and the evidence that will be used to assess value.
- Assess whether the use case overlaps with existing initiatives, applications, or capabilities.
- Define the architecture, legal, data privacy, security, location and business approval requirements.
- Record the decision to proceed, scale, pause, revise, or retire the use case.
Questions worth asking:
- Which business capability or strategic priority does the use case support?
- What business outcome is expected and how will success be assessed?
- Is the organization already funding or operating a similar use case?
- Do the expected benefits justify the cost, complexity, and risk?
- Which roles must review and approve it?
The decision: Decide whether the use case should proceed, scale, remain experimental, be revised, paused, or retired based on its strategic fit, expected value, duplication, and risk.
The output: A governed set of AI use cases connected to business priorities, enabling features, expected outcomes, and documented approval and investment decisions.
Step 5: AI Model Inventory
Create an inventory of AI models with approval status, documenting which models may be used and in which locations or jurisdictions. Organizations frequently have limited visibility into which models are in use and whether they've been formally sanctioned. This step addresses that directly.
The objective: Establish an authoritative inventory of AI models and the conditions under which each may be used.
What to do:
- Identify the AI models used by the features documented in the earlier steps.
- Record the model name, provider, version, status, and known limitations.
- Document performance, ethical, and data privacy checks where applicable.
- Specify the locations or jurisdictions where the model is allowed or disallowed.
- Identify models that are unapproved, duplicated, unsupported, or approaching retirement.
Questions worth asking:
- Which features and use cases depend on this model?
- Has it been formally reviewed and approved?
- Where may it legally and operationally be used?
- What limitations or conditions apply?
- What would happen if the provider changed, restricted, or retired it?
The decision: Determine whether the model may be approved for continued use, approved with restrictions, replaced, consolidated, or retired.
The output: A governed AI model inventory with status, permitted locations, documented checks, limitations, and lifecycle information.
Step 6: AI Model Mapping
Assign AI models to the AI features that use them and to the components that provide them. This connects the business layer to the technical layer, making it possible to trace any AI feature back to the specific model powering it.
The objective: Establish end-to-end traceability between AI features, the models they use, and the components through which those models are provided.
What to do:
- Assign each model to the AI features it powers.
- Connect models to the components, platforms, or services that provide them.
- Identify where one model supports several features or use cases.
- Identify where several models provide similar or overlapping functionality.
- Document critical dependencies and available alternatives.
Questions worth asking:
- Which features, applications, and business use cases would be affected if the model changed or became unavailable?
- Are multiple teams using equivalent models independently?
- Does a change in model, version, or provider create new regulatory, cost, or performance exposure?
- Are any critical use cases dependent on a single model or provider?
The decision: Determine which model dependencies are acceptable, which require mitigation, and where consolidation or an alternative model should be considered.
The output: End-to-end traceability from AI use cases and features to the models, applications, and components that support them.
Step 7: AI Technology
Define the AI technologies being provided by AI models and those being leveraged by AI features. This completes the picture, closing the loop on the full architecture from business use case down to the technology stack. With all four layers documented and governed, the portfolio is no longer invisible.
The objective: Complete the portfolio by classifying the underlying AI technologies and identifying where they're used across the organization.
What to do:
- Define the task-performing technologies provided by each model, such as machine translation, text classification, or question answering.
- Connect those technologies to the models, features, and use cases that rely on them.
- Use consistent naming and classification so equivalent technologies can be compared across the portfolio.
- Identify approved technologies that can be reused across teams or applications.
- Identify unnecessary duplication, unsupported technologies, and critical concentrations of dependency.
Questions worth asking:
- Which AI technologies are used most widely across the enterprise?
- Where are different teams using different technologies to address the same need?
- Which technologies are approved and suitable for reuse?
- In which locations is this technology allowed?
- Are any critical capabilities dependent on one technology, model, or provider?
The decision: Determine which AI technologies should be standardized, reused, consolidated, restricted, or retired across the portfolio.
The output: A complete, connected view of the AI portfolio, traceable from business capability and use case through to feature, application, model, and technology.
In summary: Step 1 flags all applications providing AI features. Step 2 documents those features and assesses their risk levels. Step 3 maps features to their providing applications. Step 4 connects AI use cases to business goals and defines the approval process. Step 5 establishes an inventory of AI models with approval status and permitted locations. Step 6 maps those models to the features and components they power. Step 7 defines the AI technologies provided by those models, completing the picture from business use case down to the technology stack.

Five Benefits of a Governed AI Portfolio
Once the portfolio is established and kept up to date, organizations can answer the questions that were difficult at the start of this guide with far greater confidence: what AI is in use, what it supports, who is accountable for it, whether it has been approved and what it depends on.
The value extends well beyond creating an inventory and supports better decisions across the AI lifecycle. A governed AI portfolio provides the context needed to manage AI responsibly, assess both regulatory and investment risk, understand the consequences of change and direct resources toward the initiatives that best support business strategy.
Establish responsible AI practices:
A shared view of AI use cases, features, models and technologies makes ownership, approval status, risk and permitted locations visible. This gives architecture, legal, data privacy, security and business teams a common foundation for reviewing how AI is used and whether the necessary controls are in place.
Assess regulatory and investment risk:
Regulatory assessment determines whether an AI asset may be used safely, lawfully and in the relevant jurisdictions. Investment assessment addresses a different set of questions: whether the use case supports a strategic priority, duplicates an existing capability, depends on sustainable technology and warrants continued funding.
Managing both forms of risk helps organizations make more defensible decisions about what to approve, scale, revise or stop.
Understand dependencies and the impact of change:
Traceability across business capabilities, use cases, features, applications, models and technologies allows teams to see the consequences of a change before acting.
If a model is retired, a provider changes its terms, a technology becomes restricted or a regulation changes in one jurisdiction, the organization can identify the affected use cases, applications and business capabilities and respond accordingly.
Align AI investment with business strategy:
Connecting AI use cases to business capabilities helps leaders understand where AI is already active, which initiatives support strategic priorities and where further investment could create value.
It also provides a stronger basis for comparing competing initiatives and directing funding toward the use cases with the clearest business contribution.Reuse and rationalize AI capabilities:
A connected portfolio reveals where applications and teams are using similar AI features, models or technologies to solve the same problem.
Organizations can identify approved assets that are suitable for reuse, reduce parallel development and procurement, consolidate overlapping capabilities and direct resources toward genuine gaps in the portfolio.
This improves operational efficiency while reducing unnecessary cost, architectural complexity and the governance burden created by maintaining multiple solutions with similar purposes.
In summary: A governed AI portfolio combines business context, technical dependencies, ownership, risk and approval information in one connected view. This allows organizations to establish responsible AI practices, assess regulatory and investment risk, understand the impact of change, align AI investment with business strategy and identify opportunities to reuse or rationalize AI capabilities.
How Bizzdesign Alfabet Supports AI Portfolio Governance
Building this view manually through spreadsheets and stakeholder interviews across multiple layers of AI architecture is difficult to sustain at enterprise scale. Bizzdesign Alfabet’s AI Portfolio Management Accelerator provides preconfigured portfolio structures, reports and views that help enterprise architecture (EA) and strategic portfolio management (SPM) teams capture the AI landscape and use it to support governance and decision-making.
- What is our AI portfolio?
Get a comprehensive view of the organization's AI landscape across all four layers: use cases, features, models, and technologies. Up-to-date reports provide a single source of truth about the applications and components providing AI across the enterprise, the overall risk level of AI features, and the approval status of everything in the portfolio. For many organizations, this is the first time they've seen the full picture, including AI that's been running in production without ever going through a formal approval process.

- What are our AI dependencies?
Display a network diagram of the relationships between AI use cases, their supporting features, the models powering them, and the technologies those models provide, spanning from business capability through to AI technology. Use it to perform impact analysis on any change or disruption to the portfolio, whether that's a model being deprecated, a regulatory change affecting a specific jurisdiction, or a compliance question that needs answering fast.

- Where is AI impacting the business?
Display a capability map to identify and manage AI-driven business capabilities, giving a clear picture of where AI is active across the business landscape. Use it to understand which parts of the business already leverage AI and where it could be deployed for market differentiation.
This connects the AI portfolio to business strategy, helping leaders identify where AI is already contributing, where investment may be duplicated and where further adoption could create the greatest strategic value.

These three views help organizations move from documenting AI to actively governing it. They bring portfolio oversight, dependency analysis and business impact into one connected view, giving EA and SPM teams the information needed to guide decisions across the AI portfolio.
A Stronger Foundation for AI Governance
AI portfolio governance depends on seeing AI in its full business and technology context. Connecting use cases and business capabilities to the applications, features, models and technologies behind them gives organizations the traceability needed to understand what they have, how it's being used, and what each decision could affect.
The seven steps in this guide provide a practical route to establishing that connected view. For EA and SPM teams, the result is a stronger foundation for responsible governance and better-informed decisions about risk, investment, reuse, and change across the AI portfolio.
As AI adoption continues to expand, that shared understanding will be essential to keeping business ambition, technology choices and governance aligned.

FAQs
How do I get visibility into all the AI my organization is using?
Start with your application portfolio. Flag all applications that are providing AI features, then document the AI features each one delivers, the models powering them, and the technologies those models rely on. This four-layer structure, covering AI use cases, AI features, AI models, and AI technologies, gives you a complete and traceable picture of AI across the enterprise. Tools like Bizzdesign Alfabet are built specifically to capture and govern this structure, giving organizations a single source of truth for AI usage across the business.
What's the difference between managing an AI portfolio and an application portfolio?
The goals are the same: align investments to business strategy, reduce risk, and keep costs in check. What's different is the entity being governed. An application is a discrete, definable object with a clear owner and a known user base. AI manifests across the organization in multiple forms simultaneously, at the level of the business use case, the feature that delivers it, the model that powers it, and the underlying technology. Each layer needs to be documented and governed separately, which is why AI portfolio management requires its own structure.
What does enterprise architecture have to do with AI governance?
Enterprise architecture defines how an organization's strategy, processes, data, and technology fit together. In the context of AI governance, EA plays three critical roles: it connects AI use cases to business capabilities and portfolio priorities, it establishes the architectural framework and standards for AI adoption, and it ensures traceability from AI use cases all the way down to the underlying technology stack. Without EA, AI governance lacks the structural foundation to be consistent or defensible.
What roles do I need in place to govern AI effectively?
Effective AI governance requires five connected roles. The Application Owner flags AI-enabled applications and defines their AI-driven features. The Technology Architect identifies the technologies behind AI models and categorizes what's in use. The CTO and AI Competency Center ensure adoption stays aligned with business goals. The Enterprise Architect designs the governance framework and sets standards. The Risk and Compliance Manager ensures regulatory compliance across the portfolio. None of these roles works well in isolation, and all five need a shared view of the portfolio to function as a governance system. Bizzdesign Alfabet provides that shared view, with predefined business questions and executive-ready reporting built in.
How do I know if my organization needs an AI governance framework?
If you can't answer basic questions about your AI with confidence, you need one. Specifically: Can you produce a complete list of AI running across the enterprise? Do you know which use cases have been formally approved and by whom? Can you trace any AI feature back to the model powering it and the technology beneath that? Can you show which business priority each use case supports and whether it warrants continued investment? If those questions require significant effort to answer, or produce different answers depending on who you ask, the portfolio isn't under governance.
What is shadow AI and how do I get it under control?
Shadow AI refers to AI tools and workflows being used across the organization without the knowledge or oversight of IT, EA, or risk functions. It typically spreads through embedded AI features, independently acquired tools and business-led experimentation outside formal technology and approval processes. Getting it under control requires enterprise-wide standards that define how AI can be used, by whom, and within what boundaries, combined with a connected view of what's been deployed across the application landscape. Bizzdesign Alfabet supports this by tracking AI-specific attributes across applications and components, making it possible to identify ungoverned AI and bring it into the portfolio.
What are the steps to building a governed AI portfolio?
Building a governed AI portfolio follows seven steps, each one adding a layer of visibility and structure. Start by flagging all applications providing AI features, then document the AI features each one delivers and assess their risk levels. Map those features to their providing applications, then document the AI use cases they support and define the approval process. Create an inventory of approved AI models by location and jurisdiction, map those models to the features and components they power, and finally define the AI technologies being provided by those models. Each step builds on the last, moving from application-level visibility through to a complete, traceable picture of the full AI architecture. Bizzdesign Alfabet's AI Portfolio Management Accelerator is designed to support this process, with preconfigured structures and views that make each step faster to execute and easier to maintain.
Table of contents
More on this



