
The CFO's AI Governance Framework: Why This Is Your Problem to Solve

Catherine Hermanto, Director Consultant

The questions are increasingly being asked. Boards want to know the ROI on AI spend. Auditors are starting to ask whether AI touched your numbers. Regulators are moving. And yet, in most organisations I work with, AI governance is still sitting in IT or legal or somewhere other than finance.

Below is the practical framework I use when advising finance leaders to build that governance from the ground up.

You don't need to own AI. You do need to own the governance model that makes AI defensible. --Catherine Hermanto

How Should CFOs Evaluate AI Investments Before Implementation?

One of the things I see repeatedly is AI spend that has grown quite large while ROI has not been properly considered from the start. So before any AI goes live in finance, I always come back to four questions.

  1. Think before you implement. What problem are you solving? Is AI the right tool, or are you chasing a trend? Would you fund this if it weren't called AI?

  2. Cost-benefit with honesty. True cost includes licensing, integration, change management, compliance, and data quality. Hidden cost includes model drift, retraining, and governance overhead. Token cost (volume × complexity × frequency) is a real budget line that almost never appears in the first proposal. BCG's 2025 survey of 280+ finance executives found that only 45% of finance leaders can actually quantify ROI from AI, and where they can, the median sits at just 10%. The CFO's Guide to AI Investment ROI covers how to build a proper business case.

  3. Automation vs AI-native. This is the most important distinction. Process automation follows rules, and therefore standard controls apply. AI-native decisions involve judgment, so new governance frameworks are required. The key question: are you replacing a rule or a judgment?

  4. Trust and governance. Who owns the output when AI generates a number? Can you explain every AI-assisted decision to an auditor? Have you considered model risk, audit trail, regulatory readiness, and human override? I have worked with one of the largest payment companies in the world, and they have not adopted AI at all, because the board decided the data risk outweighs the benefit. At the other extreme, I know a pharmaceutical company that is so far ahead in early AI adoption that it is ahead of practically everyone. Neither is wrong. Be pragmatic about where your organisation sits.

Before getting into the architecture, it is worth being precise about what the CFO owns here. The CFO is not the AI system owner, but the CFO is a co-owner of governance, controls, and audit attestation, sitting alongside the CIO, CRO, and General Counsel.

You need to be in the room when the business makes AI decisions, because whatever is decided will flow into the numbers eventually.

Example role mapping for several finance AI use cases:

Forecasting AI
  Executive Owner: CFO / FP&A Director
  Finance Role: Control owner, assumption reviewer
  External Auditor: Forecast methodology review
  CFO Governance: AI Steering Committee membership

Internal Controls AI
  Executive Owner: CFO / Controller
  Finance Role: Control operator, journal reviewer
  External Auditor: Journal entry population, control testing
  CFO Governance: Sign-off on control adequacy

Pricing / Revenue AI
  Executive Owner: CRO / CCO
  Finance Role: Revenue recognition validator
  External Auditor: Revenue model documentation
  CFO Governance: Board disclosure review

What Are the Five Pillars of AI Governance for Finance?

If AI is already running somewhere in your finance function and governance is not yet in place, here are five pillars to build on. This is not set in stone. Pick and choose whatever applies to your organisation's size and complexity.

Pillar 1 — Organisation and Structure. Document who is doing what. A basic RACI is your starting point. Map where AI is being used, who owns each tool, and where the human checkpoint sits. Establish an AI Steering Committee with CFO representation.

Pillar 2 — Compliance, Legal and Financial Controls. Standard internal controls still apply; they do not disappear because AI is involved. Auditors will expect model documentation, validation evidence, change logs, and records of human override. Build this from day one. On the regulatory side, two frameworks matter most right now:

EU AI Act: Entered into force on 1 August 2024. Article 50 transparency obligations apply from 2 August 2026, and Annex III high-risk obligations are currently expected to move to December 2027 under the May 2026 provisional agreement. The maximum fines for the most serious breaches can reach €35 million or 7% of global annual turnover, depending on the infringement category. Use the EU AI Act compliance checker to classify your current tools as a first step. This takes 20 minutes.

ISO 42001: The world's first certifiable AI management standard (December 2023). It provides a structured, auditable framework for responsible AI governance and complements EU AI Act compliance.

Pillar 3 — Audit and Continuous Monitoring. Anomaly alerts escalate to finance, not just IT. As CFO, you typically own the internal audit mandate, which means AI must be explicitly in scope. Quarterly model validation is the minimum for any AI touching material financial decisions.

Pillar 4 — Security, Infrastructure and Third-Party Risk. Three questions for every AI vendor:

  • Are you notified when the underlying model is updated, and do you re-validate before the next close?

  • Does your vendor use your data to train their models, and what are the IP ownership terms?

  • What happens if your primary AI vendor fails or is acquired? Do you have portability of models and data?

Legal counsel must review every enterprise agreement to confirm where proprietary data is stored, how it is processed, and what the transfer terms say for data leaving the EU. See also: Claude for Finance — What CFOs Need to Know Before They Approve Access.

Pillar 5 — Leadership and Risk Appetite. A risk appetite statement needs to be concrete enough to be enforceable. Here is a worked example:

"We will not deploy AI in fully autonomous mode for any decision with direct customer financial impact exceeding £X without board approval and documented model validation within the prior 90 days."

Set explicit materiality thresholds (a monetary value, a percentage of revenue, or a regulatory impact trigger) above which AI outputs require human sign-off. Report quarterly on AI risk to the audit committee. And be clear on the spectrum: when does AI decide? When does AI recommend? When must a human decide?

Governance must scale with financial materiality rather than be applied uniformly. Here is how I think about it:

FP&A / Forecasting Copilot
  Financial Materiality: Medium
  Control Intensity: Medium
  Governance Intensity: Moderate
  External Audit Focus: Methodology and assumption review

Close Anomaly Detection (journal entries)
  Financial Materiality: High
  Control Intensity: High
  Governance Intensity: High
  External Audit Focus: Population completeness, control testing

Customer-Facing Pricing / Revenue Recognition AI
  Financial Materiality: High + reputational
  Control Intensity: High
  Governance Intensity: Very High
  External Audit Focus: Revenue model documentation, regulatory compliance

Work from the materiality principle and keep governance as pragmatic and as simple as possible.

This is not an exhaustive list — but these are the non-negotiables I come back to for every finance function.

AI Guardrails by Finance Function

Reporting and Close

  • Reconcile all AI outputs to ERP and GL source systems

  • Lock data input dates — never let AI pull live data uncontrolled

  • Cross-check against prior period and budget variance before any number leaves finance

  • Humans sign off before any number leaves finance. Numbers can hallucinate — you still need a sanity check.
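The four Reporting and Close guardrails above can be expressed as a mechanical pre-sign-off check. The following is an added Python example written for this recap, not code from the article or from any product it mentions: it refuses to evaluate AI output that was not produced from the locked data snapshot, checks population completeness in both directions, reconciles every AI-reported balance to the GL within a rounding tolerance, and flags movements against prior period and budget above a percentage threshold. The account names, amounts, snapshot id and both tolerances are constructed for illustration. The function returns exceptions a reviewer must clear; an empty list still does not release the numbers, because human sign-off is always required.

```python
from dataclasses import dataclass

# Tolerances are constructed for this example, not values from the article.
RECON_TOLERANCE = 0.50       # absolute difference tolerated between AI figure and GL (rounding only)
VARIANCE_ALERT_PCT = 0.10    # movement vs prior period or budget above this needs an explanation


@dataclass(frozen=True)
class LockedSnapshot:
    """Source data frozen at the close cut-off; the AI may only read this, never live data."""
    snapshot_id: str
    gl_balances: dict      # account -> balance from the ERP/GL at cut-off
    prior_period: dict     # account -> prior period balance
    budget: dict           # account -> budgeted balance


@dataclass(frozen=True)
class AiCloseOutput:
    """What the AI tool produced, including the snapshot it claims to have used."""
    snapshot_id: str
    balances: dict         # account -> AI-reported balance


def close_exceptions(out: AiCloseOutput, snap: LockedSnapshot) -> list:
    """Return exceptions a human must clear before any figure leaves finance.

    "BLOCK:" items are reconciliation breaks; "REVIEW:" items are variance flags
    that need a documented explanation. An empty list does not release the
    numbers on its own: human sign-off is still required.
    """
    findings = []

    # 1. Locked data input date: the AI must have read the frozen snapshot, not live data.
    if out.snapshot_id != snap.snapshot_id:
        findings.append(f"BLOCK: snapshot mismatch, AI used {out.snapshot_id}, "
                        f"locked input is {snap.snapshot_id}")
        return findings   # nothing below is meaningful against unlocked data

    # 2. Population completeness: every GL account present, no invented accounts.
    for acct in sorted(set(snap.gl_balances) - set(out.balances)):
        findings.append(f"BLOCK: {acct} present in GL but missing from AI output")
    for acct in sorted(set(out.balances) - set(snap.gl_balances)):
        findings.append(f"BLOCK: {acct} reported by AI but does not exist in GL")

    # 3. Reconcile each AI figure to the GL, then cross-check the GL figure
    #    against prior period and budget before the number goes any further.
    for acct in sorted(set(out.balances) & set(snap.gl_balances)):
        gl = snap.gl_balances[acct]
        diff = out.balances[acct] - gl
        if abs(diff) > RECON_TOLERANCE:
            findings.append(f"BLOCK: {acct} AI figure differs from GL by {diff:+.2f}")
        for label, ref in (("prior period", snap.prior_period), ("budget", snap.budget)):
            base = ref.get(acct)
            if base:   # skip accounts with no comparator (or a zero one, to avoid dividing by zero)
                pct = abs(gl - base) / abs(base)
                if pct > VARIANCE_ALERT_PCT:
                    findings.append(f"REVIEW: {acct} moved {pct:.1%} vs {label}")
    return findings


# Constructed sample close data (illustrative accounts and amounts, not real figures).
SAMPLE_SNAPSHOT = LockedSnapshot(
    snapshot_id="close-2026-02-locked",
    gl_balances={"4000 Revenue": 1_250_000.00, "5000 COGS": -610_000.00, "6100 Payroll": -240_000.00},
    prior_period={"4000 Revenue": 1_180_000.00, "5000 COGS": -590_000.00, "6100 Payroll": -238_000.00},
    budget={"4000 Revenue": 1_300_000.00, "5000 COGS": -600_000.00, "6100 Payroll": -210_000.00},
)

# In this constructed output the AI mis-stated COGS by 250, invented a travel
# account, and the (correct) payroll figure is about 14% over budget.
SAMPLE_AI_OUTPUT = AiCloseOutput(
    snapshot_id="close-2026-02-locked",
    balances={"4000 Revenue": 1_250_000.00, "5000 COGS": -610_250.00,
              "6100 Payroll": -240_000.00, "6200 Travel": -15_000.00},
)

if __name__ == "__main__":
    for finding in close_exceptions(SAMPLE_AI_OUTPUT, SAMPLE_SNAPSHOT):
        print(finding)
```

Running the sample produces two BLOCK findings (the invented account and the COGS break) and one REVIEW finding (payroll against budget). The snapshot check comes first and is deliberately terminal: if the tool read live data, reconciling its figures proves nothing about the close.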

AP, AR and Payments

  • Multi-human approval for all payments above threshold

  • Never allow AI to update bank details autonomously — ever

  • Require 2FA and human authorisation for all outbound payments

  • AI must never have autonomous payment execution rights for external transactions

Forecasting and FP&A

  • Declare all assumptions explicitly and review every cycle

  • Use explainable AI only — the CFO must be able to understand why the model produced a number

  • Regularly audit forecast accuracy against actuals

  • AI forecasts are inputs to human judgement, not the final answer

Tax and Compliance

  • Qualified tax professional reviews all AI outputs before any filing

  • Check AI knowledge cutoff against current legislation — regulatory changes do not automatically update model knowledge

  • Human sign-off mandatory before any lodgement

Audit and Internal Controls

  • Maintain a full audit log of every AI interaction with financial data

  • AI cannot bypass existing approval workflows — this should be a hard block, not a soft guideline

  • Document AI use in every audit-relevant process

  • Auditors will ask whether AI was used here, and how the controls worked
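The AP, AR and Payments rules, the audit-log and no-bypass rules above, and the 90-day validation clause in the Pillar 5 risk appetite statement all describe one policy enforcement point that sits between an AI tool and the systems it wants to act on. Below is an added Python example written for this recap (not code from the article or from any product it mentions) that implements such a gate: hard blocks that no approval count or amount can override, the validation-age check, human authorisation plus 2FA for every outbound payment, a distinct-approver requirement above a threshold, and a hash-chained append-only log so that every proposal, allowed or denied, is recorded and later tampering is detectable. The threshold (standing in for the article's "£X"), the 90-day window, and all user ids, model ids, dates and amounts are constructed assumptions.

```python
from dataclasses import dataclass, asdict
from datetime import date
import hashlib
import json

# Policy parameters are constructed for this example; the article's "£X" has no stated value.
PAYMENT_THRESHOLD = 10_000.00       # multi-human approval required above this amount
VALIDATION_WINDOW_DAYS = 90         # model validation must be dated within the prior 90 days
MIN_APPROVERS_ABOVE_THRESHOLD = 2   # distinct humans needed above the threshold

@dataclass(frozen=True)
class Proposal:                     # an action an AI tool proposes; the gate decides, a human executes
    action: str                     # "pay_external", "update_bank_details", "post_journal", ...
    amount: float
    model_id: str
    last_validated: date            # date of the most recent documented model validation
    approvers: tuple                # user ids of the humans who authorised the action
    mfa_verified: bool              # the authorising humans completed 2FA
    via_approval_workflow: bool     # False if the request arrived outside the normal workflow

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

class AuditLog:
    """Append-only, hash-chained record of every AI proposal and the gate's decision."""
    def __init__(self):
        self.entries = []
        self._prev_hash = "0" * 64

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def record(self, proposal, decision):
        entry = {"proposal": asdict(proposal), "decision": asdict(decision), "prev_hash": self._prev_hash}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]

    def verify(self):
        # Recompute the chain: an edited or removed entry breaks every later link.
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def _apply_rules(p, today):
    # Hard blocks first: no amount, approver count or MFA status can override these.
    if p.action == "update_bank_details":
        return Decision(False, "bank detail changes are never AI-initiated")
    if not p.via_approval_workflow:
        return Decision(False, "request bypassed the approval workflow")
    # Risk appetite statement: documented model validation within the prior 90 days.
    age = (today - p.last_validated).days
    if age > VALIDATION_WINDOW_DAYS:
        return Decision(False, f"model {p.model_id} last validated {age} days ago")
    # Outbound payments: human authorisation, 2FA, and multi-human approval above threshold.
    if p.action == "pay_external":
        humans = set(p.approvers)   # the same person approving twice counts once
        if not humans:
            return Decision(False, "outbound payment has no human authorisation")
        if not p.mfa_verified:
            return Decision(False, "outbound payment authorised without 2FA")
        if p.amount > PAYMENT_THRESHOLD and len(humans) < MIN_APPROVERS_ABOVE_THRESHOLD:
            return Decision(False, f"{p.amount:.2f} is above threshold and needs "
                                   f"{MIN_APPROVERS_ABOVE_THRESHOLD} distinct approvers")
    return Decision(True, "within policy; a human executes the action")

def evaluate(p, today, log):
    # Every proposal is logged, whether allowed or denied.
    d = _apply_rules(p, today)
    log.record(p, d)
    return d

# Constructed scenarios (illustrative ids, dates and amounts).
SAMPLE_TODAY = date(2026, 3, 2)
FRESH = date(2026, 1, 15)   # 46 days before SAMPLE_TODAY
STALE = date(2025, 10, 1)   # 152 days before SAMPLE_TODAY

def run_demo():
    # Returns (decisions, log) for the constructed scenarios below.
    log = AuditLog()
    scenarios = [
        Proposal("update_bank_details", 0.0, "ap-bot-v3", FRESH, ("alice", "bob"), True, True),
        Proposal("post_journal", 500.0, "close-bot", FRESH, ("alice",), True, False),
        Proposal("post_journal", 500.0, "close-bot", STALE, ("alice",), True, True),
        Proposal("pay_external", 4_500.0, "ap-bot-v3", FRESH, ("alice",), True, True),
        Proposal("pay_external", 25_000.0, "ap-bot-v3", FRESH, ("alice",), True, True),
        Proposal("pay_external", 25_000.0, "ap-bot-v3", FRESH, ("alice", "alice"), True, True),
        Proposal("pay_external", 25_000.0, "ap-bot-v3", FRESH, ("alice", "bob"), True, True),
        Proposal("pay_external", 100.0, "ap-bot-v3", FRESH, ("alice",), False, True),
    ]
    return [evaluate(s, SAMPLE_TODAY, log) for s in scenarios], log

if __name__ == "__main__":
    decisions, log = run_demo()
    for d in decisions:
        print("ALLOW" if d.allowed else "DENY ", d.reason)
    print("audit chain intact:", log.verify())
```

Two design points are worth noting. The gate never executes anything: it returns a decision and the log entry, and the execution path remains the existing human-operated workflow, which is what "AI must never have autonomous payment execution rights" means in practice. And the hard blocks are checked before any approval logic, so a bank-detail change with two approvers and 2FA is still denied; the control is a property of the action, not of who asked for it.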

For more: AI Strategies CFOs Use to Anticipate Risk

How Should Finance Teams Prepare for the EU AI Act?

EU AI Act Quick Reference and Compliance Checklist

For European companies, here is the practical classification to apply to every AI tool in your finance function:

High Risk — credit scoring, fraud detection, AI in audit decisions → Full compliance programme required. Register the system. Conduct a conformity assessment. Document everything.

Limited Risk — GenAI drafting board reports, FP&A commentary → Disclose AI use. Human sign-off on all outputs.

Minimal Risk — Copilot, internal analysis, summarisation tools → Good practice only. No mandatory obligation, but document usage.

Practical checklist for any high-risk tool:

Governance and policy: AI tool inventory completed; AI Use Policy drafted and CFO-approved; authorisation process defined for new AI tools.

Human oversight: Human review point for every high-risk AI decision; named individual accountable for each use case; no AI figure in a statutory filing without qualified sign-off.

Vendor governance: EU AI Act compliance confirmed for each vendor; contract terms cover audit rights, data use, and incident notification; vendor model documentation reviewed and retained.

Board reporting: Quarterly AI governance statement to audit committee; CFO attestation process established for AI risk reporting.

How Do You Build an AI Governance Framework From Scratch?

For enterprises and growing teams, here are five key steps you can take to set up a framework:

  1. AI Inventory. List every AI tool across finance; record vendor, purpose, data inputs, output type.

  2. Process and Decision Authority. Map which financial processes AI touches; define where AI recommends vs where AI decides.

  3. Data Oversight. Identify what data each AI tool accesses; confirm quality, freshness, and access controls.

  4. Ethical Oversight. Define what AI must never do in your finance function; check for bias in models influencing credit, pricing, or HR.

  5. Compliance Oversight. Map each AI tool to applicable regulation (EU AI Act, SOX, GDPR); maintain audit-ready documentation for every high-risk tool.

For a structured roadmap, see: Short to Long-Term Plan for AI Adoption in Finance

For small teams and solo operators, you do not need a governance committee. You need three habits:

  1. Write it down. Keep a one-page list of every AI tool you use, what you use it for, and what data it sees. Review it monthly. That is your AI inventory.

  2. Set your own red lines. Decide now: what will AI never do without your review? Sending client communications? Filing returns? Approving payments? Write those down.

  3. Check before you trust. Before acting on any AI output, verify the source data, check the logic, and ask: would I be comfortable explaining this decision to a client or a regulator?

One finance director I work with — at a 120-person European SaaS company — ran this exact process in a single afternoon. She listed 11 AI tools across her team in under 30 minutes, found 3 touching financial reporting with no documented controls, and set two red lines the same day. Six weeks later, she passed her annual audit with zero AI-related findings. That is what governance looks like in practice for a lean team.

Regarding agentic AI: I am personally in observing mode, waiting to see more case studies. It is still a real challenge to find someone who understands the AI technology and is also able to implement the accounting and finance rules well. For most teams today, the priority is getting the governance basics right. See also: CFO Agenda 2026 recap.

Two Golden Rules

AI should expand your capabilities, not replace your judgement. For me, AI is just another finance transformation programme. The tool is smarter, quicker, and more powerful than what came before. But it is still a tool.

Treat AI as a new digital employee. You would not give a new employee unlimited access to live systems on day one without onboarding, oversight, and limits. The same logic applies here.

Frequently Asked Questions

What is AI governance in finance?

AI governance in finance is the set of policies, controls, ownership structures, and audit processes that ensure AI tools used in financial functions — including forecasting, reporting, payments, and compliance — produce defensible, accurate, and auditable outputs. It covers who owns each AI tool, how outputs are validated, what data AI can access, and when a human must review or override an AI decision.

Why should CFOs own AI governance?

CFOs should own AI governance because any AI that influences financial outputs, spending decisions, or regulatory filings ultimately flows through the finance function. Boards are asking CFOs — not CIOs or legal teams — to justify AI ROI and attest to the reliability of AI-assisted financial reporting. If an AI-generated number is wrong, the CFO is the one explaining it to auditors and the board.

How does the EU AI Act affect finance teams?

The EU AI Act classifies certain finance use cases — including credit scoring, insurance risk assessment, and AI used in employment decisions — as high-risk. Companies deploying high-risk AI must register systems, conduct conformity assessments, maintain documentation, and implement human oversight. Transparency obligations (Article 50) apply from 2 August 2026. High-risk AI compliance obligations have been provisionally deferred to December 2027, but penalties for non-compliance can reach €35 million or 7% of global annual turnover.

What AI controls should auditors expect?

Auditors increasingly expect to see: a documented AI inventory covering all tools used in financial processes; validation evidence showing AI outputs were reconciled to source systems; change logs recording when models were updated; records of human review and override; and confirmation that AI did not bypass existing approval workflows. The FRC has specifically called for proportionate documentation of AI tools used in audit processes, and that expectation is extending into the finance functions they review.

What is an AI risk appetite statement?

An AI risk appetite statement is a board-approved policy defining the conditions under which AI can operate autonomously in financial processes. A practical example: “We will not deploy AI in fully autonomous mode for any decision with direct customer financial impact exceeding £X without board approval and documented model validation within the prior 90 days.” It specifies materiality thresholds, regulatory triggers, and the reporting cadence to the audit committee.

What is the difference between AI automation and AI-native decisions in finance?

AI automation replaces rule-based tasks and can be governed with standard internal controls. AI-native decisions involve judgment — the AI produces outputs based on patterns rather than explicit rules — requiring model documentation, assumption sign-off, explainability requirements, and human override procedures. Failing to distinguish between the two is one of the most common governance gaps in finance teams.

How do you build an AI inventory for your finance function?

Start with a one-page document listing every AI tool used across finance. For each tool, record: the vendor; what financial process it touches; what data it inputs and outputs; who is responsible for reviewing its outputs; and whether it has been assessed against EU AI Act risk categories. Review monthly. It takes approximately 30 minutes to build the first version and is the single most important governance action a finance team can take today.

What does ISO 42001 mean for CFOs?

ISO 42001 is the world’s first certifiable international standard for AI management systems, published in December 2023. For CFOs, it provides a structured, independently auditable framework for documenting AI governance — comparable to ISO 27001 for information security. It covers risk assessment, data governance, transparency, human oversight, and supplier accountability. It is voluntary but increasingly referenced by auditors and regulators, and it generates the documentation trails that directly support EU AI Act compliance.

About Catherine Hermanto

Catherine Hermanto is a Qualified Chartered Accountant (CA) and Qualified Treasurer (AMCT) with experience across large financial institutions spanning multiple geographies. She advises CFOs and VC-backed startups on governance, treasury, and finance transformation. She previously shared her thinking on treasury governance in Future-Proofing Your Treasury Function.

Connect with Catherine on LinkedIn

This article is based on Catherine's session at the CFO Connect Pro Workshop series. For more on how finance leaders are navigating AI, explore the State of AI in Finance 2026 report and Michiel Boere's session on AI Governance, Automation and Adoption. Want access to future sessions? Join CFO Connect
