Committees without substance. Governance without bite. MASTER-AI ™ is a practical, six-domain framework for AI governance — grounded in ISO 42001 and the EU AI Act — built for boards who need to move from "we have a policy" to "we can prove it."
MASTER-AI ™ is a six-domain framework that maps the technical and organisational disciplines required to govern AI responsibly. It draws together the common threads in multi-jurisdictional laws and standards — including ISO 23894, ISO 27001, ISO 42001, the EU AI Act, the NIST AI RMF, and the UK's sector-based, pro-innovation approach.
Each of the six domain names forms the MASTER acronym — Model lifecycle, Algorithm explainability, Supply chain, Trusted data, Engaged humans, and Risk management — and together they feed into a central governance function, built on people, process, and technology, aligned to ISO/IEC 42001:2023, the world's first international standard for AI management systems.
Even the emerging standards have much more to say about how to structure AI governance than they do about the critical actions and technical controls to put in place. MASTER-AI ™ is not process theatre. It is the practical layer that sits on top of the standards — the actionable steps.
Every AI system has a lifecycle — trained, deployed, monitored, updated, and eventually retired. Most organisations have a clear picture of the deployment moment, and a much hazier picture of everything before and after. For boards, the key question is whether management has a model inventory — a documented register of every AI system in use, its purpose, its risk classification, and its current governance status. Without an inventory, you cannot govern what you cannot see.
When someone asks "why did the AI decide that?", can you answer? Explainability is not just a regulatory requirement under the EU AI Act — it is a basic condition of accountability. If your AI can make a consequential decision but no one can explain the reasoning behind it, you have a governance gap regardless of what the regulations say. This domain covers both technical explainability and operational explainability — communicating outputs to affected individuals in plain language.
Most organisations do not build their own AI — they buy it, licence it, or deploy it through third-party platforms. This does not reduce your governance obligations; it extends them. The EU AI Act is explicit: your compliance exposure includes the AI your vendors supply. Supply chain governance asks what AI is embedded in the software you purchase, and whether your contracts include appropriate representations about model safety and compliance. This is one of the most underdeveloped — and most material — risk areas in most organisations.
AI is only as good as the data it learns from and operates on. Poor data quality, unrepresentative training sets, and inadequate lineage tracking are among the most common root causes of AI failures — including the discriminatory outcomes that attract regulatory and reputational consequences. Trusted data governance covers data quality, training data documentation, bias detection, lineage, and alignment with GDPR. For organisations with existing data governance, the challenge is extending those frameworks explicitly to AI use cases.
AI governance is not a technology problem. It is a people problem. The most sophisticated technical controls will fail if the humans who interact with AI systems do not understand what they are doing, or feel empowered to challenge it. This domain covers AI literacy, human-in-the-loop design, and escalation pathways. It also covers leadership. An organisation that treats AI governance as a compliance burden to delegate to legal will produce compliance-on-paper. Leadership that genuinely engages with AI risk produces governance that actually works.
The final domain brings the other five together into a structured risk management approach — connecting AI governance to your existing enterprise risk framework, internal audit function, and board reporting. Risk management for AI covers classification, impact assessments, incident response, and ongoing monitoring cycles. ISO 42001 provides the management system architecture for this domain — a systematic, auditable approach that organisations can implement proportionately to their size and context.
AI literacy obligations came into effect in February 2025. Governance rules for general-purpose AI models — the kind your organisation almost certainly uses — became applicable in August 2025. Penalties for non-compliance, up to €35 million or 7% of global annual turnover, are already live.
On 7 May 2026, EU lawmakers agreed via the Digital Omnibus on AI to extend the Annex III high-risk compliance deadline from August 2026 to 2 December 2027 — a 16-month extension, pending formal adoption. If your organisation deploys AI in hiring, credit decisions, customer service, healthcare, or other regulated contexts, this is welcome breathing room — but not a clean break from obligation. Many of the same systems are already subject to GDPR, which regulators are enforcing in the AI context right now.
Customers, employees, partners, and investors are forming views about which organisations handle AI responsibly. Organisations that establish demonstrable, structured AI governance now will attract talent, win procurement processes, and retain stakeholder confidence through the inevitable incidents ahead.
From the private equity (PE) governance side, weaknesses in AI governance can delay, dilute, or even derail an exit. It has become a valuation issue, not just a compliance one — and the organisations that appoint governance leadership early are the ones that handle this well.
A coherent compliance posture requires fluency across multiple standards and regulatory frameworks — some mandatory, some voluntary, all consequential. MASTER-AI ™ draws the common threads together.
ISO/IEC 42001 is the world's first international standard for AI management systems. It covers governance, risk assessment, data practices, model lifecycle, transparency, and 38 specific controls across ten clauses — the foundation of any credible AI governance programme.
The EU AI Act is the EU's landmark mandatory regulation, imposing risk-based obligations on AI providers and deployers — with significant requirements for high-risk systems. ISO 42001 provides a strong foundation for compliance, though it is not yet formally harmonised.
AI systems generate new attack surfaces and data risks. ISO 27001 integration is essential for organisations managing personal data through AI — ISO 42001 is explicitly designed to complement it.
The NIST AI Risk Management Framework (AI RMF), from the US National Institute of Standards and Technology, covers the Govern, Map, Measure, and Manage functions across the AI lifecycle — particularly relevant for organisations with US regulatory exposure or US federal sector clients.
ISO 23894 gives guidance on AI-specific risk management and supplies the conceptual underpinning for risk assessment within an ISO 42001 programme — integrated into practical risk registers and treatment plans your teams can actually use.
The UK's context-specific, pro-innovation regulatory approach assigns AI oversight to existing sector regulators — financial services, healthcare, critical infrastructure. MASTER-AI ™ maps what this means for your specific sector.
Implementing governance across all six MASTER-AI ™ domains requires expertise at the intersection of technology leadership, risk management, legal and regulatory knowledge, and organisational change. That combination is rare — and almost never available in-house in organisations that haven't already built a dedicated AI function. A Fractional Chief AI Officer exists precisely to fill this gap.
Where are you across each MASTER-AI ™ domain today? What is your model inventory? What does your supply chain look like? Honest answers to these often-uncomfortable questions are the starting point for everything else.
What policies, processes, and controls do you need? How does AI governance connect to your existing risk framework? What does "good" look like for an organisation of your size and complexity?
Not every organisation needs full ISO 42001 certification — but the discipline of working towards it, documenting AI systems, establishing controls, and conducting management reviews produces genuine governance maturity.
Perhaps the most important function is board-level advisory. AI governance needs a voice in the boardroom that is fluent in both the technical realities and the strategic implications — without the cost of a permanent executive hire.
David Viney is a Fractional CIO and AI Transformation Director with over 25 years' experience leading enterprise technology and transformation programmes at the BBC, Arup, BSI, Heathrow, and WPP — where he built WPP Open, a £250m agentic AI platform.
He developed the MASTER-AI ™ framework to give boards and leadership teams a practical, six-domain structure for AI governance — translating ISO 42001, the EU AI Act, and the NIST AI RMF into concrete actions, documentation, and evidence an auditor can rely on. He serves on the AIGAS (AI Governance Standards) board and is engaged with the LBS Data Science & AI Institute on the intersection of AI strategy and organisational change.
He holds ACA (ICAEW) and CITP (BCS) qualifications and has served as a board trustee in the human rights and international development sectors for over a decade.
The organisations I see handling AI governance well are the ones that appointed governance leadership early — not after the AI estate had grown too large and too complex to audit. The ones struggling are the ones that treated governance as something to bolt on later.
Every AI initiative you launch in the absence of governance — every model you deploy, every vendor you onboard, every data set you train on — adds to the compliance and reputational liability you will eventually need to address. AI adoption and AI governance must develop together, in parallel.