AI Governance — Roles and Responsibilities (RACI)
Project: Sable AI Ltd — AI Governance Framework
Stage: Stage 2 — Governance Foundation
Status: Draft
Version: v1
Date: 2026-03-01
Assumptions: Built on outline assumptions — not verified against real Sable AI Ltd data
1. Purpose
This document defines who is Responsible, Accountable, Consulted, and Informed (RACI) for each AI governance obligation at Sable AI Ltd. It is designed for an early-stage company with a 10–15 person team [ASSUMPTION A-001] and implements the accountability structure in L1-2.4-Governance-Policy-v1.md.
RACI key:
| Code | Meaning |
|---|---|
| R | Responsible — carries out the work |
| A | Accountable — owns the outcome; one person per row |
| C | Consulted — provides input before decision or action |
| I | Informed — notified when complete |
Where a cell shows A/R, the same person is both accountable and the primary doer — common in a small team where role separation is limited.
2. Roles in Scope
[ASSUMPTION] The following roles are assumed to exist at Sable AI Ltd. Actual role titles, reporting lines, and headcount must be verified before operational use.
| Role label | Assumed position | DPO / AI lead status |
|---|---|---|
| CEO | Founder / Chief Executive Officer | Ultimate accountability for all governance matters |
| CTO | Chief Technology Officer | [ASSUMPTION A-015] Acting DPO equivalent; operational AI governance lead |
| Eng Lead | Engineering Lead | Technical implementation and operational controls |
| CS Lead | Customer Success Lead | Customer-facing and candidate-facing compliance obligations |
3. RACI Matrix
3.1 Data Protection and Privacy Foundations
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Maintaining Records of Processing Activities (ROPA) | I | A/R | C | C | UK GDPR Art. 30 |
| Identifying lawful basis for each processing activity | C | A/R | C | I | UK GDPR Arts. 6, 9 |
| Conducting Legitimate Interests Assessments (LIA) where Art. 6(1)(f) relied on | C | A/R | I | I | UK GDPR Art. 6(1)(f) |
| DPIA — initial completion before deployment | A | R | C | I | UK GDPR Art. 35 |
| DPIA — ongoing review and update on material change | I | A/R | C | I | UK GDPR Art. 35; ICO guidance |
| Maintaining Anthropic DPA and sub-processor records | I | A | R | I | UK GDPR Art. 28(3) [ASSUMPTION A-005] |
| International transfer mechanism review (Anthropic) | C | A/R | C | I | UK GDPR Ch. V [ASSUMPTION A-014] |
| Annual data protection policy review | C | A/R | C | I | UK GDPR Art. 5(2) accountability principle |
3.2 Automated Decision-Making (ADM) Safeguards
These obligations arise under UK GDPR Articles 22A–22C as inserted by the Data (Use and Access) Act 2025, section 80, in force from 5 February 2026.
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Maintaining Art. 22A threshold analysis for Scout (is Scout's output a significant decision?) | C | A/R | C | I | UK GDPR Art. 22A(1)(b); DUA 2025 s.80 [LEGAL REVIEW REQUIRED] |
| Designing and maintaining human review workflow | I | A | R | C | UK GDPR Art. 22C(2) [ASSUMPTION A-007, A-012] |
| Monitoring that human review is genuine and not a token gesture | I | A/R | C | I | UK GDPR Art. 22A(1)(a) — "no meaningful human involvement" test |
| Providing candidates with information about ADM logic | I | C | I | A/R | UK GDPR Art. 22C(2)(a) |
| Enabling candidates to make representations about AI-assisted outcomes | I | C | I | A/R | UK GDPR Art. 22C(2)(b) |
| Enabling candidates to obtain human intervention | I | C | R | A | UK GDPR Art. 22C(2)(c) [ASSUMPTION A-007] |
| Enabling candidates to contest AI-assisted decisions | I | C | I | A/R | UK GDPR Art. 22C(2)(d) |
3.3 Data Subject Rights
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Receiving and logging DSARs from customers / candidates | I | A | I | R | UK GDPR Art. 15 |
| Fulfilling DSAR within statutory 1-month period | I | A | C | R | UK GDPR Art. 12(3) |
| Handling erasure (right to be forgotten) requests | I | A | R | C | UK GDPR Art. 17 |
| Handling rectification requests | I | A | R | C | UK GDPR Art. 16 |
| Handling objection to processing requests | C | A/R | C | R | UK GDPR Art. 21 |
| Handling restriction of processing requests | I | A | R | C | UK GDPR Art. 18 |
| Handling data portability requests (where applicable) | I | A | R | C | UK GDPR Art. 20 |
3.4 Bias Monitoring and Equality Controls
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Designing bias monitoring approach for Scout outputs | I | A | R | I | Equality Act 2010 s.19; ICO audit Nov 2024 |
| Running bias tests on Scout outputs at defined intervals | I | A | R | I | ICO AI in Recruitment Outcomes Report (Nov 2024) |
| Reviewing bias monitoring results and determining action | C | A/R | R | I | ICO recommendation — fairness |
| Escalating identified bias or discrimination risk to CEO | — | R | I | I | Equality Act 2010; DSIT Responsible AI in Recruitment guide |
| Ensuring bias monitoring data has a valid lawful basis and is not based on inferred characteristics | I | A/R | C | I | UK GDPR Art. 9; ICO audit Nov 2024 [LEGAL REVIEW REQUIRED] |
| Commissioning external bias audit (recommended cadence: annually) | A | R | C | I | DSIT Responsible AI in Recruitment guide |
3.5 Candidate Transparency
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Maintaining transparency notice template for customers to deploy to candidates | I | C | I | A/R | UK GDPR Arts. 13, 14; ICO audit Nov 2024 |
| Ensuring customers deploy candidate transparency notice before processing | I | I | I | A/R | UK GDPR Art. 13(2)(f) |
| Maintaining plain-language explanation of Scout's screening logic | I | C | A/R | I | UK GDPR Art. 22C(2)(a) |
| Handling candidate requests for explanation of Scout's output or logic | I | C | I | A/R | UK GDPR Art. 22C(2) |
| Updating transparency materials when Scout's logic or data use materially changes | I | A | R | C | UK GDPR Art. 13; ICO guidance on AI |
Template transparency notice provided in L4-5.2-Candidate-Transparency-Notice-v1.md (forthcoming).
3.6 Incident Response
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Detecting and logging potential data protection or bias incidents | I | A | R | R | UK GDPR Art. 33 |
| Classifying incident severity (P1–P3) | C | A/R | C | C | See forthcoming L3-4.3-Incident-Response-Plan-v1.md |
| Notifying ICO within 72-hour window where breach meets reporting threshold | A | R | C | I | UK GDPR Art. 33 |
| Notifying affected candidates where required | A | R | I | R | UK GDPR Art. 34 |
| Notifying affected customers | I | A | I | R | Customer DPA obligations |
| Root cause analysis and remediation | I | A | R | I | Internal governance |
| Post-incident review and policy update | C | A/R | C | I | UK GDPR Art. 5(2) accountability |
Full incident classification, escalation paths, and timelines are defined in L3-4.3-Incident-Response-Plan-v1.md (forthcoming).
3.7 Vendor Oversight (Anthropic and AI Model Providers)
| Responsibility | CEO | CTO | Eng Lead | CS Lead | Regulatory basis |
|---|---|---|---|---|---|
| Annual review of Anthropic DPA and sub-processing terms | C | A/R | C | I | UK GDPR Art. 28(3)(h) [ASSUMPTION A-005] |
| Monitoring Anthropic service status, security notices, and terms changes | I | A | R | I | UK GDPR Art. 28(3)(f) |
| Evaluating new AI model providers before adoption | A | R | C | I | UK GDPR Arts. 28, 35 |
| Approving any new or changed sub-processor | A | R | C | I | UK GDPR Art. 28(3)(d) |
| Maintaining evidence of Anthropic's adequate guarantees (Art. 28(1)) | I | A | R | I | UK GDPR Art. 28(1) |
4. Scaling Notes
This RACI is calibrated for a 10–15 person early-stage team. [ASSUMPTION A-001] As Sable AI Ltd grows, the following changes will be needed:
| Trigger | Required change |
|---|---|
| Processing volume increases significantly (e.g., >50,000 candidates/year screened via Scout) | Assess whether a dedicated DPO appointment is required under UK GDPR Art. 37(1)(b) [LEGAL REVIEW REQUIRED] |
| Series A funding or >25 employees | Engage formal privacy counsel; review CTO DPO-equivalent role; add dedicated compliance resource |
| Enterprise customer contracts with audit rights | Dedicated legal / compliance resource for DPA negotiation, audit support, and customer-specific DPIA reviews |
| EHRC or ICO inquiry or enforcement action | External specialist engagement; CEO assumes direct oversight of regulatory response |
| Addition of any new AI system processing candidate or employee personal data | New DPIA required; RACI to be updated; CEO approval required before deployment |
| Significant change to Scout's model, data inputs, or output logic | Engineering Lead notifies CTO; DPIA review triggered; bias tests re-run |
5. Cross-References
| Document | Relationship to this RACI |
|---|---|
| L1-2.4-Governance-Policy-v1.md | Parent policy — this RACI implements its accountability structure |
| L1-2.1-AI-System-Inventory-v1.md | Defines the AI systems this RACI governs |
| L1-2.2-Risk-Classification-Framework-v1.md | Risk tier informs escalation thresholds in §3.6 |
| L1-2.3-Data-Flow-Map-v1.md | Data flows that Engineering Lead is responsible for maintaining |
| L3-4.3-Incident-Response-Plan-v1.md | (forthcoming) — detailed incident procedure referenced in §3.6 |
| L2-3.4-DPIA-Template-v1.md | (forthcoming) — DPIA that CTO owns under §3.1 |
| L4-5.2-Candidate-Transparency-Notice-v1.md | (forthcoming) — transparency notice that CS Lead deploys under §3.5 |
This document requires review by a qualified UK data protection lawyer before operational use. RACI assignments are built on assumed characteristics of Sable AI Ltd and have not been verified against real company data. See ASSUMPTIONS-LOG.md for a full register of unverified assumptions.