Enterprise AI governance frameworks presuppose that the deploying organisation has sufficient knowledge of its AI systems to govern them. A system is characterised at deployment; its parameters are registered, its authority ceiling is set, and its governance obligations flow from this initial characterisation. The presupposition is workable for systems that are fully specified by the deploying organisation. It fails structurally for systems whose behaviour is materially determined by a foundation model: a large-scale pre-trained model provided by an external party, whose training data, capability boundaries, known failure modes, and post-deployment update schedule are partially or wholly opaque to the deployer. Foundation model-dependent systems are governed at deployment on the basis of a characterisation that the deploying organisation cannot fully verify, against a capability profile that the provider can update without notice, using a failure mode taxonomy that the deployer cannot independently derive. The governance basis for these systems is therefore structurally weaker than that for systems that the deployer fully specifies — not because the deployer has failed to perform due diligence, but because the information required to fully characterise a foundation model is structurally unavailable to the deployer, regardless of what the provider discloses. This paper names and formalises that condition as the Foundation Model Dependency Governance problem and introduces a three-obligation framework for governing enterprise AI systems under foundation model dependency. The Foundation Model Characterisation (FMC) obligation specifies what the deploying organisation must establish and document about the foundation model at deployment, working from available provider disclosures, independent evaluations, and internal testing, and provides a structured five-dimensional characterisation protocol. The Behavioural Boundary Assessment (BBA) obligation specifies how the deployer monitors system outputs against the characterised model profile at runtime, detecting drift that may indicate an unannounced foundation model update or an emergent breach of the capability boundary. The Dependency Change Governance (DCG) obligation specifies what triggers mandatory re-characterisation and how the deployer detects provider model updates in the absence of notification. The paper also introduces the Opacity-Adjusted Governance Calibration principle: governance intensity for a foundation model-dependent system should be calibrated inversely to the foundation model’s transparency. The paper analyses five major governance frameworks, demonstrating that none specifies deployer-level governance obligations adequate to the foundation model dependency condition.
M Maruf Hossain (Sat,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: