A Practical Framework for Governing AI in Customer Support

Why AI customer support needs a governance framework

Customer support AI operates in a context where errors have direct consequences. A wrong answer about a return policy may cost the customer money. A missed escalation condition may leave an angry customer waiting. An incorrectly processed account change may be difficult to reverse. The volume at which AI operates — thousands of queries per day — means that even a small error rate produces a large absolute number of customer-facing mistakes.

Governance is the system that keeps the error rate measurable, the policy response proportionate, and the error impact bounded. Without it, you find out about accuracy problems through customer complaints — after errors have already reached customers at scale.

A governance framework does not prevent AI from being useful. It makes it possible to scale AI confidently — by giving you the measurement, enforcement, and audit mechanisms to know when automation is working and when it is not.

Component 1: Accuracy measurement

The foundation of any AI governance framework is an objective, current measure of accuracy. Not resolution rate. Not CSAT. Accuracy — whether the AI's response was factually correct and operationally appropriate — measured per support category.

This is the function of FortiVault's AI Trust Score. It aggregates response accuracy, human override rate, connector call reliability, and escalation rate, calculated independently for each category: billing, returns, login, technical support, product FAQs. The score updates continuously as FortiAgent handles real conversations — it is not a benchmark score measured in a lab. It reflects current performance in your environment.

The practical implication of per-category measurement: you cannot govern AI customer support with a single platform-wide accuracy number. An AI that is 88% accurate on billing queries and 96% accurate on shipping queries does not have an "average accuracy" that tells you anything useful about billing automation safety.

• Measure accuracy per category — not as a single aggregate
• Base accuracy on observed outcomes — human override rate, correction content
• Update continuously — a score from last month does not reflect today's performance
• Separate accuracy metrics from resolution rate — resolved does not mean correct

Component 2: Automation policy enforcement

Once you have per-category accuracy measurement, you can build automation policy on top of it. The policy question is: what accuracy level is required for each category to automate without human review?

The answer varies by category risk. Billing queries require a higher accuracy threshold than product FAQ queries. Account changes require a higher threshold than order status lookups. The governance framework should define these thresholds explicitly — and the system should enforce them automatically, not rely on manual review of a dashboard.

Automation gating is the enforcement mechanism. FortiVault checks the current Trust Score for the query category against the configured threshold before every response is sent. If the Trust Score is below the threshold, the response enters the human review queue — regardless of how confident the AI appears about that specific response.

Component 3: Human review

Human review in a governed AI system is not a manual process bolted on when something goes wrong. It is a structured step in the response workflow, triggered automatically by the governance layer when accuracy does not meet the threshold.

The review queue should give reviewers everything they need to make a meaningful review decision: the FortiAgent draft, the knowledge source it retrieved, the connector data it used, the guidance rules that applied, and the automation gate state at the time of the response. A reviewer who approves a response without seeing the full decision context is not performing meaningful governance — they are rubber-stamping.

Critically, review actions must be logged. An approval is a data point. A correction is a data point with higher signal value. Both feed the Trust Score calculation. Both contribute to the accuracy model that determines whether the category moves toward or away from the automation threshold.

• Review is triggered by the governance layer — not by manual scheduling or incident reports
• Reviewers see the full decision context, not just the draft response
• Review actions are logged and feed the accuracy model
• Review queue volume is a leading indicator of category accuracy health

Component 4: Auditability

The fourth component is the record — the per-decision audit trail that makes it possible to investigate an error after the fact, demonstrate what happened to a customer or a compliance team, and identify the root cause of accuracy degradation.

The audit trail should be immutable and created at decision time. It should capture the knowledge source version, connector call details, rule application, automation gate state, and any review actions. It should be queryable by category, date range, automation state, and outcome.

From a governance design perspective, the audit trail is also the accountability mechanism. It makes it impossible to claim that AI governance is in place while operating without one. If there is no per-decision record, there is no governance — there is only policy intent.

Governance by category: why a single policy is not enough

The most common governance mistake in AI customer support deployments is applying a single automation policy to all query types. Full automation across all categories, or blanket human review across all categories, or a single accuracy threshold that applies regardless of category risk.

The right governance design is category-specific. Different categories have different accuracy requirements, different risk profiles, and different improvement timelines. A governance framework that treats them identically is not actually governing the risk — it is applying uniform rules to non-uniform situations.

In practice, this means your billing category should have a higher automation threshold than your FAQ category. Your account change category should require a higher Trust Score than your order status category. And your escalation configuration should be defined per category — not as a single set of conditions that applies across all query types.

FortiVault's governance layer is built around this principle: every governance decision — threshold, review trigger, audit record — is category-specific. The platform surfaces category-level data because category-level governance is the only governance that actually manages the risk.