Organizations keep publishing AI governance policies they cannot enforce. Decoupling explains the gap. Isomorphism explains the copying. Neither explains why we keep pretending the policies work.
I read a corporate AI governance framework last week that had seventeen principles, a risk taxonomy, an accountability matrix, and no description of who would enforce any of it. The document was forty-two pages. The enforcement section was a bullet point that said the ethics committee would "provide guidance." I have seen this pattern enough times now that I can spot it from the table of contents. The longer the principles section, the shorter the enforcement section. The gap is not an oversight. It is the structure.
Meyer and Rowan (1977) gave institutional theory the concept I keep reaching for when I see this gap. They argued that organizations adopt the formal structures their institutional environment demands, the myths and ceremonies that signal legitimacy, while their actual work practices follow a different logic. The formal structure handles legitimacy. The operational structure handles efficiency. The two are loosely coupled, and the loose coupling is not a failure. It is the design. Organizations that tightly couple their formal governance to their actual operations create real constraints, and real constraints are expensive. The gap between the governance document and the operating reality is where most AI policy lives.
I need to be careful here. I do not have a local copy of Meyer and Rowan in English, and my understanding of their specific argument about institutional myths and ceremonial conformity is based on how the concept has been summarized and applied in later literature I have read, including Robey and Boudreau (1999), who cite Meyer and Rowan directly for the claim that organizations "tend to conform to institutional models while resisting attempts at reform, even where organizational efficiency is threatened." The decoupling argument, as I understand it from this secondary reference, is that maintaining a gap between formal claims and actual practice is rational from the perspective of institutional legitimacy. The organization needs the governance document to satisfy external scrutiny. It does not need the governance document to dictate how products ship. So the document exists and the products ship anyway. The structure is ceremonial, in the specific sense that Meyer and Rowan intended.
I wrote about ceremonial adoption of AI ethics boards before, and I keep coming back to the same observation from a different angle. The ethics board post focused on who gets to stop a project and who does not. This post is about something wider. It is about what happens when an entire governance apparatus, the policies, the frameworks, the review processes, the accountability matrices, exists to satisfy institutional pressure rather than to govern. The policy gets written. The committee gets formed. The principles get published on the website. And then the organization goes on doing what it was already doing, because the policy was never designed to constrain. It was designed to signal.
DiMaggio and Powell (1983) explain why organizations copy each other's governance structures instead of designing their own. Their three isomorphic pressures map onto AI governance with uncomfortable precision. Coercive pressure comes from the EU AI Act and its regulatory equivalents, which create a legal requirement for documented governance. I wrote about how the EU AI Act functions as institutional theory in real time, hitting all three of Scott's institutional pillars at once. The regulative pillar is the clearest. The Act demands governance artifacts. It demands risk assessments and conformity evaluations and documentation trails. It demands these things because regulators can only measure what they can see, and what they can see is documents. An organization that produces the documents and does not implement the substance has satisfied the visible requirement while leaving the invisible gap intact.
Mimetic pressure drives the content of the documents themselves. When organizations are uncertain about how to govern AI, which almost all of them are, the safest move is to copy whoever appears to have already figured it out. The result is convergence. As I wrote when I discussed AI policy as governance theater, the AI policy at most organizations is a copy of the existing IT acceptable-use policy with "AI" swapped in for "IT." The convergence extends to the frameworks, the principles lists, the risk categories. They look the same because the organizations writing them are all imitating each other under uncertainty, exactly as DiMaggio and Powell predicted.
Normative pressure fills in the details through professionalization. Consulting firms publish AI governance templates. Industry associations release responsible AI frameworks. Law firms produce policy language for their clients. The professionals who write these documents all attend the same conferences, read the same reports, and move between the same companies. When every AI ethics officer has similar training and works in similar professional networks, the policies they write will converge. Normative isomorphism makes convergence feel like competence. It feels like best practice. Best practice does not mean the practice is effective. It means the practice is common.
The three pressures produce organizations that have governance artifacts without governance substance. That is governance theater. The organization performs the role of a responsible AI actor for its regulators, its customers, its investors, and its employees, without the performance changing what the organization actually builds, how it builds it, or what happens when things go wrong.
I think the useful distinction is between performative governance and protective governance. Performative governance exists to satisfy external expectations. It produces the documents, the committees, the principles, and the public commitments that institutional pressure demands. Its function is legitimacy. Protective governance exists to reduce harm. It produces accountability structures that can delay or block product decisions, auditing mechanisms that can detect problems before deployment, and escalation paths that can override revenue priorities when the risk is high enough. Its function is constraint. The difference is not subtle. Performative governance and protective governance require different powers, different reporting lines, different enforcement mechanisms, and different consequences for the people who hold them accountable.
Meyer and Rowan would say that the gap between them is stable as long as external scrutiny is low. Decoupling works because most external observers cannot see the gap between a governance document and an operating reality. Regulators audit documentation. Customers read privacy policies and responsible AI statements. Investors ask about governance during earnings calls. None of these constituencies is well positioned to evaluate whether the governance document actually constrains what gets built. The gap is visible only when something goes wrong, when an AI system produces a harmful outcome that the governance framework was supposed to prevent, and the organization cannot point to any mechanism that would have caught it. At that point the ceremony fails. The legitimacy function collapses. The governance document that was supposed to demonstrate responsibility starts demonstrating the opposite.
I am not sure where the stable equilibrium lands. Meyer and Rowan argued that decoupling is unstable because external scrutiny eventually exposes the gap. I think that is true, but I also think the timeframe matters. An organization can maintain decoupled governance for years before a specific incident makes the gap visible. The EU AI Act may accelerate that timeline by requiring conformity assessments for high-risk systems, which means regulators will look beyond the document to the implementation. Or it may not, because regulators have limited resources and high-risk system classifications are being contested by the companies they are supposed to regulate. The question I keep turning over is whether regulatory pressure can close the gap between performative and protective governance, or whether it will simply produce more elaborate performances.
What I think institutional theory predicts, and what I keep seeing confirmed, is that coercive pressure produces compliance artifacts, mimetic pressure produces convergence artifacts, and normative pressure produces professionalized artifacts. None of these pressures necessarily produces protective governance. Protective governance requires tight coupling between the formal structure and the operating reality. It requires the ethics committee to have authority to stop a product launch, the risk framework to have mechanisms that trigger mandatory review, and the accountability matrix to name actual people with actual consequences. I think the organizations that build protective governance instead of performative governance will be the ones that experienced a specific kind of crisis, one where the governance theater failed visibly and the cost of the gap became undeniable. Until that crisis, the institutional pressure pushes toward performance.