AI & Agentic Systems

Your AI Policy Is Just Your Old IT Policy With AI Pasted In

Almost every AI policy is a find-and-replaced IT acceptable-use policy. DiMaggio and Powell explain why that pattern is not lazy. It is institutional isomorphism.

2026-05-14 · 6 min read · AI & Agentic Systems · Organizational Theory

I opened an AI policy document last month. A large organization, well known, recently published, carefully formatted. I read the first section. Then I read the organization's existing IT acceptable-use policy. The AI policy was the IT policy with "AI" replacing "IT" and "generative AI" replacing "software." The same prohibitions. The same approval workflows. The same reporting structure. The same nobody-will-read-this boilerplate about compliance. The search and replace was not even complete. Two paragraphs still said "IT system" where they should have said "AI system."

I do not think the person who wrote it was lazy. I think the person who wrote it was operating exactly as organizational theory predicts. DiMaggio and Powell (1983) called the mechanism mimetic isomorphism. When an organization faces uncertainty about how to handle a new class of technology, it copies a template from a perceived legitimate source. The perceived legitimate source is the existing IT policy, because that policy already exists, already has institutional approval, already looks like governance. Copying it and changing a few words is faster and safer than designing a governance framework from scratch that actually addresses what makes AI different from enterprise software: opacity, emergent behavior, training data provenance, hallucination risk, and the delegation of judgment.

I wrote about mimetic isomorphism in the context of AI adoption strategies a few days ago, and the framework applies even more cleanly to AI governance than to AI adoption. Adoption at least involves a real decision about purchasing and deploying technology. Policy copying is pure legitimacy seeking. The organization looks like it has an AI governance framework. It has a document. A document is not governance.

The coercive pressure is coming from the outside. The EU AI Act is following the same regulatory playbook as GDPR, a broad extraterritorial regulation with significant fines that forces organizations to create documented governance structures. Organizations respond by creating the documented governance structures. They write policies. They appoint AI ethics officers. They stand up AI review boards. And because the regulation demands evidence of governance rather than evidence of effective governance, the checkbox is checked as soon as the document is published. GDPR did the same thing a decade ago. Every website deployed a cookie banner. The banner said "we value your privacy." The banner was designed to make you click accept without reading. The checkbox got checked. The data collection practices did not change. That is compliance theater, and it is the natural output of coercive isomorphism when the regulator demands documentation but does not audit implementation.

The normative pressure is quieter and I think more insidious. Consulting firms have published AI governance templates. Industry associations have released responsible AI frameworks. Law firms have drafted AI policy language for their clients. The templates are designed by professionals, shared at conferences, circulated through professional networks, and they all look the same because the professionals who write them all read the same sources and attend the same events. Normative isomorphism, DiMaggio and Powell said, comes from professionalization. When every AI ethics officer comes from the same small pool of certification programs and industry working groups, the policies they write will converge. The convergence makes the policies feel like best practice. But best practice does not mean the practice is good. It means the practice is common.

Scott (1995) extended the institutional analysis with three pillars, and the cultural-cognitive pillar is the one that explains why the problem is hard to fix. The regulative pillar is the EU AI Act. The normative pillar is the consulting templates and professional standards. The cultural-cognitive pillar is the taken-for-granted assumption that an AI policy is the same kind of thing as an IT policy. Nobody questions whether AI governance needs a fundamentally different structure, a structure that accounts for emergent model behavior, for the difficulty of auditing black box systems, for the fact that the organization does not fully control what its AI systems will do. The question does not arise because the existing framework, the IT acceptable-use policy with its approval workflows and prohibited behaviors list, is the only framework that makes sense within the organizational frame.

I have seen the AI ethics board version of this too. An organization stands up an AI ethics review board with a charter, a membership list, and a meeting schedule. The board reviews projects. It has never stopped a project. It has flagged concerns that were addressed by adding a line to a risk register. The board exists to demonstrate that ethics is being taken seriously, and the demonstration is the point. The ethics board is the organizational equivalent of the GDPR cookie banner. It signals compliance to external stakeholders. It generates documentation for regulators. It does not change what the organization builds.

This is not cynicism about the people on the boards. Most of them are competent professionals who want to do good work. The problem is structural. When AI governance is designed as an extension of IT governance, the review process inherits the logic of IT project review: scope, budget, timeline, risk category. That logic is not equipped to evaluate whether an AI system can produce outcomes that the organization did not intend and cannot explain. The governance theater produces artifacts that look like governance. The actual governance is missing.

The pattern runs deeper than AI. Institutional isomorphism predicts that any new domain of organizational practice that arrives under uncertainty and regulatory pressure will generate governance templates that are copied from the nearest existing domain. Cybersecurity governance was copied from IT governance. Privacy governance was copied from legal compliance. AI governance is being copied from cybersecurity and privacy governance. Each copy introduces a gap between what the governance artifact claims to do and what it can actually do, and each copy makes the gap harder to notice because the template feels familiar.

The fix is not to write better templates. The fix is to recognize that the first version of any AI governance framework will be dominated by mimetic and coercive pressure, because organizations need to signal readiness before they achieve readiness. The real work starts after the policy is published. That is when the gap between the document and the practice becomes visible, if anyone dares to look. The organization that audits its own compliance theater, that compares its AI policy against what its AI systems actually do, and that rewrites the policy to close the gap, is doing something that institutional theory says is unlikely. But that is the organization that will have governance instead of governance theater.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
