Enterprise AI governance involves at least four distinct problems. Most organizations are still treating them as one.
Every major technology wave in enterprise IT has followed the same adoption curve. The technology enters through the bottom, not the top. Individual employees start using it, then teams, then business units, and IT and legal and compliance discover what is happening somewhere around the point where the technology is already deeply embedded in how work gets done. This happened with cloud computing. It happened with mobile devices. It happened with social media in the workplace. Generative AI is doing it again, and the governance frameworks are, predictably, behind.
The gap is not just a timing problem. Generative AI creates a category of governance challenge that previous technologies did not, because the outputs are probabilistic and fluent. When a traditional system fails, the failure is usually visible: a crash, an exception, a figure that is off by orders of magnitude. Numbers that are wrong tend to look wrong. A generative AI system that produces a legally incorrect contract clause, a subtly hallucinated financial projection, or a policy summary that is mostly right but wrong in one consequential detail produces output that looks exactly like correct output. The governance problem is not only "who approved this tool" but "who verified what the tool said."
I wrote about why AI hallucination is a trust calibration problem rather than a purely technical one, and the enterprise governance dimension makes that point even sharper. When a consumer uses a chatbot and gets wrong information, the consequence is usually a personal inconvenience. When an enterprise uses AI output to generate a compliance assessment, a financial analysis, or a legal summary, wrong information has organizational and potentially legal consequences. The scale of harm is different, and the accountability structure is almost never designed to match it.
There are at least four distinct governance problems that organizations need to solve. They tend to get conflated, which is part of why governance efforts stall.
The first is data input controls. What data can employees or systems send to external AI services? This covers more than just the obvious sensitive categories. Internal strategy documents, pre-release financial data, customer behavioral data, and ongoing legal matters all need explicit policies about which AI systems are permitted to process them and under what conditions, including whether the provider retains prompts and whether it may use them for training. Most organizations have not drawn those lines clearly, partly because the list of AI systems employees are actually using is not fully known.
The second is output quality assurance. When an AI system drafts a contract clause, a customer-facing email, or a financial model, who is accountable for verifying it before it becomes a decision or a commitment? This is harder than it sounds because the efficiency argument for AI is that it reduces review time. If every AI output gets the same human review that a human-written document would get, the time savings disappear. Organizations need to develop tiered verification standards that scale review depth to decision stakes. Almost nobody has done this systematically.
The third is model risk. If an AI-generated analysis influences a business decision that turns out to be wrong, how is the error traceable? Traditional software systems produce logs and audit trails from which a decision can be replayed. A generative AI system's prompts, inputs, and outputs can be logged, but the log does not explain how the model arrived at the output, which is essentially opaque. If a strategic recommendation was influenced by biases implicit in the model's training data, there may be no audit trail that exposes it. This is new territory for IS governance and risk management, and the frameworks that exist for auditing algorithmic systems were mostly built with narrower, deterministic AI in mind.
The fourth is vendor risk. AI providers update their models continuously. The model you deployed six months ago is not necessarily the model you are running today. Safety behaviors, output tendencies, and factual accuracy can change between versions. Where a provider offers pinned model versions, pinning buys time but not immunity, because pinned versions are eventually retired. Vendors also change pricing without much notice. Gartner has published extensively on AI governance frameworks and responsible AI as strategic priorities for enterprise risk management, noting that organizations with formal governance programs report higher confidence in AI outcomes, according to research highlighted in their newsroom. My read of their position is that vendor risk is systematically underweighted in current enterprise AI governance thinking, because organizations tend to evaluate an AI vendor once and then treat the product as static.
What strikes me about the current state is how much of it is theater in the specific sense that DiMaggio and Powell described for institutional isomorphism. Organizations are under pressure to "have an AI governance policy," so they write one. The policy exists. The form is there. The substance, actual mechanisms for verifying outputs, managing vendor changes, controlling data inputs, and assigning accountability for AI-influenced decisions, is frequently absent or untested. I wrote about how AI policy often functions as governance theater rather than governance, and the enterprise AI governance landscape is a nearly textbook case of that dynamic.
The organizations that are further along have started by separating the four problems rather than trying to solve them together. Data input controls are a policy and technical controls problem. Output quality assurance is a workflow redesign problem. Model risk is an audit and documentation problem. Vendor risk is a contract and vendor management problem. Each one has different owners, different timelines, and different success criteria. Bundling them into a single "AI governance initiative" usually means the initiative produces a policy document without changing any of the underlying workflows.
The governance problem is genuinely hard, and I am not sure anyone has solved it well yet. But the organizations that are at least asking the right questions (which of our processes now depend on AI output, who verifies that output, what happens if the model changes, and what data we are allowing to leave our environment) are building the foundation for something that could work. The ones that are treating governance as a document to write and a checkbox to check are setting themselves up for the same conversation in two years that they are having now, except with a larger blast radius.