By Marcus Reid | Chief AI Strategy Officer | 14 Years in Enterprise Digital Transformation
Fourteen years ago, I watched a bank spend $40 million on a fraud detection system that worked perfectly. The model caught fraud at rates the team had never seen in testing. Six months after launch, it was quietly switched off.
Nobody explained the decision to the engineers. The system had started flagging transactions from the bank’s highest-value customers. Nobody had defined, in advance, what should happen when that occurred. No escalation path. No designated decision-maker. No policy covering the conflict between fraud detection and customer retention. The model did its job. The organization wasn’t ready for what that meant.
That was 2012. I’ve told that story in boardrooms across four continents since then, and every time, someone in the room goes quiet. Because they recognize it. The names change. The industry changes. The dollar figures get bigger. The core problem never does.
AI transformation fails at the governance layer. Not the model layer.
What the Numbers Are Actually Telling Us
Global enterprise AI spending is on track to hit $665 billion in 2026. That figure gets cited constantly as proof that AI adoption is succeeding. It isn’t proof of that at all. It’s proof that organizations are spending.
Whether that spending produces results is a separate question, and the answer is not encouraging. Approximately 73% of enterprise AI deployments fail to meet their projected returns. S&P Global surveyed more than 1,000 firms in 2025 and found that the share of companies that had abandoned AI projects outright jumped from 17% in 2024 to 42% in 2025. In a single year, the abandonment rate more than doubled.
The reasons cited were not technical. Cost overruns without measurable value. Regulatory exposure with no compliance structure in place. And, most commonly, no designated owner for accountability when something went sideways.
McKinsey’s 2025 research tells a similar story from a different angle. 88% of organizations now use AI in at least one business function. Fewer than one-third have scaled it across the enterprise. So we have near-universal adoption at the pilot level and near-universal stagnation at the scale level. The gap between those two things is not a model problem. Engineers are not the bottleneck. The bottleneck lives in the organizational layer above them, where decision rights, risk ownership, and accountability structures either exist or they don’t.
Most organizations, right now, don’t have them.
The Word “Governance” Is the Problem
Nobody gets excited about governance. It sounds like a compliance function. It sounds like a committee that produces policy documents and holds quarterly reviews and generally slows things down without adding value.
That reputation is earned, in part, because a lot of governance actually works that way. But AI governance done wrong and AI governance done right are so different from each other that they almost shouldn’t share a name.
Done wrong: a policy document gets written, approved by legal, posted somewhere on the intranet, and treated as proof that the problem is handled. Done right: governance is operational infrastructure that runs continuously alongside every AI system the organization touches.
The difference, in practice, comes down to three things.
First is inventory. I’ve worked with enterprises that couldn’t tell me how many AI tools were running in production. Not approximately, not roughly. Not at all. Dozens of models deployed across business units, none formally tracked, several making consequential decisions in customer-facing workflows, and no single person with a complete picture. If you don’t know what you’re running, you cannot govern it. You’re just hoping nothing breaks loudly.
Second is lifecycle controls. Models are not static. A model that performs well at deployment degrades as the world changes around it. Data distributions shift. Customer behavior shifts. Regulatory requirements shift. Without formal approval gates at key lifecycle moments, organizations are running on assumptions that expired six months ago and have no mechanism for knowing that.
Third is runtime monitoring. This is the one that almost nobody does, and the gap between testing performance and production performance is real and consistent. A model that passes every evaluation in a controlled environment will behave differently when it encounters actual production data at actual scale. Runtime monitoring catches that gap before it becomes a customer complaint or a headline. The absence of runtime monitoring is how organizations end up surprised by failures that, in retrospect, were entirely predictable.
Deloitte’s 2026 research, drawing on responses from 3,235 senior leaders, found that only 1 in 5 organizations has a mature governance model for autonomous AI agents. Four out of five enterprises are running AI systems capable of taking independent action with no formal structure for controlling what those systems do. That is the actual state of the market.
Five Ways AI Governance Breaks Down
I’ve seen enough failed AI programs to recognize the patterns. The breakdowns are not random. They cluster into five failure modes, and they’re specific enough to diagnose and fix if you know what to look for.
1. Nobody Actually Owns It
The most common failure has nothing to do with technology. It’s the assumption that accountability is implicit rather than assigned. When no single executive owns AI governance, responsibility spreads across IT, legal, compliance, and individual business units. Every team assumes someone else is watching the critical decisions.
Research from Knostic in 2025 puts the numbers in stark terms: 90% of enterprises use AI in daily operations. Only 18% have fully implemented governance frameworks. That 72-point gap represents organizations where AI is making consequential decisions and nobody has formal authority over how those decisions get made or reviewed.
The thing that makes this failure mode so persistent is that it’s comfortable. Diffused accountability means no one person carries the risk. That feels safe right up until something goes wrong, and then it becomes a crisis with no clear owner, which is the worst possible scenario.
2. The Policy Illusion
A lot of organizations have solved this problem on paper. They have AI ethics policies. They have responsible AI principles. They have governance frameworks that were approved by the board, filed with legal, and shared at an all-hands meeting.
And then, sitting right underneath that documentation, they have AI tools running in production with no monitoring, no audit trail, and no escalation path when the system behaves unexpectedly.
I worked with a healthcare system that had a 40-page AI ethics policy. Beautiful document. Genuinely thoughtful. They were also running an AI tool that made patient triage recommendations with zero runtime oversight. Nobody was watching the outputs. Nobody had defined what constituted an error that required human review. The policy said all the right things. The operations ignored all of it.
Governance that exists only in documents is not governance. It’s liability management with extra steps.
3. The Board Doesn’t Know What It Doesn’t Know
Deloitte’s global boardroom survey found that 66% of boards report limited or no AI expertise among their members. NACD’s 2025 survey found that only 27% of boards have formally written AI governance into their committee charters.
This matters because boards are where risk appetite gets defined. When a board lacks the literacy to assess AI risk, it approves initiatives without understanding what oversight infrastructure those initiatives require. Problems accumulate below board level, invisible to the people with fiduciary responsibility, until they’re too large to manage quietly.
By the time a board-level AI failure becomes visible to the board, it’s already a crisis. The window for prevention closed somewhere earlier, in a meeting that the board wasn’t equipped to identify as significant.
4. The Shadow AI Debt
Most organizations are governing AI retrospectively. AI tools arrived through shadow adoption, individual team decisions made before any oversight structure existed. A sales team started using an AI tool for lead scoring. An HR team adopted one for screening. A customer service team deployed one for response drafting. None of it went through a formal approval process because no formal approval process existed at the time.
By the time leadership recognized the scope of what was running, dozens of applications were in production with no accountability owner, no risk classification, and no monitoring in place. The governance challenge is no longer designing a system from scratch. It’s retrofitting oversight onto systems that were never designed to accommodate it.
This is governance debt, and it compounds over time exactly the way technical debt does.
5. Agentic AI Is Running Faster Than the Frameworks
This is the failure mode that is going to define the next two years.
According to Info-Tech Research Group’s 2025 research, 64% of organizations are already experimenting with agentic AI, systems that reason, plan, and execute tasks across multiple steps without human review at each stage. Fewer than 25% have implemented formal monitoring or control mechanisms for those systems.
Traditional governance assumes a human reviews an AI output before a consequential decision gets made. Agentic systems break that assumption completely. They act. Multi-agent systems can exhibit behaviors that no single component would produce on its own. Without defined autonomy limits, orchestration rules, and clear escalation triggers for human oversight, organizations are deploying systems capable of taking consequential actions that no one directly authorized.
If you’re curious how these systems actually differ from conventional AI tools, the complete 2026 guide to agentic AI testing and evaluation walks through how autonomous AI is being evaluated in practice, which is the prerequisite to governing it.
The Regulatory Floor Just Got Higher
For organizations still treating AI governance as a future consideration, 2026 changed the math.
The EU AI Act is fully active. Fines for high-risk violations reach €35 million or 7% of global annual turnover. The Act has extraterritorial reach, meaning any organization whose AI systems affect EU residents faces exposure, regardless of where the organization is headquartered. A US-based company with EU customers is not outside the scope.
In the United States, over 1,100 AI-related bills were introduced in 2025. Colorado, California, and Texas have all enacted requirements covering disclosure, bias prevention, and risk management for AI systems. Boards are now facing genuine fiduciary liability for AI failures in ways that were theoretical two years ago.
The Harvard Edmond & Lily Safra Center for Ethics has tracked how the U.S. regulatory environment shifted between the Biden and Trump administrations, and the key finding is that the underlying compliance exposure didn’t disappear with the shift toward deregulation at the federal level. State-level enforcement is accelerating. The practical conclusion: organizations need governance programs flexible enough to work across overlapping jurisdictions, not programs designed around a single regulatory deadline.
What Governance Actually Looks Like When It Works
The organizations getting this right don’t look like compliance departments that happen to work on AI. They look like engineering teams that built operational infrastructure for AI risk, the same way they built operational infrastructure for security or reliability.
A few patterns are consistent across the ones I’ve seen function well.
Accountability is assigned to a person, not a team. The research is clear on this: when AI governance is a cross-functional responsibility without a named owner, it operates as nobody’s responsibility. One executive needs to own it, with the authority to make binding decisions across business units. The CIO is often the natural fit, but the title matters less than the mandate.
Wharton’s AI accountability leadership research points to JPMorgan as the clearest large-scale example: the head of AI policy reports directly to the CEO, governance involves legal, risk, ethics, and operations as equal stakeholders, and accountability is explicit at every level of the organization. That structure doesn’t happen accidentally. It was built intentionally.
Risk classification is proportionate, not uniform. A content recommendation engine and an AI system making credit decisions are not the same governance problem. Treating them identically wastes oversight resources and, more dangerously, leaves high-risk systems under-supervised while low-risk ones consume disproportionate compliance attention. Effective governance matches oversight intensity to actual risk level. Light-touch for systems that affect preferences. Strong human-in-the-loop controls for systems that affect rights, opportunities, safety, or compliance.
Monitoring is operational, not periodic. The governance programs that catch problems early treat model monitoring the same way engineering teams treat application performance monitoring. Continuous. Instrumented. Tied to escalation paths that trigger defined responses rather than meetings. When a model’s behavior drifts outside defined parameters, the response is a process, not a discussion about scheduling a review.
MIT Sloan’s research on AI leadership identified that executives who succeed at scaling AI share one trait: they treat the challenge as organizational, not technical. Liberty Mutual’s CIO Monica Caldas, recognized by MIT Sloan for AI transformation leadership, built her program on a straightforward premise: you cannot transform technology without transforming the organization alongside it. That is a governance insight. It’s not a model insight.
The NIST Framework: Useful, But Only If You Use It Correctly
Three frameworks dominate enterprise AI governance in 2026. The NIST AI Risk Management Framework is the most widely adopted in the United States. It organizes around four functions: Govern for cross-cutting accountability, Map for contextualizing risks, Measure for continuous evaluation, and Manage for prioritizing responses.
NIST also defines seven characteristics of trustworthy AI: validity and reliability, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy, and fairness with bias managed.
Here’s what practitioners learn quickly about NIST: it is a thinking tool, not a checklist. Organizations that implement NIST literally, checking boxes against the framework categories and filing the documentation, get compliance artifacts. Organizations that use it to build actual operational structures, with owners, monitoring, escalation paths, and review cadences, get governance.
The difference is whether signals trigger decisions. A governance program that identifies drift, classifies incidents, and produces reports that sit in a folder is not functional governance. It is an audit waiting to report on failures that have already occurred. Governance works when a signal produces a response and someone is accountable for both.
A Diagnostic for Finding Where Your Governance Breaks
Most organizations don’t have a complete governance failure. They have a gap at a specific level of their organizational structure. This table helps locate it.
| Level | What It Controls | Where It Usually Breaks |
|---|---|---|
| Board | Risk appetite, fiduciary oversight | No AI expertise, no charter mandate |
| C-Suite | Strategy, investment, executive ownership | No single named accountability owner |
| Business Unit | Use case approval, risk classification | Autonomy without shared standards |
| Product and Engineering | Build standards, testing, deployment gates | Speed incentives override safety checks |
| Operations | Runtime monitoring, incident response | Monitoring present but not actionable |
| Vendors and Third Parties | Third-party AI accountability | No contractual governance requirements |
The failure in most organizations is not at the top or the bottom of this stack. It’s in the middle. The board sets principles. Engineering has coding standards. Nobody connects them. Business unit classification and runtime operations are where governance most commonly goes silent.
Where to Start If You’re Behind
If your organization is in the majority with no implemented governance framework, the single best starting point is an AI inventory. A complete accounting of every model, agent, and AI-enabled tool currently in production. Not what’s been approved. What’s actually running.
This exercise consistently produces three surprises for leadership teams. The number of AI tools in production is significantly higher than anyone estimated. A meaningful portion have no designated owner. Several are making decisions in customer-facing or compliance-relevant workflows that nobody at the leadership level knew were being made by an AI.
From an inventory, risk classification becomes possible. From risk classification, proportionate oversight becomes designable. From oversight design, accountability assignment becomes concrete.
The organizations that start here move faster than organizations that start with policy documents, because inventory creates the facts that every subsequent governance decision depends on.
For teams thinking through the leadership and organizational design side of this, specifically how to restructure decision-making to support AI accountability rather than working around it, the discussion of how AI is reshaping leadership roles and decision rights covers the human side of what governance implementation actually demands from executives.
And if you’re still evaluating which AI tools your organization is actually working with before you build the governance layer around them, the 2026 comparison of Claude, ChatGPT, Grok, and Gemini is a useful starting point for understanding what you’re governing before you govern it.
The Counterargument, and Why It Doesn’t Hold Up Anymore
The case against prioritizing governance goes like this: governance slows innovation. The organizations winning the AI race are the ones moving fast, not the ones building oversight committees. Speed is the competitive variable. Everything else is a cost.
That argument made some sense in 2022. There was genuine first-mover advantage in AI adoption, genuine risk in being slow, and genuine uncertainty about which governance approaches would even prove necessary.
By 2026, the evidence runs the other direction.
S&P Global’s data shows 42% of AI projects abandoned in 2025. The organizations doing the abandoning were almost uniformly the ones that moved fast without governance, accumulated technical debt and compliance exposure, and then couldn’t sustain the investment when the costs became visible. The organizations with mature governance are the ones at scale, because governance reduces the variance that kills programs. Fast-and-ungoverned turns out to be a path to expensive failure, not a path to competitive advantage.
Speed without accountability is just risk that hasn’t been invoiced yet.
Frequently Asked Questions
What does AI governance mean in practical terms for an enterprise?
It means having documented, operational answers to four questions: what AI systems are running, who owns them, what risks they carry, and what evidence exists for oversight. Without all four, you have AI in production and no governance around it. In practice, that means maintaining an AI inventory, classifying each system by risk level, assigning named accountability owners, and running continuous monitoring with defined escalation paths.
Why do so many AI projects fail before reaching full deployment?
The failure is almost always organizational rather than technical. Unclear accountability, undefined risk ownership, conflicting priorities between business units, and no agreed criteria for what constitutes a successful deployment are the consistent causes. McKinsey’s 2025 data shows 88% of organizations using AI somewhere, but fewer than one in three have scaled it enterprise-wide. The bottleneck is never the model. It’s the governance structure around the model.
What is the actual difference between AI ethics and AI governance?
AI ethics is about principles: what the organization believes about fairness, transparency, and accountability. AI governance is the operational machinery that enforces those principles in live systems. An organization can have a genuinely thoughtful AI ethics program and no functional governance at all. The gap between them is where most AI failures actually occur.
How does the EU AI Act affect companies based outside Europe?
Extraterritorial reach is built into the Act. Any organization whose AI systems are used by or affect EU residents falls within scope, regardless of where the organization is headquartered. A US-based company with EU customers, EU employees, or AI systems that operate across EU borders faces real exposure. High-risk violations carry fines up to €35 million or 7% of global annual turnover, whichever is higher.
What is the first concrete step for an organization starting from scratch?
Build an AI inventory before doing anything else. Identify every AI tool and model currently running in production, who deployed it, what decisions it influences, and whether anyone formally owns it. This exercise typically reveals that more is running than leadership knew, much of it without accountable ownership. The inventory creates the factual foundation that every subsequent governance decision requires.
How should a board approach AI governance oversight without deep technical expertise?
Boards don’t need to understand model architecture. They need to understand AI risk at the strategic level: what the organization’s exposure is, what the accountability structure looks like, and what the incident response plan covers. Formally writing AI governance into committee charters, as only 27% of boards have done according to NACD’s 2025 survey, is the starting structural commitment. After that: regular briefings on significant AI incidents, defined risk appetite for high-stakes AI use cases, and clear escalation paths when those boundaries are approached.
What makes governing agentic AI harder than governing traditional AI systems?
Traditional AI governance assumes a human reviews the output before a consequential action is taken. Agentic systems break that assumption. They act across multiple steps without requesting human approval at each stage. That means the control mechanisms need to be built upstream, before deployment: what decisions can the agent make independently, what triggers a pause for human review, and who is accountable for actions the agent takes without being directly instructed. Most current governance frameworks were not designed with this model in mind.

