The Governance Gap Is Already Open
AI adoption in large enterprises is not waiting for governance frameworks to catch up. Large language model tools are being used by employees across functions. Generative AI applications are being piloted by product and technology teams. AI-assisted development tools are being adopted by engineering teams, with or without formal approval. The capabilities are advancing faster than any board-level governance process was designed to track.
This is not a problem unique to AI. Fast-moving technology adoption has always outpaced governance designed for slower adoption cycles. What makes AI different is the combination of scale, consequence, and opacity. AI tools are being adopted at individual rather than team or departmental level, making the adoption invisible to traditional IT governance processes. The consequences of incorrect or harmful AI outputs can be immediate and material. And the opacity of AI decision-making means that governance processes built to assess whether a control is working cannot readily assess whether an AI system is performing appropriately.
The governance frameworks that enterprise boards currently have for technology risk were not designed for these characteristics. A framework designed to govern technology procurement and deployment does not govern the use of AI tools by individuals. A framework designed for periodic risk assessments does not track the risk profile of an AI system whose capabilities and failure modes change with each model update.
The governance framework that works for enterprise AI operates at the pace of deployment and is calibrated to the actual risk profile of different AI use cases rather than treating all AI uniformly.
A Tiered Risk Model for AI Governance
The starting point for an effective AI governance framework is a tiered risk model that distinguishes AI use cases by the business impact and data sensitivity they involve. Applying the same governance intensity to an AI tool that drafts internal emails and an AI system that supports patient treatment recommendations is both impractical and counterproductive. The administrative burden of over-governance suppresses adoption of valuable low-risk AI use cases. Under-governing high-risk AI use cases creates liability exposure and potential harm.
The tier structure that works in practice distinguishes three categories. Low-risk AI use cases are those where the AI is operating on non-sensitive data, its outputs are reviewed by a human before use, and the consequence of an incorrect output is limited to minor inconvenience or rework. AI-assisted drafting, research summarisation, and code completion in non-production contexts fall here. The governance requirement is awareness and basic hygiene: employees know they are using AI, they review outputs before relying on them, and they do not send sensitive data through unapproved services.
Medium-risk AI use cases are those where the data involved is sensitive, the human review requirement is more demanding, or the potential consequence of an incorrect output is significant but bounded. AI-assisted customer communication, AI-supported analysis used in business decisions, and AI tools integrated into operational processes fall here. The governance requirement includes data handling controls, defined review protocols, and logging of AI-assisted decisions for audit purposes.
High-risk AI use cases are those where AI outputs affect consequential decisions about individuals, handle regulated data, operate in regulated processes, or could cause material harm if incorrect. AI systems supporting hiring, lending, medical, or enforcement decisions fall here. The governance requirement includes pre-deployment risk assessment, ongoing monitoring of system performance and bias, explicit accountability structures for AI-assisted decisions, and mechanisms for individuals to understand and contest AI-influenced outcomes.
The Policy Framework That Enables Adoption Without Bureaucratic Friction
A governance framework that slows the adoption of valuable AI capability is a governance failure as much as one that permits harmful adoption. The policy framework must enable the former while preventing the latter.
The design principle that achieves this is to make the right path the easy path. Employees who want to use AI tools in their work should be able to access a clear policy that tells them what is permitted, what requires approval, and what is prohibited, in language that a non-technical employee can act on without consulting the IT security team. The approval process for medium-risk AI use cases should be lightweight enough to complete in days rather than weeks, and the outcome should be recorded in a system that provides organisational visibility into AI tool adoption.
The policy framework should be maintained and updated frequently, because the AI landscape is changing at a pace that makes an annual policy review cycle obsolete. A new model capability, a new category of AI tool, or a new regulatory development may require policy updates within months rather than years. Designating an owner for the AI policy framework, with the authority and the resources to update it in response to landscape changes, is as important as the initial policy design.
Board-Level Visibility Without Technical Expertise
The governance framework serves no useful purpose if it does not provide the board with meaningful visibility into the organisation’s AI risk exposure and the effectiveness of the controls in place.
Board-level AI reporting does not require the board to understand the technical details of AI systems. It requires that the reporting translate AI risk into the dimensions that boards are equipped to govern: financial exposure, regulatory compliance status, operational resilience, and reputational risk.
The reporting framework that works provides a portfolio view of the organisation’s AI use: the categories of AI use in deployment, the risk tier of each category, the controls in place for each tier, and any incidents or near-misses that have occurred. It also provides a trend view: is the AI use portfolio growing in higher-risk tiers faster than the governance infrastructure can support? Are there categories of use where incidents are accumulating at a rate that suggests the governance controls are insufficient?
This reporting framework does not require deep AI expertise to interpret. It requires the same analytical skills that boards use to assess other operational risk portfolios. Making it available converts board AI governance from a theoretical responsibility into a practical one.
The Monitoring Approach That Operates at Pace
Traditional technology governance monitoring is periodic: quarterly reviews, annual audits, incident-driven assessments. AI systems require continuous monitoring because their risk profile changes continuously. A large language model that is performing acceptably in January may behave differently in March as the model is updated, as the use cases it is applied to evolve, or as the volume and type of queries it processes change.
The monitoring programme for enterprise AI should include automated tracking of AI tool adoption through approved channels, review of AI-assisted decision outcomes in high-risk use cases, and regular assessment of AI system performance against the standards defined in the risk tier assessment. It should also include a mechanism for employees to report concerns about AI outputs: the governance framework depends on human review catching AI failures, which requires a clear path for reviewers to escalate the findings they identify.
The AI landscape in 2023 will not slow down to allow governance to catch up. The governance framework that works is one that is designed to operate at the pace of the landscape, not one that was designed for a technology adoption cycle that no longer applies.