Is your AI governance policy setting you up for failure?
Our team covers where the flaws might be hiding – and how to fix them.
AI is revolutionizing how organizations operate, but with that transformation comes high-stakes risk. Successful AI governance demands far more than a static policy document. It calls for a dynamic policy that serves as the cornerstone to enable an organizationwide framework that stretches from executive leadership to the day-to-day front lines.
AI governance or acceptable use policies not tied to organizational strategies and risk appetite are destined to fail. Too often, organizations develop AI policies in a vacuum and treat them as check-the-box compliance exercises disconnected from operations. These static documents gather dust, unenforced and forgotten, while organizational strategies and the AI capabilities that enable them rapidly evolve. A poorly designed or outdated AI policy isn’t just a blind spot. It’s a vulnerability that can expose organizations to legal, ethical, and competitive fallout. By contrast, an AI policy that serves as the cornerstone of a robust governance framework brings standards to life and unlocks strategic advantage by aligning cutting-edge innovation with responsible oversight.
Following is a breakdown of some of the most common challenges that organizations face with AI governance and how our AI governance team helped clients overcome these issues for sustained future-ready success.
|
AI governance pillar |
|---|
|
Accountability and responsibility Leadership should lead this pillar, with accountability at the executive level. |
|
Where we’ve seen things go wrong |
|
Executives use large language models without regard for the AI policy, which sets a poor tone at the top. Leadership views AI governance as an IT issue and provides minimal strategic input. The organization demonstrates a lack of ownership. Either no one is accountable or there’s accountability by committee, which likely will fail. |
|
Where we’ve seen things go right |
|
Executive-level accountability is enforced with charters for board and management committees. AI governance is embedded into strategic decisions and aligned with values. Regular reporting and briefings are conducted through clear chains of communication and ownership. |
|
Takeaways |
|
AI governance must be championed by senior leaders and embedded into the organization’s overarching strategy and risk appetite, with clear leadership accountability and routine reporting. |
|
AI governance pillar |
|---|
|
Training and awareness This pillar should be clearly tied to organizational strategy, connected to operations, and communicated throughout the organization. |
|
Where we’ve seen things go wrong |
|
AI governance policies exist in isolation, divorced from the organization’s overarching strategy, AI road map, risk appetite, and operational realities. Policies sit stagnant instead of serving as living, breathing documents. Insufficient communication and training render the AI policy ineffective. |
|
Where we’ve seen things go right |
|
Regular, scheduled updates are issued through town halls, newsletters, and targeted training sessions to keep everyone informed on AI policy developments. |
|
Takeaways |
|
AI policies should align with strategic and operational objectives to create a unified governance framework. The organization should issue regular updates, both from leadership and across teams, so everyone understands expectations. Ongoing training should establish clear metrics and consistently monitor and report progress to support improvement and accountability. |
|
AI governance pillar |
|---|
|
Accountability and responsibility Actionable, defined roles, responsibilities, and accountability at the organizational level define this pillar. |
|
Where we’ve seen things go wrong |
|
Policies contain ambiguous roles that either lack distinct accountability or are so diffuse through committees that no one is truly responsible. Policies lack teeth, management violates their principles without repercussions, all of which leads to widespread noncompliance. |
|
Where we’ve seen things go right |
|
AI governance structures are formalized, with specific individuals or teams clearly tasked with oversight. Defined escalation pathways are established to enforce tangible consequences for noncompliance, which promotes consistent adherence. |
|
Takeaways |
|
Programs should designate specific leaders and stakeholders accountable for AI governance, including executive oversight, cross-functional working groups, and subject-matter specialists from relevant domains, such as data science, IT, legal, and risk management. The organization should implement consistent disciplinary measures to uphold credibility and deter policy violations. |
|
AI governance pillar |
|---|
|
Policies and standards This pillar involves approval and inventory of use cases, including regular review. |
|
Where we’ve seen things go wrong |
|
Generic AI policies cover high-level principles, such as security and ethics, without specifics regarding incident response, defined roles and responsibilities, or business objectives. Policies fail to translate ideals into actionable, pragmatic guidelines for day-to-day decisions regarding specific AI use cases. No central system is in place to track or review the status and risk profile of each AI project. |
|
Where we’ve seen things go right |
|
An up-to-date inventory of approved, under-review, and prohibited use cases is maintained for transparency and governance. |
|
Takeaways |
|
AI governance policies should provide clear guidelines on acceptable and unacceptable AI use cases, with established processes for evaluating, approving, and monitoring AI initiatives against these guidelines. A cross-functional review board (including legal, IT, and risk) should periodically assess and update the AI use-case inventory. Organizations should build an evaluation of need into the policy, test the process by moving pilots to production, and include who has decision-making accountability. |
|
AI governance pillar |
|---|
|
Policies and standards Solid controls tied to the organization’s overall risk and ethics framework with regular monitoring and testing characterize this pillar. |
|
Where we’ve seen things go wrong |
|
AI policies exist in isolation, disconnected from enterprise risk management processes, which results in a lack of continual evaluation and adjustment. |
|
Where we’ve seen things go right |
|
AI governance integrates with the company’s enterprise risk management framework. Controls are built in throughout the AI life cycle. Risk and control self-assessments – inclusive of additional risks and continuous monitoring, testing, and risk indicators – are tracked centrally. |
|
Takeaways |
|
Robust AI governance policies should be tightly integrated with the organization’s risk management framework to facilitate continuous monitoring and to determine and execute against the testing strategies aligned to the risks of the use case. |
|
AI governance pillar |
|---|
|
Training and awareness This pillar focuses on regular education and awareness regarding policies, procedures, and technologies. |
|
Where we’ve seen things go wrong |
|
Employees receive either no AI training or generic, one-off AI training, leaving them ill-prepared to handle real-world challenges. |
|
Where we’ve seen things go right |
|
Accessible materials, such as infographics and concise one-pagers, turn the policy into a dynamic, easy-to-reference guide rather than a static document, which can help employees quickly grasp guardrails and understand their roles and responsibilities. |
|
Takeaways |
|
Employees should be engaged in ongoing, focused training programs that are reinforced through targeted messaging and communication so that everyone has a shared understanding of the AI governance policy, its rationale, and their roles. |
|
AI governance pillar |
|---|
|
Policies and standards This pillar revolves around alignment to current and future regulatory requirements. |
|
Where we’ve seen things go wrong |
|
No dedicated function or owner is designated to track regulatory changes across jurisdictions, which can lead to compliance gaps and potential regulatory penalties. |
|
Where we’ve seen things go right |
|
Policies are built to meet jurisdictional standards (such as the European Union’s AI Act) and comply with other risk-based rules. Policies default to the most stringent rule, giving the same rigor regardless of jurisdiction. |
|
Takeaways |
|
The AI governance program should account for all applicable laws and regulations, including extraterritorial requirements as well as emerging regulatory landscapes. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Accountability and responsibility Leadership should lead this pillar, with accountability at the executive level. |
Executives use large language models without regard for the AI policy, which sets a poor tone at the top. Leadership views AI governance as an IT issue and provides minimal strategic input. The organization demonstrates a lack of ownership. Either no one is accountable or there’s accountability by committee, which likely will fail. |
Executive-level accountability is enforced with charters for board and management committees. AI governance is embedded into strategic decisions and aligned with values. Regular reporting and briefings are conducted through clear chains of communication and ownership. |
AI governance must be championed by senior leaders and embedded into the organization’s overarching strategy and risk appetite, with clear leadership accountability and routine reporting. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Training and awareness This pillar should be clearly tied to organizational strategy, connected to operations, and communicated throughout the organization. |
AI governance policies exist in isolation, divorced from the organization’s overarching strategy, AI road map, risk appetite, and operational realities. Policies sit stagnant instead of serving as living, breathing documents. Insufficient communication and training render the AI policy ineffective. |
Regular, scheduled updates are issued through town halls, newsletters, and targeted training sessions to keep everyone informed on AI policy developments. |
AI policies should align with strategic and operational objectives to create a unified governance framework. The organization should issue regular updates, both from leadership and across teams, so everyone understands expectations. Ongoing training should establish clear metrics and consistently monitor and report progress to support improvement and accountability. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Accountability and responsibility Actionable, defined roles, responsibilities, and accountability at the organizational level define this pillar. |
Policies contain ambiguous roles that either lack distinct accountability or are so diffuse through committees that no one is truly responsible. Policies lack teeth, management violates their principles without repercussions, all of which leads to widespread noncompliance. |
AI governance structures are formalized, with specific individuals or teams clearly tasked with oversight. Defined escalation pathways are established to enforce tangible consequences for noncompliance, which promotes consistent adherence. |
Programs should designate specific leaders and stakeholders accountable for AI governance, including executive oversight, cross-functional working groups, and subject-matter specialists from relevant domains, such as data science, IT, legal, and risk management. The organization should implement consistent disciplinary measures to uphold credibility and deter policy violations. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Policies and standards This pillar involves approval and inventory of use cases, including regular review. |
Generic AI policies cover high-level principles, such as security and ethics, without specifics regarding incident response, defined roles and responsibilities, or business objectives. Policies fail to translate ideals into actionable, pragmatic guidelines for day-to-day decisions regarding specific AI use cases. No central system is in place to track or review the status and risk profile of each AI project. |
An up-to-date inventory of approved, under-review, and prohibited use cases is maintained for transparency and governance. |
AI governance policies should provide clear guidelines on acceptable and unacceptable AI use cases, with established processes for evaluating, approving, and monitoring AI initiatives against these guidelines. A cross-functional review board (including legal, IT, and risk) should periodically assess and update the AI use-case inventory. Organizations should build an evaluation of need into the policy, test the process by moving pilots to production, and include who has decision-making accountability. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Policies and standards Solid controls tied to the organization’s overall risk and ethics framework with regular monitoring and testing characterize this pillar. |
AI policies exist in isolation, disconnected from enterprise risk management processes, which results in a lack of continual evaluation and adjustment. |
AI governance integrates with the company’s enterprise risk management framework. Controls are built in throughout the AI life cycle. Risk and control self-assessments – inclusive of additional risks and continuous monitoring, testing, and risk indicators – are tracked centrally. |
Robust AI governance policies should be tightly integrated with the organization’s risk management framework to facilitate continuous monitoring and to determine and execute against the testing strategies aligned to the risks of the use case. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Training and awareness This pillar focuses on regular education and awareness regarding policies, procedures, and technologies. |
Employees receive either no AI training or generic, one-off AI training, leaving them ill-prepared to handle real-world challenges. |
Accessible materials, such as infographics and concise one-pagers, turn the policy into a dynamic, easy-to-reference guide rather than a static document, which can help employees quickly grasp guardrails and understand their roles and responsibilities. |
Employees should be engaged in ongoing, focused training programs that are reinforced through targeted messaging and communication so that everyone has a shared understanding of the AI governance policy, its rationale, and their roles. |
|
AI governance pillar |
Where we’ve seen things go wrong |
Where we’ve seen things go right |
Takeaways |
|---|---|---|---|
|
Policies and standards This pillar revolves around alignment to current and future regulatory requirements. |
No dedicated function or owner is designated to track regulatory changes across jurisdictions, which can lead to compliance gaps and potential regulatory penalties. |
Policies are built to meet jurisdictional standards (such as the European Union’s AI Act) and comply with other risk-based rules. Policies default to the most stringent rule, giving the same rigor regardless of jurisdiction. |
The AI governance program should account for all applicable laws and regulations, including extraterritorial requirements as well as emerging regulatory landscapes. |
Today’s AI environment leaves no room for governance gaps. One lapse can unravel customer trust, spark compliance issues, or derail innovation. The right policy framework can elevate AI from a potential liability to a powerful asset.
Mitigate AI risk with AI governance
If your company is using AI, you need an AI governance plan. We can help.
Contact our AI governance team
If you suspect there are vulnerabilities in your AI governance approach, our team specializes in helping companies build robust, future-ready AI governance – and we can help yours, too.
