Every large organization I work with has an AI governance document. Very few have AI governance. The gap between the two is the most expensive misunderstanding in enterprise AI right now: leaders believe that because a policy exists, behavior is constrained. It is not. Policy that is not wired into the platform is advisory at best and theater at worst.

This piece lays out the governance model I actually deploy — one that treats governance as a control plane with owners, enforcement points, and metrics, rather than a PDF that engineering has never read.

Why most AI governance fails

The common failure mode is not lack of effort. It is a category error. Teams write governance the way they write a corporate value statement: aspirational, broad, and disconnected from any system that could enforce it. “Models must be used responsibly” is not a control. “No customer PII may be sent to a third-party model endpoint that is not on the approved list, enforced at the egress gateway” is a control.

Three patterns show up again and again:

  • Governance without ownership. A committee approves a policy, then disbands. No single accountable owner exists for any given control, so nothing is maintained as the technology shifts under it.
  • Governance without enforcement. The policy describes desired behavior but there is no gate — no place in the pipeline, the platform, or the network where a violation is actually stopped.
  • Governance without measurement. Nobody can answer “how many AI systems are in production, what data do they touch, and which ones violate policy today?” If you cannot measure it, you are not governing it.

A governance program that fixes these three things will outperform a far more elaborate one that does not.

The operating model

I structure enterprise AI governance as three layers that map to who does what.

Policy layer

A small set of principles and hard constraints, written to be testable. The test for every statement in this layer: could an engineer or an automated check tell whether this is being violated? If the answer is no, it belongs in a values document, not in governance.

Keep this layer short. Ten enforceable constraints beat a hundred aspirational ones. The longer the policy, the more confident I am that none of it is enforced.

Control layer

This is where governance becomes real. Each policy constraint maps to one or more controls, and each control has:

  • a named owner (a person, not a committee),
  • an enforcement point (where the control actually runs),
  • a detection mechanism (how violations are caught), and
  • an exception path (because rigid controls get bypassed, and bypassed controls teach the organization that governance is optional).

Platform layer

Controls should be implemented as platform capabilities, not per-team obligations. If every team has to independently configure logging, data filtering, and access control for their AI systems, most will do it inconsistently and some will not do it at all. The platform team makes the secure path the default path. Governance that requires constant human diligence will fail at scale; governance baked into the platform survives staff turnover and deadline pressure.

Four control domains that matter

Across engagements, the controls that earn their keep cluster into four domains.

Data governance for AI

The first question for any AI system is not “what model?” but “what data, and where does it go?” The controls here:

  • Classification at ingestion. Know the sensitivity of data before it reaches a model. Untagged data is the root cause of most AI data incidents.
  • Egress control. Sensitive data must not leave the trust boundary to an unapproved model endpoint. Enforce this at the network and gateway layer, not by asking developers to be careful.
  • Retention and training-use constraints. Be explicit, and technically enforce, whether prompts and outputs can be retained or used to train models.

Model and endpoint inventory

You cannot govern what you cannot see. Maintain a live inventory of every model in use — first-party, third-party API, and embedded-in-SaaS — with the data it touches and its owner. This inventory is the single most useful governance artifact you will build, and the one most organizations skip.

Identity and access for AI systems

AI systems are non-human identities that act with real privilege, often on behalf of users. They need the same rigor as any other privileged identity: scoped credentials, short-lived tokens, least privilege, and full auditability. I cover this in depth in the identity and Zero Trust article, because it is where agentic systems break most dangerously.

Output and behavior monitoring

Log inputs and outputs for AI systems handling sensitive operations, with the same seriousness as any other security-relevant log. You want the ability to answer, after an incident, exactly what was asked and what was returned.

Tiering: govern by risk, not uniformly

Uniform governance is a tax that pushes teams to route around you. Tier instead.

A practical three-tier model:

  • Tier 1 — low risk. Internal productivity use, no sensitive data, no consequential decisions. Light-touch: inventory it, apply baseline egress controls, move on.
  • Tier 2 — elevated risk. Touches sensitive data or influences decisions about people, money, or access. Full control set, named owner, monitoring.
  • Tier 3 — high risk. Autonomous action, regulated data, or safety-relevant decisions. Everything in Tier 2 plus pre-deployment review, stricter enforcement, and a defined kill switch.

Tiering lets you concentrate scarce security attention where consequences live, and it gives teams a fast path for low-risk work so they do not learn to see governance as an obstacle.

Metrics that tell you it’s working

If governance is real, these questions have answers:

  • What percentage of production AI systems are in the inventory? (Target: near 100%. Reality at the start: usually under half.)
  • What percentage of Tier 2+ systems have a named owner and pass their control checks?
  • How many policy violations were detected and remediated last quarter, and what was the mean time to remediate?
  • How many exceptions are open, and how many are past their review date?

Watch the exception count especially. A governance program with zero exceptions is not strict — it is being bypassed, and you have lost visibility. A healthy program has a steady, managed flow of exceptions that are reviewed and expired.

Where to start

If you are standing this up from nothing, resist the urge to write the perfect policy first. Do this instead:

  1. Build the inventory. You cannot govern the invisible.
  2. Implement egress control for sensitive data. This single control prevents the most common and most damaging incidents.
  3. Assign owners to your Tier 2+ systems.
  4. Write the ten enforceable constraints — and only those — once you can see the landscape.

Governance that ships in this order earns credibility because each step delivers visible risk reduction. Governance that starts with a hundred-page policy earns eye-rolls. The control plane is the product; the document is just its specification.

Related reading

5 min read

Identity and Zero Trust for Enterprise AI Adoption

AI did not introduce a new security model — it introduced a flood of new identities that the old perimeter was never designed to hold. Zero Trust is the model that scales to it. Here is how identity-first thinking applies to enterprise AI.

Identity Zero Trust AI Security
5 min read

Securing AI Agents and Agentic Workflows

Agents turn a model from something that answers into something that acts. That single shift breaks most of the assumptions behind traditional application security. Here is a concrete threat model and a control set for agentic systems.

AI Security AI Agents Zero Trust

Discussion

Comments are powered by Giscus / GitHub Discussions. They appear here once configured — see Configure Giscus in the project README and update GISCUS in src/consts.ts.