Skip to main contentameide
United StatesEnglish
DeutschlandDeutschEspañaEspañolFranceFrançaisItaliaItaliano
Governance

Governance isn't a checklist

AI governance in large organizations doesn't fail because the controls are missing. It fails because the controls are bolted on after the fact.

Francesco Magalini · Founder2 min read

The pattern is familiar to anyone who has shipped enterprise software for more than a couple of years. The platform launches. It works. Six months later risk, compliance, and InfoSec assemble a working group. A checklist appears. A governance team is formed to enforce the checklist. The platform team and the governance team are now in tension because the controls weren't designed together with the system they're trying to govern.

We've spent enough of the last few years inside large organizations rolling out AI to be confident this is the wrong shape. AI governance done as a layer after the system already exists ends up doing one of two things:

  • Blocking work — the controls are too coarse, so teams escalate everything, governance becomes a bottleneck, shadow IT appears.
  • Theatrical work — the controls are too easy to satisfy on paper, so everyone checks the boxes and nothing real changes.

Neither serves the organization.

The thing that actually works

Governance done well isn't a checklist. It's an operating model. Which means three things:

  1. Decisions live where the work happens. The team that ships the model should own its risk position. The team that owns the data should set the access policy. The team that owns the customer relationship should sign off on customer-facing automation. Centralizing all of this in a "governance committee" produces theater, not safety.
  2. The substrate enforces the decisions. If a model is approved for internal-only use, the platform should make external deployment impossible — not "discouraged." If certain data classes can't be retrieved into prompts, the retrieval layer should refuse, not warn.
  3. Audit is a byproduct, not a project. If you have to run an audit, your substrate is broken. The system should be auditable continuously, with the trail produced as a side-effect of normal operation.

This is the operating model the ameide Platform was designed around. It's also why we don't ship a "governance module" — there isn't one, because governance is a property of the whole system, not a feature you turn on.

What this looks like in week one

If you're standing up AI inside a large organization, the first decision worth making isn't which model to use. It's: what does the operating model look like, and which decisions get made by whom? Get that wrong, and no amount of tooling will save you. Get it right, and the tooling becomes an enabler instead of a tax.

We're publishing more field notes from this work over the coming weeks. If you're in the middle of this and want to talk through specifics, get in touch.

About cookies on this site

Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising.

For more information, please review your options. By visiting our website, you agree to our processing of information as described in our privacy statement.