The full insights are available exclusively to DataIQ subscribers.
Data and AI leaders with a focus on governance and risk from financial services, insurance, retail, manufacturing, consumer goods, government, and energy organisations shared how they are responding to the growing complexity of AI adoption.
The discussion focused on the practical realities of governing AI at scale, such as balancing innovation against risk, adapting governance frameworks for agentic systems, managing third-party AI providers, and creating structures that support rather than hinder adoption.
While maturity levels varied across the organisations represented, a common thread was that organisations are increasingly moving away from centralised control towards federated governance models that embed accountability closer to the business.
The biggest risk is the pace of change
Many leaders felt their governance frameworks were rapidly becoming outdated after they were implemented. Policies written for early GenAI use cases are already struggling to accommodate agents, embedded AI capabilities, and widespread employee access to AI tools.
Several leaders described a constant cycle of updating governance approaches as new capabilities emerge. One leader summarised the challenge as “the biggest risk is the pace of change.”
The implication is that governance can no longer be treated as an annual exercise; organisations are now moving towards quarterly reviews and continuous policy evolution.
Good governance starts with triage, not approval
It was agreed that not every AI use case deserves the same level of scrutiny. Organisations have introduced structured intake processes that assess inherent risk early, before significant investment has been made. Common criteria include:
- Use of personal data.
- Customer-facing impact.
- Third-party dependencies.
- Regulatory exposure.
- Automated decision-making.
Leaders utilising this method explained how lower-risk use cases move quickly through a lighter-touch process, while higher-risk applications receive deeper review.
This approach allows governance teams to focus attention where it matters most, rather than becoming overwhelmed by volume.
Federated governance scales better than central control
As AI adoption expands, purely centralised governance models are proving difficult to sustain. One organisation uses a model involving a central governance function supported by 25 AI leads embedded across functions and regions. These local leaders own compliance and adoption within their areas while maintaining visibility through a shared AI registry.
Other leaders described their own hub-and-spoke structures involving:
- AI champions.
- Model stewards.
- Data owners.
- Functional AI leads.
The common principle was that central teams define standards, but accountability must sit closer to where AI is being used.
Human-in-the-loop remains the dominant control mechanism
Despite excitement around autonomy, organisations are cautious about removing human oversight, and for good reason. Leaders described numerous examples where AI recommendations, code generation, and operational decisions still require explicit human review.
One leader shared an insightful practical lesson from allowing agents too much freedom during development: “The agents deployed everything into the product, and later on we realised something had gone wrong.” In response, the organisation introduced mandatory approval checkpoints, code reviews, and restricted permissions.
The consensus was that human oversight remains essential, although organisations are beginning to question how effective that oversight really is given the rapid pace of change and complexities being addressed.
Prove humans are reviewing decisions
A nuanced discussion emerged around human oversight: several leaders argued that requiring approval is not enough if reviewers simply click “approve” without scrutiny.
One organisation is exploring techniques to create productive friction between AI outputs and human decision-makers: “How do we ensure the human in the loop is efficient?”
This challenge is increasingly important in regulated environments where future audits may require organisations to demonstrate not only that humans reviewed outputs, but also how and why decisions were made.
Sandboxes create safer paths to innovation
Leaders have deliberately created environments where employees can experiment with AI safely, and these sandboxes typically include:
- Limited data access.
- Restricted permissions.
- Token spending controls.
- No production deployment capability.
The goal is to encourage learning without creating unacceptable risk.
Several leaders argued strongly that preventing experimentation entirely simply pushes employees towards shadow AI tools, which drastically increases risk and exposure.
The risk of under-adoption is as important as the risk of misuse
Leaders argued that organisations are now carrying two AI risks: using AI irresponsibly and failing to use AI at all.
Concerns around competitiveness, workforce capability, and falling behind peers if employees are not given opportunities to build AI literacy were highlighted and acknowledged as a near-universal issue.
Governance is no longer seen solely as a matter of controlling risk; it is now about enabling responsible adoption at scale, and this must be communicated across organisations.


