The AI Governance Imperative
Published On: June 22, 2026

Artificial intelligence has moved far beyond experimentation. What began as isolated testing of generative AI tools has quickly evolved into enterprise-wide adoption. As we have been part of the AI journey with many of our customers, we have observed that organizations are using AI to improve productivity, automate workflows, enhance security operations, and accelerate business initiatives. As adoption continues to expand, many organizations are discovering that innovation is moving faster than oversight.
According to K logix observations, over two-thirds of security leaders report having some form of AI governance committee or oversight group in place. While this represents an important first step, many organizations are still determining how to transform discussions into repeatable processes and policies.
To better understand how organizations are approaching AI governance, we spoke with Sydney Gelb, Senior Manager at K logix, and Sydney Solomon, West Coast Practice Lead at K logix, who help organizations navigate a rapidly evolving AI regulatory and compliance landscape and translate it into actionable governance and security initiatives they can implement.
When AI Becomes Impossible to Ignore
Many organizations entered the AI era cautiously. Initial efforts often centered on employee experimentation with tools such as ChatGPT, Claude, and Microsoft Copilot. What started as individual productivity gains soon expanded into business functions ranging from software development and customer service to security operations and compliance.
As AI capabilities became embedded in everyday workflows, governance became increasingly difficult to postpone. “Governance becomes a priority when an unknown like AI begins to take shape within organizational agendas and becomes impossible to ignore,” says Gelb.
Today, AI is no longer viewed as a standalone technology initiative. It is becoming a new operational and security domain that requires defined ownership and controls.
“AI governance is an amalgamation of strategy, legal and regulatory compliance, leadership oversight, and risk management related to the use of AI at an organization,” Gelb explains. “AI itself is a risk, so I like to think of AI governance as a dedicated risk management program specific to artificial intelligence.”
Organizations that fail to establish governance frameworks risk creating environments where AI adoption expands without visibility into how tools are being used, what data is being shared, and who is responsible for managing associated risks.
The Risks Behind Rapid Adoption
For many organizations, the greatest challenge is not that AI introduces entirely new risks. Rather, it amplifies existing concerns around data security, privacy, compliance, and governance. Among the most common concerns raised by security leaders is the potential for sensitive data exposure.
“The biggest risk we hear from customers pertains to data loss,” Gelb explains. “Organizations need to ensure their data is appropriately identified, classified, and tagged to prevent misuse or undetected sensitive data ingestion into unlicensed tools.”
As AI systems gain access to larger volumes of organizational data, traditional governance practices become increasingly important. Data classification, access management, vendor oversight, and user education all play critical roles in reducing exposure.
At the same time, organizations are facing pressure from executives and boards seeking assurance that AI initiatives are being implemented responsibly. The challenge is compounded by the speed at which adoption is occurring. In many cases, business units are deploying AI capabilities faster than governance teams can assess and monitor them.
What Organizations Are Doing Today
While AI governance programs remain relatively immature across many industries, clear trends are emerging.
The K logix team has observed that organizations are increasingly using AI copilots to assist with document analysis, content generation, and workflow automation. Security teams are leveraging AI-powered detection and response capabilities delivered through managed service providers. Compliance and audit teams are beginning to explore AI as a means of centralizing evidence collection and streamlining assessments.
These use cases offer significant efficiency gains, but they also expand the attack surface and introduce new governance requirements.
As organizations scale AI initiatives, security leaders are recognizing that successful adoption requires more than technology controls. It requires a framework that aligns AI initiatives with business objectives, risk tolerance, and compliance obligations.
The Governance Gap
One of the most common misconceptions Gelb encounters is the belief that governance can be addressed through documentation alone. She comments, “Some organizations view AI governance as simply a change of paper. If we have a policy, we’re protected. But that’s not the case.”
Policies are important, but they represent only one component of a successful governance program. Organizations must also establish awareness, training, accountability, and oversight mechanisms that influence behavior across the enterprise.
“It requires awareness and training across the organization to mitigate risks like insider threat and data loss,” Gelb says. “Educating users on how to use AI and when human intervention is needed is critical to ensuring it is used securely.”
Governance must also extend beyond security teams. Organizations need visibility into all AI systems, applications, and third-party services operating across the business. Without proper inventory and oversight, organizations may struggle to understand where AI is being used and what risks it introduces.
A New Regulatory Reality
As organizations mature their governance programs, they are increasingly looking to established frameworks and emerging regulations for guidance.
According to Solomon, “The NIST AI Risk Management Framework is one of the more useful starting points for organizations because it helps turn AI governance from an abstract concept into something operational. By organizing risk management around the four NIST functions, govern, map, measure, and manage, the framework provides teams with a common structure for understanding where AI risks arise across the AI lifecycle, assessing those risks, and building governance processes that can evolve alongside the technology.”
Global regulations are also evolving rapidly. The European Union’s AI Act, which entered into force in 2024 and introduces obligations in phases through 2026 and beyond, establishes a risk-based approach to regulating AI systems and is expected to influence governance programs worldwide.
At the same time, standards such as ISO/IEC 42001 are providing organizations with structured guidance for managing AI systems responsibly throughout their lifecycle, while helping prepare for evolving regulatory expectations.
Even within the United States, where there is no comprehensive federal AI law, states such as California are helping shape the future of AI governance. Solomon, who resides in California, states, “California is a good example of how quickly AI governance is moving into real-world compliance expectations. Recent privacy and AI developments here point to growing regulatory focus on transparency, the protection of personal information in AI systems, and automated decision-making.” For security leaders, these developments signal that AI governance is rapidly becoming a business requirement rather than a future consideration.
Where Organizations Should Start
Despite the complexity of the challenge, Gelb advises organizations not to overcomplicate the first steps. She notes, “AI governance starts at the top of the organization, with buy-in from business and security leaders to understand how AI will be used and who is responsible for managing it.”
From there, organizations should establish a governance committee responsible for defining guardrails, reviewing proposed AI initiatives, and creating processes for evaluating risk. “It can often be useful to bring in an external perspective early to ensure all considerations are addressed proactively rather than retroactively,” she says.
Ultimately, successful governance programs combine visibility, accountability, and education with a clear understanding of organizational goals. “The most difficult part of building an AI program is knowing where to start,” says Gelb. “Having the right expertise helps organizations develop a roadmap and move forward with confidence.”
Five Steps to Building an AI Governance Foundation
For organizations just beginning their AI governance journey, both Gelb and Solomon emphasize that progress does not require a fully mature program from day one. As Solomon states, “What matters most is creating a foundation strong enough to support responsible AI adoption today but flexible enough to adapt as AI use-cases evolve, business priorities shift, and regulatory expectations continue to take shape.”
1. Establish Executive Ownership
AI governance cannot be delegated solely to security or IT teams. Organizations should identify executive sponsors and define clear accountability for AI-related decision-making.
“AI governance starts at the top of the organization,” says Gelb. “Leadership alignment is critical because AI impacts far more than technology. It affects business processes, risk management, legal considerations, and compliance.”
2. Create an AI Governance Committee
Many successful organizations begin by forming a cross-functional governance group that includes representatives from security, legal, compliance, privacy, risk management, and business operations.
The committee should be responsible for defining acceptable use guidelines, reviewing new AI initiatives, and establishing oversight processes that align with organizational goals.
3. Gain Visibility Into AI Usage
Organizations cannot govern what they do not know exists.
This means identifying approved and unapproved AI tools, understanding where AI capabilities exist within third-party platforms, and maintaining an inventory of AI systems being used throughout the organization.
Without visibility, organizations may unknowingly expose sensitive information, create compliance challenges, or increase operational risk.
4. Develop Policies, Training, and Guardrails
While policies alone are not enough, they remain an important component of governance.
Organizations should establish clear guidance around:
Approved AI use cases
Data handling requirements
Human review expectations
Third-party AI usage
Employee responsibilities
Equally important is ongoing education to help employees understand both the benefits and limitations of AI technologies.
5. Align to Recognized Frameworks
Organizations do not need to build governance programs from scratch.
Frameworks such as the NIST AI RMF and ISO/IEC 42001 provide practical guidance for establishing governance structures, assessing risk, and preparing for future regulatory requirements.
According to Solomon, “Organizations don’t need to build AI governance from scratch. Established frameworks provide a practical path forward, helping teams mature their governance program while keeping it aligned with emerging regulatory expectations and industry best practices.”
Turning AI Into a Sustainable Business Capability
As AI adoption continues to accelerate, organizations that establish governance early will be better positioned to innovate responsibly, satisfy evolving regulatory expectations, and build sustainable AI programs that support long-term business objectives.
While many leaders are still determining where to begin, one thing is becoming increasingly clear: AI governance is no longer a future initiative. It is rapidly becoming a core component of cybersecurity, risk management, and business strategy.
“The conversation around AI is often focused on what’s possible,” says Solomon. “But for organizations, the more important question is whether they are prepared to manage it responsibly. Governance is what turns AI from an experiment into a sustainable business capability.”
Conclusion
While these foundational steps provide a starting point, AI governance is ultimately a journey rather than a destination. As adoption continues to accelerate, organizations that establish governance early will be better positioned to innovate responsibly, satisfy evolving regulatory expectations, and build sustainable AI programs that support long-term business objectives.

