
Why Governance Is Critical to Getting AI Right


 

To better understand how organizations are approaching AI governance, we spoke with Sydney Gelb, Senior Information Security Consultant at K logix. As part of the K logix cyber risk consulting team, Sydney helps organizations build structured, risk-aligned approaches to adopting AI.

As organizations rapidly adopt AI, many are realizing that business innovation is moving faster than oversight. Organizations that are not actively thinking about AI governance are already behind. 67% of CISOs and security leaders we speak with mention having some form of internal AI governance committee in place. While that is an important first step, turning those conversations into practice requires establishing clear policies and consistent governance across the organization.

Sydney explains,

“AI governance is an amalgamation of strategy, legal and regulatory compliance, leadership oversight, and risk management related to the use of AI at an organization. AI itself is a risk, so I like to think of AI governance as a dedicated risk management program specific to artificial intelligence.”

 

Moving Beyond Experimentation

Many organizations began their AI journey with experimentation, whether through internal use cases or employee adoption of tools like generative AI (e.g., ChatGPT, Claude). However, that experimentation has quickly expanded into broader usage across the business.

“Governance becomes a priority when an unknown like AI begins to take shape within organizational agendas and becomes impossible to ignore.”

 

AI is no longer isolated; it is becoming a new security domain that must be governed through appropriate controls, documentation, and behaviors to mitigate risk during adoption.

 

The Risks Organizations Are Facing

“AI is still an unknown, so in and of itself, AI is a risk.”

 

One of the most immediate concerns organizations are raising is data exposure. Sydney explains,

“The biggest risk we hear from customers pertains to data loss. Organizations need to ensure their data is appropriately identified, classified, and tagged to prevent misuse or undetected sensitive data ingestion into unlicensed tools.”

 

 

Trends in the Market

AI adoption is accelerating across organizations, often in ways that extend beyond initial expectations.

Sydney highlights several key trends emerging across customers, including the use of AI copilots for job enhancement such as email templating and document analysis, third-party managed services leveraging AI to enhance detection capabilities, and the use of AI to automate and centralize audit evidence collection.

These use cases show that AI is quickly becoming embedded across business functions, increasing both its value and the need for governance.

 

Where Organizations Are Falling Short

Despite growing awareness, many organizations are still early in their AI governance journey. Sydney explains,

“Some organizations view AI governance as simply a change of paper: if we have a policy, we’re protected. But that’s not the case.”

 

She emphasizes that AI governance is as much about culture as it is about policy.

“It requires awareness and training across the organization to mitigate risks like insider threat and data loss. Educating users on how to use AI and when human intervention is needed is critical to ensuring it is used securely.”

 

In addition, governance must extend beyond security teams.

Sydney notes that organizations need to maintain oversight across the entire business to ensure that all AI tools and third-party capabilities are known and properly inventoried.

 

Where to Start

For organizations early in their journey, governance begins with leadership alignment.

“AI governance starts at the top of the organization, with buy-in from business and security leaders to understand how AI will be used and who is responsible for managing it.”

 

The first practical step is establishing oversight.

She recommends beginning with an AI governance committee responsible for defining guardrails, establishing request and review processes, and documenting parameters for the broader organization.

Sydney adds,

“It can often be useful to bring in an external perspective early to ensure all considerations are addressed proactively rather than retroactively.”

 

 

A New Standard for Responsible AI Adoption

AI governance is quickly becoming a foundational element of modern security and risk programs.

As adoption continues to accelerate, organizations that take a structured approach will be better positioned to innovate while managing risk.

Sydney explains,

“The most difficult part of building an AI program is knowing where to start. Having the right expertise helps organizations develop a roadmap and move forward with confidence.”

 

By combining visibility, policy, and accountability, AI governance enables organizations to adopt AI in a way that is secure, scalable, and sustainable.

 

 

The K logix Cyber Risk Consulting team supports organizations in building and operationalizing AI governance programs, helping define policies, establish oversight, and align AI use with broader security and risk strategies. If you are interested in learning more about AI governance and related AI security services, click here.

 

 
