TL;DR: AI governance and ethics fails when organisations stop at principles and never operationalise intake, review, monitoring, and evidence, according to Collibra. Responsible AI only works when governance is embedded across the lifecycle, because post-deployment ethics checks arrive after data, workflows, and business dependence have already hardened.
At a glance
What this is: This is an analysis of why responsible AI programmes fail when governance and ethics are treated as slogans instead of operational workflows.
Why it matters: It matters because IAM, NHI, and autonomous-identity teams all need the same governance pattern: inventory, risk routing, review, monitoring, and evidence across the full lifecycle.
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
Context
AI governance and ethics is the operating model that determines whether AI use cases are approved, traceable, monitored, and accountable. The primary gap is not a lack of principles, but the failure to translate those principles into workflow across data, models, policies, and decisions.
For identity practitioners, that matters because governance problems do not stay inside the AI team. The same lifecycle thinking used for human IAM, NHI governance, and autonomous identity controls has to be applied to AI use cases before the system is deployed and after it starts changing business processes.
This is why the article’s core claim is familiar to security and identity leaders: ethics without governance is a wish list, and governance without evidence becomes theatre. That starting point is typical in organisations that are scaling AI faster than their control model.
Key questions
Q: How should organisations operationalise responsible AI governance?
A: Organisations should treat responsible AI as a lifecycle control, not a policy statement. That means classifying use cases at intake, assigning named owners, routing reviews automatically, linking each system to the data and policies it depends on, and retaining monitoring evidence after deployment. Without those steps, ethics remains aspirational and cannot be defended to regulators or boards.
Q: Why do AI ethics programmes fail after deployment?
A: They fail because the organisation reviews the system too late. By the time a model is live, the data, workflow, and business dependence are already in place, so removing or changing the system becomes expensive and politically difficult. Ethics has to be embedded before development and monitored throughout operation, or it becomes a post hoc justification exercise.
Q: What do security teams get wrong about AI governance inventories?
A: They often inventory only the AI they built themselves and miss embedded AI inside vendor platforms and other shadow AI. That creates a false sense of control because the real decision surface is broader than the visible project list. A useful inventory must cover models, use cases, agents, owners, and the approvals attached to each one.
Q: Who should be accountable when an AI system produces harmful outcomes?
A: Accountability should sit with a named business owner supported by governance, legal, security, and privacy reviewers. If ownership is diffuse, no one can explain the approval, the monitoring state, or the escalation path when something goes wrong. The control model must make accountability explicit before the system is deployed.
Technical breakdown
AI governance lifecycle: why intake is the control point that matters
AI governance only works when use cases are classified before development starts. That intake step determines who reviews the proposal, what data may be used, which risks need escalation, and whether a use case is acceptable at all. Once the model is trained and embedded in a workflow, ethical concerns become harder to unwind because the business has already committed to the system. The article’s emphasis on early review is therefore structural, not procedural. It reflects a basic control truth: approval after deployment is not governance, it is documentation of an already-closed decision.
Practical implication: establish a mandatory intake gate that classifies AI use cases before build work begins.
Accountability workflows for AI models and agents
Accountability workflows connect the AI use case to the data it uses, the policies that apply, the model artifacts involved, and the business owner who is answerable for the outcome. In practice, this is the difference between a governance statement and a defensible control record. The article also recognises that AI agents introduce a broader control problem than static models because agents act across tools and data sources. That means the workflow must track not only model approval but also operational authority, escalation paths, and the reviewer who can stop or change the use case when behaviour drifts.
Practical implication: maintain a live inventory of AI use cases, models, and agents with named business and control owners.
Continuous monitoring for fairness, drift, and policy adherence
Responsible AI is not a one-time certification. Models drift, data distributions shift, and the surrounding business process changes, so the ethical posture of a system can degrade after launch even when the initial approval was sound. That is why the article correctly ties monitoring to governance rather than treating it as a separate analytics function. For identity teams, this mirrors how standing access must be continuously observed after provisioning. The control is effective only if the evidence shows whether behaviour still matches the approved boundary.
Practical implication: define recurring monitoring for policy adherence, drift, and impact signals, then tie exceptions to a documented review path.
NHI Mgmt Group analysis
AI governance fails when organisations treat ethics as commentary instead of control. The article is right that principles alone do not change outcomes, because a code of conduct does not tell reviewers what to approve, what to reject, or what evidence to capture. That gap is visible in every security domain where intent exists but workflow is missing. Practitioners should read this as an operating model problem, not a communications problem.
Responsible AI is converging on the same lifecycle discipline used in identity governance. The strongest programs inventory what exists, classify risk at intake, route review automatically, and retain evidence after deployment. That is exactly the pattern NHI and IAM teams already recognise in access governance, even if the subject has shifted from accounts to models and agents. The implication is that AI governance will be judged by traceability, not statements of intent.
Shadow AI is the governance analogue of shadow IT, and it creates the same visibility failure. If embedded AI inside vendor platforms is omitted from inventory, the organisation cannot claim control over its full AI surface area. That is a governance assumption that fails under scale, because the system under review is no longer a single model but a distributed set of decisions and embedded capabilities. Practitioners need to treat AI inventory as a control plane, not a spreadsheet.
Auditability is becoming the real currency of responsible AI. Regulators, customers, and boards are no longer satisfied by claims that AI is ethical in principle. They want evidence of ownership, decision records, monitoring, and escalation. That moves AI governance into the same accountability model as NHI lifecycle governance and privileged access oversight. Practitioners should assume that if evidence cannot be produced, the control did not exist in practice.
Policy-based review of AI agents will increasingly blur into broader identity governance. Once agents can act across tools and data sources, the question is no longer only whether the model is safe, but whether the actor is authorised to do what it did. That bridges AI governance, NHI control, and human approval design in one workflow. The field is moving toward integrated governance, and programmes that stay siloed will struggle to explain behaviour end to end.
From our research:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- That same survey shows 53% of organisations expect AI to run major portions of their infrastructure autonomously within three years, which is why the control model has to move now, not later.
What this signals
Shadow AI governance: the next programme risk is not a lack of AI ambition but a lack of inventory discipline. If embedded AI and agent activity are not captured in the same control plane as model approvals, the organisation cannot prove what it is actually governing.
With 70% of organisations already granting AI systems more access than human employees, per The 2026 Infrastructure Identity Survey, the governance gap is no longer theoretical. Practitioners should expect AI access review, policy routing, and evidence capture to become baseline requirements in both IAM and AI operations.
The practical signal for identity teams is convergence: AI governance, NHI lifecycle control, and privileged access oversight are moving toward the same operating pattern. Programmes that separate them will struggle to explain ownership, approval, and monitoring when AI systems act inside production workflows.
For practitioners
- Build a pre-development intake gate: Require every AI use case to be reviewed before engineering resources are committed. Capture purpose, data sources, affected populations, risk tier, and named owner so the decision is explicit and traceable.
- Create a live inventory of AI use cases, models, and agents: Include embedded AI in vendor platforms, not just internally built systems. Use the inventory as the source of truth for approval status, control ownership, and review cadence.
- Route reviews automatically by risk tier: Tie high-risk use cases to privacy, legal, security, and fairness checks without manual chasing. Use policy-driven routing so the right reviewers see the right cases at the right time.
- Link approvals to evidence and monitoring: Require every approved use case to retain decision records, monitoring outputs, and exception handling in one place. Continuous evidence should show whether the system still behaves within the approved boundary.
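As an added illustration (not code from Collibra's article or from this post), the four practitioner steps above can be reduced to one small control model: classify at intake, route reviewers by tier, and flag every deployed use case whose owner, approvals or monitoring evidence cannot be produced. The tier thresholds, reviewer groups, field names and sample inventory are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Reviewer groups per risk tier; tier names and reviewer sets are constructed for this example.
ROUTING = {"low": ("security",), "medium": ("security", "privacy"),
           "high": ("security", "privacy", "legal", "fairness")}

@dataclass
class UseCase:
    name: str
    owner: Optional[str]          # named business owner; None is an ownership gap
    purpose: str
    data_sources: tuple           # e.g. ("transactions", "pii")
    affected_populations: tuple   # people whose outcomes the system influences
    source: str                   # "internal" or "vendor-embedded" (shadow AI candidate)
    deployed: bool = False
    approvals: dict = field(default_factory=dict)   # reviewer group -> decision
    monitoring_evidence: tuple = ()                 # retained monitoring outputs

def classify(uc: UseCase) -> str:
    """Intake classification: tier rises with sensitive data and affected people."""
    sensitive = any(s in ("pii", "biometric", "health") for s in uc.data_sources)
    if sensitive and uc.affected_populations:
        return "high"
    return "medium" if sensitive or uc.affected_populations else "low"

def route(uc: UseCase) -> tuple:  # policy-driven routing: who must approve this tier
    return ROUTING[classify(uc)]

def governance_gaps(uc: UseCase) -> list:
    """Evidence check: each entry is a control the organisation cannot prove it has."""
    gaps = []
    if uc.owner is None:
        gaps.append("no named owner")
    missing = [r for r in route(uc) if uc.approvals.get(r) != "approved"]
    if uc.deployed and missing:
        gaps.append("deployed without approval from: " + ", ".join(missing))
    if uc.deployed and not uc.monitoring_evidence:
        gaps.append("no post-deployment monitoring evidence")
    return gaps

def inventory_report(inventory) -> dict:  # every use case, vendor-embedded included
    return {uc.name: (classify(uc), governance_gaps(uc)) for uc in inventory}

# Constructed sample inventory: a governed internal model, an unowned vendor-embedded feature, an intake-stage proposal.
INVENTORY = [
    UseCase("fraud-scoring", "fraud-ops", "score card transactions", ("transactions", "pii"),
            ("customers",), "internal", True, {r: "approved" for r in ROUTING["high"]}, ("drift-2026-06",)),
    UseCase("crm-lead-ranking", None, "vendor feature ranking prospects", ("pii",), (), "vendor-embedded", True),
    UseCase("log-summariser", "platform-team", "summarise app logs", ("app-logs",), (), "internal"),
]
```

Running `inventory_report(INVENTORY)` shows the vendor-embedded feature as the only entry with open gaps: it is live, has no owner, was never routed to its reviewers, and has no monitoring evidence, which is exactly the shadow AI case the inventory step is meant to surface.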
Key takeaways
- Responsible AI fails when ethics is treated as a statement of intent rather than a workflow with owners, reviews, and evidence.
- The biggest control gap is timing, because post-deployment review arrives after the system has already been embedded into business operations.
- Identity and AI governance are converging on the same lifecycle model, where inventory, classification, monitoring, and accountability determine whether the programme is real.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST AI RMF and NIST CSF 2.0 set the technical controls, while the EU AI Act defines the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | | The article centres on AI risk governance across the lifecycle. |
| EU AI Act | | The article discusses risk-tiered oversight and documentation for AI systems. |
| NIST CSF 2.0 | GV.OV-01 | Responsible AI needs ongoing governance and oversight, not one-time approval. |
Assign clear ownership for AI control performance and retain evidence of ongoing oversight.
Key terms
- AI governance operating model: The set of processes, owners, controls, and evidence that determines how AI is approved, monitored, and changed. It is the practical layer that turns policy into action, linking intake, risk review, deployment, and ongoing oversight so the organisation can defend what the system does in production.
- Shadow AI: AI systems or agents that are in use but are not captured in the organisation’s approved inventory or governance workflow. They create visibility gaps similar to shadow IT, but with added risk because decisions may be made, data may be consumed, and outputs may be acted on without formal review.
- Human-in-the-loop control: A governance control that requires a named human reviewer to validate or stop a consequential AI decision. It is only meaningful when the reviewer has enough context, time, and authority to intervene, otherwise it becomes a symbolic checkpoint rather than a real control.
- Policy traceability: The ability to link an AI use case to the policies, data sources, approvals, and evidence that govern it. This traceability makes reviews auditable and helps explain why a system was allowed to operate, which boundary it was expected to respect, and how exceptions were handled.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Collibra: AI governance and ethics: How to build responsible AI from the ground up. Read the original.
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org