TL;DR: AI governance capacity is becoming a structural constraint as 73% of leaders cite technical skill gaps, 85% of companies offer AI training, and 41% of executives see separate data and AI governance models as a barrier, according to Deloitte, KPMG, and MIT Technology Review Insights with Databricks. The governance challenge is moving from staffing to system design, where scalable controls matter more than adding specialists.
At a glance
What this is: This is OneTrust's analysis of why AI governance programmes are stalling, with the central finding that talent shortages and fragmented operating models are slowing responsible AI adoption.
Why it matters: It matters because IAM, security, and governance teams increasingly need to operationalise AI controls without assuming that more headcount alone will solve policy, risk, and oversight gaps.
By the numbers:
- Nearly three-fourths of leaders 73% said lack of technical talent and skill gaps were top challenges to adopting AI.
- More than eight in 10 85% companies provide some AI training, but 84% of those employees report needing more.
- 41% of executives view separate data and AI governance models as a primary barrier.
👉 Read OneTrust's analysis of the AI talent gap and governance operating model
Context
AI governance breaks down when organisations treat it as a hiring problem instead of an operating model problem. The article argues that demand for AI oversight is rising faster than the pool of people who can translate policy, risk, and model behaviour into repeatable controls, which is a familiar pattern in identity and security programmes that depend too heavily on scarce experts.
For IAM and governance teams, the relevance is that AI systems increasingly require the same discipline used in identity governance, policy interpretation, evidence collection, and exception handling. When control ownership is scattered across product, data, security, and compliance teams, the result is slower decisions and weaker accountability rather than stronger assurance.
Key questions
Q: How should organisations scale AI governance when expert talent is limited?
A: They should standardise the repeatable parts of governance, then reserve experts for exceptions and high-risk decisions. That means building workflows that route approvals, capture evidence, and apply policy consistently across teams. Headcount helps only when the control design can scale with it.
Q: Why do separate data and AI governance models create problems?
A: Separate models create duplicated reviews, inconsistent policy interpretation, and unclear ownership. When data, privacy, security, and model-risk teams operate in parallel instead of through a shared control plane, organisations spend more time coordinating decisions than making them. The result is slower governance and weaker accountability.
Q: What do security teams get wrong about AI governance maturity?
A: They often mistake policy documents and training coverage for operational control. Maturity depends on whether the organisation can apply policy, prove decisions, and manage exceptions at scale. If the programme cannot produce auditable evidence, it is still reliant on manual oversight.
Q: How do IAM and AI governance programs intersect in practice?
A: They intersect wherever access, approval, and accountability matter. AI governance needs the same patterns IAM uses for ownership, separation of duties, and traceable decision paths. That makes identity governance a useful operating model for managing high-risk AI systems, especially where sensitive data or privileged access is involved.
Technical breakdown
Why AI governance becomes a scale problem
AI governance is not just model review or policy writing. It is the set of controls that turn abstract rules into repeatable decisions, evidence, and exceptions across the lifecycle of AI use. The article's core point is that these tasks do not scale linearly with specialist headcount because they depend on interpretation, coordination, and auditability. Once AI use spreads across teams, manual review models become bottlenecks. That is why governance programmes stall even when organisations hire more experts. The limiting factor is often the operating structure, not the number of people available.
Practical implication: teams should design governance workflows that reduce manual review dependency and preserve decision evidence by default.
How collaborative AI governance tools change control flow
Collaborative AI governance tools sit above the operating environment and connect policy, risk, privacy, and security workflows. In practice, that means they can translate requirements into controls, route approvals, and surface risk signals without requiring every team to be a specialist in every domain. This does not remove human judgment. It redistributes it so expert reviewers focus on exceptions and high-risk decisions while routine governance tasks are standardised. For AI security and IAM practitioners, the architectural question is whether the control plane captures the same accountability trail that a manual process would, only with less friction.
Practical implication: require a governance control plane that preserves approval lineage, policy traceability, and exception handling.
Why regulatory pressure changes the governance model
The article links AI governance to a broader regulatory shift toward accountability and evidence. That matters because regulators do not accept policies in isolation. They expect organisations to show how controls are applied, how decisions are made, and how risk is monitored over time. The consequence is that governance tools must support evidence generation, not just coordination. This is especially relevant where AI systems intersect with identity, access, or sensitive data, because those domains already depend on auditability and clear ownership. The weakest programmes will be those that still rely on informal review chains.
Practical implication: align AI governance processes to evidence-producing controls that can support audit, compliance, and accountability reviews.
NHI Mgmt Group analysis
AI governance debt is now an operational risk, not a staffing gap. The article correctly frames the problem as an operating model limitation, but the deeper issue is that governance work accumulates faster than organisations can process it manually. When policy interpretation, approval routing, and evidence collection stay fragmented, the programme inherits hidden backlog and inconsistent decisions. Practitioners should treat this as governance debt that compounds until control quality degrades.
Collaborative governance tools matter because they reduce dependence on scarce expert attention. That is the practical lesson for identity and security teams as AI oversight becomes more continuous. The value is not automation for its own sake, but making policy application, exception handling, and evidence capture repeatable across teams. Practitioners should ask whether their control plane scales decision quality, not just workflow volume.
AI oversight is converging with identity governance because both require accountable, reviewable access to high-risk systems. AI programmes increasingly need the same concepts used in IAM and PAM, namely ownership, separation of duties, and auditable approval paths. That means security teams should stop treating AI governance as a parallel discipline and instead integrate it with existing governance structures. Practitioners should use shared control ownership rather than isolated AI-only processes.
Regulatory alignment will increasingly favour organisations that can prove control execution, not just policy intent. The article's regulatory framing is directionally correct, but the market signal is stronger than that: governance maturity will be measured by evidence quality, decision traceability, and the ability to show who approved what and why. That shifts the burden from documentation to operational proof. Practitioners should build systems that generate defensible records as part of normal workflow.
AI governance talent gaps expose a named concept: governance throughput mismatch. This is the gap between the speed at which AI use expands and the rate at which expert teams can review, approve, and monitor it. It creates delayed decisions, inconsistent exceptions, and weak oversight continuity. Practitioners should redesign control paths so governance throughput matches adoption tempo rather than depending on heroic effort.
What this signals
AI governance programmes are moving toward control planes that can evidence decisions, not just record policies. For practitioners, that means the next maturity step is less about adding specialists and more about making approval paths, exceptions, and review outcomes machine-traceable across the organisation.
Governance throughput mismatch: when adoption expands faster than expert review capacity, the bottleneck shifts from model risk to control execution. That pattern will increasingly push IAM, security, and compliance teams to share workflows and evidence stores rather than maintain separate oversight channels.
Where AI systems touch identity, access, or sensitive data, the operational question becomes whether the governance stack can prove who approved what, on what basis, and when. That is the same accountability standard reflected in the NIST AI Risk Management Framework and in identity programmes built around auditable control ownership.
For practitioners
- Redesign governance workflows for throughput Map the highest-friction approval, review, and evidence tasks in your AI programme, then move repeatable steps into standard workflows so experts handle only exceptions and high-risk cases.
- Build a shared control plane for AI oversight Connect privacy, security, compliance, and model-risk checks into one operating layer so policy decisions, exceptions, and approvals remain traceable across teams.
- Define evidence-producing controls Require every material AI governance decision to leave an audit trail that shows the policy basis, approver, exception rationale, and review date, then test whether those records are retrievable under audit pressure.
- Use identity governance patterns for AI systems Apply ownership, separation of duties, and approval lineage from identity programmes to AI governance so access to high-risk models and datasets is accountable and reviewable.
- Measure governance backlog, not headcount Track review queues, exception age, and unresolved policy decisions as operating metrics so you can see whether added staff is actually improving control delivery.
Key takeaways
- AI governance is becoming a throughput problem, because manual oversight cannot keep pace with enterprise adoption.
- The evidence in the article points to a control design issue, not simply a hiring shortage or training deficit.
- Practitioners should build governance workflows that produce traceable decisions, shared accountability, and scalable exception handling.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST AI RMF and NIST CSF 2.0 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST AI RMF | GOVERN | The article centres on governance structures and accountability for AI oversight. |
| NIST CSF 2.0 | GV.RM-01 | Risk management governance aligns with the article's operating model emphasis. |
| ISO/IEC 27001:2022 | A.5.2 | Roles and responsibilities are central to the shared-governance model described here. |
Document AI governance roles under A.5.2 so accountability and approval authority are unambiguous.
Key terms
- AI governance operating model: The operating model for AI governance is the way an organisation assigns roles, routes decisions, and proves that policy is applied in practice. It includes the people, workflows, records, and control points that turn AI oversight from a document into an executable process.
- Governance throughput: Governance throughput is the rate at which an organisation can review, approve, and evidence decisions without creating backlog or inconsistency. In AI programmes, low throughput usually means manual review is outpacing control design, which leads to delayed decisions and uneven enforcement.
- Shared control plane: A shared control plane is a central layer that connects policy, risk, privacy, and security workflows so teams work from the same source of truth. It reduces duplicated reviews and improves auditability when multiple groups must govern the same AI system.
- Exception handling: Exception handling is the process of reviewing, approving, and documenting cases that fall outside standard policy. In AI governance, it matters because high-risk use cases often need deliberate overrides, but those overrides must remain traceable and time-bound.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- How the collaborative governance operating model is structured across product, data, security, privacy, and compliance teams
- Examples of where policy interpretation can be centralised without removing human review from complex decisions
- The specific ways governance tooling is intended to reduce repetitive manual work while preserving accountability
- How the approach aligns with emerging regulatory expectations for transparency and evidence
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle control, and secrets management for practitioners who need to connect access governance to real operational risk. It is designed for teams that must turn policy into repeatable control across identity and security programmes.
Published by the NHIMG editorial team on 2026-06-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org