Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI governance at enterprise scale: what CISOs need to operationalize


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: AI governance has moved from policy and review into continuous security operations as enterprises embed AI across SaaS, productivity, development, and customer systems, according to OneTrust. The hard part is no longer deciding whether to govern AI, but building inventory, intake, monitoring, and runtime controls that keep pace with deployment.

NHIMG editorial — based on content published by OneTrust: How CISOs Can Secure and Govern AI Across the Enterprise

By the numbers:

  • Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.

Questions worth separating out

Q: How should security teams govern AI systems that are embedded inside existing business tools?

A: Security teams should govern embedded AI the same way they govern other shared enterprise controls: discover it, classify it, assign an owner, and define the data and action boundaries before broad use.

Q: Why do AI governance programmes need more than policy documents?

A: Policies describe intent, but they do not enforce behaviour.

Q: What breaks when organisations cannot inventory all of their AI systems?

A: Without inventory, organisations cannot assign ownership, assess data exposure, determine which controls apply, or prove governance to auditors and regulators.

Practitioner guidance

  • Build a single AI inventory as a control record Capture models, embedded AI features, business owners, vendors, data sources, and risk classifications in one place so governance decisions have a consistent reference point.
  • Route all AI use cases through a structured intake review Require security, privacy, legal, compliance, and business review before deployment, with explicit assessment of data sensitivity, autonomy, and decision impact.
  • Extend monitoring into runtime AI behaviour Track what the system can access, what actions it can take, and what it actually does after deployment so reviews are not limited to pre-production approval.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • The article’s step-by-step AI inventory approach, including the fields teams should capture for ownership and risk tracking.
  • The intake and review questions OneTrust recommends before an AI use case moves into production.
  • The specific ways OneTrust frames continuous monitoring, lifecycle oversight, and governance by design for agentic AI.
  • The named frameworks and implementation references used to align AI governance with broader security and compliance programmes.

👉 Read OneTrust's blog on how CISOs can secure and govern AI across the enterprise →

AI governance at enterprise scale: what CISOs need to operationalize?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

AI governance is becoming a control-plane problem, not a policy problem. The article correctly shifts attention from written rules to operational oversight, because policy alone does not constrain what AI is embedded inside SaaS, development, or third-party services. Governance fails when teams cannot see the full AI estate, cannot classify risk consistently, and cannot attach ownership to each use case. Practitioners should treat AI governance as a continuous system of record and control, not as a document set.

A few things that frame the scale:

A question worth separating out:

Q: Who should be accountable when an AI system takes an unauthorised action?

A: Accountability should sit with the business owner of the use case, the control owner for the workflow, and the team that approved the AI’s access and autonomy. If the system can initiate actions, accountability must include the people who defined its scope, not just the people who built the model.

👉 Read our full editorial: AI governance is becoming a core security discipline for CISOs



   
ReplyQuote
Share: