TL;DR: AI governance programmes are failing when boards, security, privacy, legal, audit, and engineering share responsibilities without clear decision rights, according to Knostic’s analysis of stakeholder roles, EU AI Act timelines, and NIST/OECD-aligned operating models. The governance gap is not policy volume but auditable ownership, runtime enforcement, and measurable accountability across the AI lifecycle.
NHIMG editorial — based on content published by Knostic: Fast Facts on AI Governance Roles and Stakeholders
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should organisations assign accountability in AI governance programmes?
A: Organisations should assign one accountable owner for each governance decision, then separate that role from the people who implement controls, review privacy impacts, or handle incidents.
Q: Why do AI governance programmes need both policy and runtime controls?
A: Policy defines intent, but runtime controls decide whether that intent is enforced where AI actually operates.
Q: What do security teams get wrong about stakeholder maps in AI governance?
A: The common mistake is treating stakeholder maps as a communications exercise instead of a control design exercise.
Practitioner guidance
- Build a single AI governance RACI for every high-risk use case Assign one accountable owner for approval, one for runtime enforcement, one for privacy review, and one for incident response.
- Map governance controls to auditable artifacts For each policy, define the evidence it should produce, such as model cards, approval logs, DPIAs, access matrices, and incident tickets.
- Tie AI access decisions to runtime enforcement Make IAM and platform teams responsible for the controls that actually constrain prompts, tools, data egress, and redaction.
What's in the full article
Knostic's full article covers the operational detail this post intentionally leaves for the source:
- The role-by-role matrix for board, CDAO, CISO, DPO, legal, audit, IAM, and engineering.
- The EU AI Act timeline mapping for provider, deployer, and operator obligations.
- The KPI examples for approval latency, incident rates, and governance evidence.
- The sample RACI structure used to separate responsible, accountable, consulted, and informed roles.
👉 Read Knostic's analysis of AI governance roles and stakeholder accountability →
AI governance RACI models: what IAM and risk teams should align?
Explore further
AI governance is becoming an identity governance problem with broader stakeholder coverage. The article shows that boards, security, privacy, legal, audit, engineering, and operations now share responsibility for the same AI control surface. That is structurally similar to IAM and IGA, but the decision chain is wider and faster, which makes ownership gaps more dangerous. Practitioners should treat AI governance as a cross-functional access and evidence discipline, not a policy annex.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- 69% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the same survey.
A question worth separating out:
Q: Who is accountable when AI governance failures happen?
A: Accountability sits with the role that owns the decision and the evidence for that decision, not with every team that was copied into the process. In practice, the accountable owner should be able to show approval records, control status, and incident follow-up. That is what makes governance defensible to auditors and regulators.
👉 Read our full editorial: AI governance roles and decision rights need clearer RACI models