Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI governance as infrastructure: what changes for security teams now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Governance is lagging AI adoption across enterprises, with OneTrust’s 2025 AI-Ready Governance Report finding that 90% of advanced adopters and 63% of experimental adopters say AI exposed the limits of manual processes, while more than two-thirds of technology leaders say governance trails project speed. That gap makes continuous, programmatic control the baseline for AI-ready operations.

NHIMG editorial — based on content published by OneTrust: What Will It Take to Be AI-ready in 2026?

By the numbers:

Questions worth separating out

Q: How should organisations govern AI systems that can make consequential decisions?

A: Organisations should govern consequential AI systems with the same discipline used for high-risk identities: defined ownership, least privilege, logging, approval boundaries, and human override.

Q: Why do manual AI governance processes fail as systems evolve?

A: Manual processes assume the AI system, its data, and its access paths remain stable long enough for a human review cycle to finish.

Q: What do security teams get wrong about AI governance reviews?

A: They often treat every use case as if it needs the same level of scrutiny.

Practitioner guidance

  • Embed policy checks into AI workflows Map each high-risk AI use case to a policy checkpoint that executes before data access, tool invocation, or external action.
  • Inventory AI systems as governed actors Create an inventory of AI agents, embedded models, and automation pipelines that can affect data or operational state.
  • Capture audit evidence continuously Log approvals, policy decisions, and runtime policy outcomes in a way that preserves evidence for privacy, risk, and security review.

What's in the full article

OneTrust's full blog covers the operational detail this post intentionally leaves for the source:

  • The report's survey framing and practitioner input across governance-focused IT decision-makers.
  • The specific governance patterns OneTrust associates with AI-ready operations across privacy, risk, and data teams.
  • The regulatory and market context behind AI governance as infrastructure.
  • The broader 2026 predictions on how AI agents reshape consent and accountability.

👉 Read OneTrust's predictions on what it will take to be AI-ready in 2026 →

AI governance as infrastructure: what changes for security teams now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

AI governance is becoming an infrastructure discipline, not an advisory layer. The article is right to frame governance as something that must operate inside the system rather than around it. Once AI decisions happen in milliseconds, the only effective control is the one that executes with the workflow. Practitioners should treat AI governance as an operational control plane, not a review committee.

A question worth separating out:

Q: Who should own accountability for AI data access risk?

A: Accountability should sit with the teams that own identity, data governance, and security operations together. If AI can access enterprise data, then ownership must cover entitlement design, monitoring, and incident response across the full workflow. The governance gap is not just technical, because without a named owner, no one can prove who approved or contained the access.

👉 Read our full editorial: AI governance must become infrastructure to keep pace with automation



   
ReplyQuote
Share: