TL;DR: Manual, inconsistent governance checks do not scale as AI portfolios grow, according to Collibra, and Gartner predicts that by 2027, 60% of organisations will fail to realise expected AI value because governance frameworks are fragmented. The deeper issue is that governance models built for periodic review break when policy enforcement must run continuously.
NHIMG editorial — based on content published by Collibra: Control Tower, OOTB controls to govern AI by exception
By the numbers:
- Gartner predicts that by 2027, 60% of organizations will fail to realize the expected value of their AI use cases due to fragmented governance frameworks.
Questions worth separating out
Q: How should security teams implement exception-based governance for AI systems?
A: Start by encoding each recurring governance requirement as a control with a clear failure condition, a run schedule, and an assigned owner.
Q: Why do manual governance checks fail as AI portfolios grow?
A: Manual checks fail because they cannot keep pace with the number of assets, versions, data sources, and policy obligations that appear as AI use expands.
Q: What breaks when governance controls are not tied to trusted metadata?
A: Controls lose context and begin to produce weak or misleading results.
Practitioner guidance
- Map AI governance checks to exception workflows Convert recurring review items into controls that fire only when a model, dataset, or policy condition fails.
- Tie each control to governed metadata Anchor every check in trusted relationships among models, versions, owners, data assets, and quality scores.
- Set operational thresholds for policy drift Define the score, version state, or ownership condition that causes a failure notification, then make the threshold visible to both control owners and reviewers.
What's in the full article
Collibra's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact control-building workflow for creating a query, setting a run schedule, and customising failure notifications.
- The example logic behind the "Data Quality Issues on Training Data" control and how its hourly validation is configured.
- The governed metadata relationships used to connect models, versions, data assets, owners, and quality scores.
- The product-specific views for Candidate status, Failed Assets, and control history that support remediation and audit trails.
👉 Read Collibra's post on Control Tower OOTB controls for AI governance →
AI governance by exception: are manual checks already failing?
Explore further
Manual governance checks are now a scaling failure, not just an efficiency problem. The article is really about the point at which periodic validation stops being a viable control model. When AI portfolios expand, the governance burden multiplies faster than teams can review it by hand. That means the control weakness is structural: review cycles are too slow to represent the state of the portfolio accurately. The implication is that governance programmes must be measured by enforcement continuity, not by whether a review exists at all.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, which shows how governance maturity still lags operational need.
A question worth separating out:
Q: How do teams know whether AI governance by exception is working?
A: It is working when controls surface a small number of clear, actionable failures instead of overwhelming teams with routine checks. You should see faster remediation, cleaner ownership, and stronger audit evidence because the control is always on. If alerts remain noisy or unresolved, the governance model is not yet precise enough.
👉 Read our full editorial: AI governance by exception exposes the limits of manual controls