
AI governance and accountability: what CISOs need to do now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: The article argues that the EU AI Act and NIST AI RMF are already pushing enforceable expectations for accountability, risk classification, transparency, and documentation, while most organisations still lack visibility into who owns their AI and what data it uses, according to Abnormal AI. The governance gap is now an ownership and assurance problem, not a tooling problem.

NHIMG editorial — based on content published by Abnormal AI: AI regulation is raising the bar for CISO accountability

Questions worth separating out

Q: How should organisations govern AI systems that affect business decisions?

A: They should treat AI governance as a cross-functional control, not a security-only task.

Q: Why is AI ownership harder than traditional application ownership?

A: AI ownership is harder because accountability must cover both the technical system and the decisions it influences.

Q: What should security teams look for in an AI impact assessment?

A: They should look for business impact, data lineage, failure modes, and operational dependency.

Practitioner guidance

  • Build a living AI inventory: Track every internal model and third-party AI service that influences decisions, and record the owner, data sources, business process, and risk classification for each entry.
  • Assign outcome owners for every AI-enabled process: Name one accountable business owner and one technical contact for each system so governance can answer who accepts risk and who remediates issues.
  • Embed AI impact assessment into existing governance workflows: Use model risk, third-party risk, incident response, and change management processes to assess bias, resilience, explainability, and operational dependency before deployment.

What's in the full article

Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how teams can build a living AI inventory across internal systems and third-party services
  • Practical guidance on mapping AI ownership into model risk, incident response, and change management processes
  • Examples of impact assessment questions that go beyond compliance checklists and into operational dependency
  • The article's own framing of how CISOs can influence business stakeholders on AI governance

👉 Read Abnormal AI's analysis of AI regulation, ownership, and governance →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472

AI governance has become an identity accountability problem before it becomes a model-risk problem. The article is right that most organisations lack visibility, but the deeper issue is that AI systems are being deployed without durable ownership structures. That creates governance ambiguity across IAM, security, and business teams, because no one can consistently answer who is accountable for the system's access, data use, or outcomes. The practitioner conclusion is that AI governance must be attached to accountable owners, not just technical administrators.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when an AI system behaves unexpectedly?

A: The accountable party should be the named business owner of the AI-enabled process, supported by the technical team operating the system. Automation can help detect the issue and preserve evidence, but it cannot accept risk or explain business impact. Regulators and boards will expect a person who can answer for the decision and the control environment.

👉 Read our full editorial: AI regulation is raising the bar for CISO accountability
