TL;DR: AI governance and ethics fails when organisations stop at principles and never operationalise intake, review, monitoring, and evidence, according to Collibra. Responsible AI only works when governance is embedded across the lifecycle, because post-deployment ethics checks arrive after data, workflows, and business dependence have already hardened.
NHIMG editorial — based on content published by Collibra: AI governance and ethics: How to build responsible AI from the ground up
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
Questions worth separating out
Q: How should organisations operationalise responsible AI governance?
A: Organisations should treat responsible AI as a lifecycle control, not a policy statement.
Q: Why do AI ethics programmes fail after deployment?
A: They fail because the organisation reviews the system too late.
Q: What do security teams get wrong about AI governance inventories?
A: They often inventory only the AI they built themselves and miss embedded AI inside vendor platforms and other shadow AI.
Practitioner guidance
- Build a pre-development intake gate Require every AI use case to be reviewed before engineering resources are committed.
- Create a live inventory of AI use cases, models, and agents Include embedded AI in vendor platforms, not just internally built systems.
- Route reviews automatically by risk tier Tie high-risk use cases to privacy, legal, security, and fairness checks without manual chasing.
What's in the full article
Collibra's full blog post covers the operational detail this post intentionally leaves for the source:
- The article expands on the EU AI Act, NIST AI RMF, and ISO/IEC 42001 and how each framework maps to responsible AI operating models.
- It walks through the accountability workflow elements in more detail, including inventory, intake, automated risk routing, human review, and continuous monitoring.
- The post explains how organisations should connect data lineage, policy traceability, and model ownership so governance evidence survives audits.
- It also provides the practical sequence for getting started, including how to walk one high-stakes use case through the full lifecycle.
👉 Read Collibra's analysis of AI governance and ethics from the ground up →
AI governance and ethics: where do programmes still break down?
Explore further
AI governance fails when organisations treat ethics as commentary instead of control. The article is right that principles alone do not change outcomes, because a code of conduct does not tell reviewers what to approve, what to reject, or what evidence to capture. That gap is visible in every security domain where intent exists but workflow is missing. Practitioners should read this as an operating model problem, not a communications problem.
A few things that frame the scale:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who should be accountable when an AI system produces harmful outcomes?
A: Accountability should sit with a named business owner supported by governance, legal, security, and privacy reviewers. If ownership is diffuse, no one can explain the approval, the monitoring state, or the escalation path when something goes wrong. The control model must make accountability explicit before the system is deployed.
👉 Read our full editorial: AI governance and ethics need operating models, not principles