TL;DR: AI governance now has to span ethics, compliance, lifecycle management, and technical controls as organizations deploy AI across regulated and customer-facing workflows, according to Kong. The missing piece is identity governance for AI systems, because governance without access control, auditability, and lifecycle discipline leaves the highest-risk failures untouched.
NHIMG editorial — based on content published by Kong: What is AI Governance? 2026 Framework Guide
By the numbers:
- Only 37% have policies to manage AI or detect shadow AI.
Questions worth separating out
Q: How should organisations govern AI systems that can access business data and APIs?
A: Organisations should govern AI systems as identities with defined owners, scoped permissions, review points, and retirement paths.
Q: Why do shadow AI deployments create so much governance risk?
A: Shadow AI creates governance risk because systems that are not discovered cannot be approved, monitored, or retired.
Q: What do security teams get wrong about AI governance programmes?
A: Security teams often treat AI governance as a policy or ethics exercise rather than an operational control problem.
Practitioner guidance
- Define AI identity ownership Assign a named business and security owner to every deployed AI system, with responsibility for access scope, monitoring, and retirement.
- Build lifecycle checkpoints into AI approvals Require entry, review, validation, and retirement checkpoints for AI systems, and tie them to evidence that can survive audit and incident review.
- Inventory shadow AI before scaling usage Discover every AI system connected to business data or APIs, then classify it by owner, data access, and operational purpose.
What's in the full article
Kong's full article covers the framework detail this post intentionally leaves at a higher level:
- A fuller breakdown of how Kong maps AI governance to NIST AI RMF, ISO/IEC 42001, and the EU AI Act.
- Examples of AI governance controls across healthcare, finance, and retail use cases.
- A deeper explanation of bias testing, transparency, accountability, and privacy controls.
- Lifecycle management considerations for AI systems from design through retirement.
👉 Read Kong's framework guide on AI governance and lifecycle controls →
AI governance and identity controls: what IAM teams are missing?
Explore further
AI governance fails when it stops at principles and never reaches identity control. Kong’s guide is strongest where it shows that ethical language alone does not govern access, data handling, or decision paths. AI becomes a security problem when it can act inside business systems without clear ownership, scoped permissions, or lifecycle exit criteria. The practitioner conclusion is that AI governance and identity governance must be treated as one operating model.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Which frameworks should guide enterprise AI governance decisions?
A: NIST AI RMF, ISO/IEC 42001, and the EU AI Act are the most relevant starting points because they connect risk management, management systems, and regulatory obligations. Practitioners should use them to shape internal control objectives, evidence requirements, and review processes rather than as abstract policy references.
👉 Read our full editorial: AI governance needs identity controls as agents expand access