TL;DR: Many organisations cannot reliably say how many AI models are running in production, which Collibra frames as a governance failure that also creates regulatory exposure. The core issue is that AI governance policies without production-level model controls leave blind spots in ownership, monitoring, lineage and retirement.
NHIMG editorial — based on content published by Collibra: AI model governance in production
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should security teams govern AI models that are already in production?
A: They should treat production models as controlled assets with named ownership, documented purpose, approval history, monitoring thresholds and a clear retirement path.
Q: What breaks when AI model governance stops at the registry?
A: The organisation loses visibility into what is actually running, who owns it and whether its behaviour still matches the approved state.
Q: How do teams know whether model governance is working?
A: They can prove it when every live model is mapped to an owner, a model card, lineage data, monitoring thresholds and a retirement decision trail.
Practitioner guidance
- Reconcile live models against registry records Compare the model registry, deployment logs and application dependencies to find models that are still active but no longer documented or owned.
- Assign durable ownership for every production model Name one accountable business or technical owner per model and force ownership changes when teams or roles change.
- Tie drift thresholds to governance decisions Define the performance threshold that triggers review, restriction, retraining or retirement, and route those alerts to the accountable owner.
What's in the full article
Collibra's full blog post covers the operational detail this post intentionally leaves for the source:
- The model card fields and approval artefacts Collibra expects for production governance.
- How lineage data is connected to model metadata and downstream applications in practice.
- The workflow for drift-triggered escalation, review and retirement decisions.
- How Collibra positions its platform integration for model metadata and audit evidence.
👉 Read Collibra's analysis of AI model governance in production →
AI model governance in production - are your controls keeping up?
Explore further
Production model inventories are a governance control, not a documentation exercise. The article exposes a familiar failure mode: teams believe a registry is a control, but the registry only helps if it stays aligned to what is live. This is structurally similar to unmanaged non-human identities, where the record exists but the operational reality has drifted. Practical implication: treat production reconciliation as part of governance, not an admin task.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A second finding from The 2024 ESG Report: Managing Non-Human Identities shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
A question worth separating out:
Q: Who is accountable when a production model drifts below approved thresholds?
A: The named model owner is accountable for the review, escalation and decision path, even if engineering or data science detects the issue first. Governance fails when drift is treated as a technical alert without a business owner attached to the next decision.
👉 Read our full editorial: AI model governance in production needs stronger control and audit