In Practice: AI in the Enterprise | Day 82: The Model Risk Governance You’ll Need in Three Years (Start Building It Now)

Model risk management in enterprise AI isn’t a solved problem. It’s barely understood.

Most organizations have a model risk framework inherited from financial services—approaches designed for regression models that predict loan default or market behavior. Those frameworks assumed you could hold the model still and understand it: extract coefficients, measure bias, validate performance, sign off, and deploy. The model’s behavior was relatively predictable within its operational envelope.

That world no longer exists.

The model risk governance you have today was built for a different problem. Foundation models introduce different considerations that challenge these assumptions. The model risk governance you’ll need in three years needs to be built now, because the complexity is arriving faster than most organizations realize.

What’s Actually Changing

The core shift is loss of transparency at scale. Your predecessors in model risk could, in principle, understand how their model worked. Someone—a data scientist, a mathematician—could crack it open and explain the causal path from input to output. This was tedious and expensive, but possible.

With foundation models and large language models, that option no longer exists at all. You’re deploying systems whose internal behavior you cannot fully explain, even if you built them. You’re introducing systems whose behavior changes with deployment context—different users, different use cases, different data—in ways that are difficult to predict and harder to measure consistently.

You’re also stacking models. An LLM calling an API that reads a database, transforms the data, feeds it back to another model. The risk surface isn’t one model anymore—it’s a web of interconnected systems, each with its own risk profile, each potentially amplifying or mitigating the others’ failures.

That’s not model risk. That’s system risk. And your governance framework is built for the wrong problem.

Three Dimensions of Complexity That Are Coming

Behavioral Drift: Your model performs differently in production than it did in test. This is a known problem. But with foundation models, behavioral drift becomes harder to detect and easier to miss. You’re monitoring for deviation from expected performance, but what’s “expected” when your model’s output distribution is continuously shifting based on user patterns, retrieval data, and context? The frameworks that detect drift in traditional ML break down when the thing drifting is too large to hold in your explanation budget.

Emergent Capabilities: You deploy a model for Task A. In production, users discover it’s useful for Task B, Task C, and Task D—sometimes better than your original use case. Those emergent capabilities were latent in the model. You didn’t design them. You didn’t test them. You don’t fully control when or how they appear. But you’re now accountable for them. Your risk governance needs to account for capabilities that emerge after deployment, not just the ones you architected.

Compounding Amplification: When you stack systems, failures don’t just accumulate—they amplify. A hallucination in one model becomes input to another, which makes a high-confidence wrong decision based on false data. Your risk governance for individual models doesn’t capture this compounding effect. You need frameworks that reason about system-level failure modes, not just model-level risk.

What’s Still Missing in Most Frameworks

The model risk programs I see in mature enterprises usually have three components: testing and validation, performance monitoring, and escalation procedures. They’re measuring the right things within their scope. But their scope is too narrow.

What’s missing is behavioral monitoring in context. You need to observe how your model behaves at the boundaries of its training data, with adversarial input, with out-of-distribution user populations. Not because you’re paranoid, but because that’s where real risk lives—at the edges, where assumptions break down.

What’s missing is feedback loop integration. Your production monitoring tells you the model is drifting. Your risk governance then escalates to data science for investigation. But the governance framework doesn’t close the loop: Did we fix it? Did we understand why it drifted? Did we update our assumptions about what environments this model can operate safely in? Without closed loops, you’re not learning—you’re just watching failures.

What’s missing is stack-level risk assessment. Your model is accurate. Your retrieval system is reliable. Your API is stable. But the combination of all three, deployed in production with human decision-makers relying on the output, has a different risk profile. You need frameworks that reason about system-level risk, not just component risk.

Building It Now

If you’re at a large enterprise with significant AI deployment, here’s what I’d prioritize starting today—not in three years:

First: Expand your definition of “model” from the algorithms to the system. Your governance framework should reason about the entire decision path: data ingestion, model inference, output formatting, integration with business systems, and human decision-making. A failure anywhere in that stack is your problem.

Second: Shift from static testing to continuous learning about model behavior. Deploy observability systems that understand model behavior across user populations, use cases, and contexts. Not just whether the model is accurate on average, but where it fails systematically. Where do certain user populations get different outputs than others? Where is your confidence high but accuracy is low?

Third: Separate risk tolerance by use case. A model that informs a business decision has different risk tolerance than a model that makes a business decision. A model that affects one customer has different requirements than a model that affects millions. Your governance framework should be granular enough to reason about these differences.

Fourth: Build escalation and learning into your governance loops. When something breaks, your escalation path should lead to understanding and prevention, not just remediation. If a model drifts, you should understand why and update your assumptions about safe operating conditions. That closed loop is where real governance lives.

Why This Matters

Model risk governance isn’t a compliance checkbox. It’s a decision-quality problem. If you don’t understand the risks your models are creating, you’re flying blind. And flying blind at enterprise scale—where decisions affect thousands of customers, millions of transactions, or critical business operations—is a risk your board should be skeptical of.

The organizations that get ahead of this are the ones that start now, while they still have time to build governance that actually works for their systems, not governance inherited from an older model-risk era.

The complexity is coming whether you’re ready or not. The question is whether you’re going to understand it when it arrives.

In Practice: AI in the Enterprise | Day 81: The Compliance Conversation That Separates Leaders from Followers

There’s a moment in every executive’s first year overseeing AI governance when compliance stops being a checkbox and starts being a conversation with your board. That moment usually arrives when someone asks a question you can’t answer: How do we know we’re compliant? Not whether you’ve passed an audit. Whether you actually know.

The separation between leaders and followers in enterprise AI right now isn’t who has the most sophisticated AI. It’s who understands that compliance is not a constraint to work around—it’s an advantage most organizations are actively throwing away.

The Myth: Compliance as Friction

The narrative most companies tell themselves is simple: compliance slows us down. Governance adds process. Rules limit innovation. It’s the cost of doing business in regulated industries. You pay it because you have to, and you try to minimize it.

This is exactly backward.

The companies that get compliance wrong aren’t moving faster. They’re moving recklessly and discovering their speed only costs more when they hit a wall. The companies that get it right move with informed confidence. They deploy AI systems that stay in production. They make decisions that don’t need to be remade. Their teams trust what they’re building because someone has thought through what could go wrong.

That’s not friction. That’s velocity with foundation.

What Separates Leaders: Three Conversational Shifts

The executives I work with who are genuinely leading on this are making three shifts in how they talk about compliance.

First: From “Are we compliant?” to “What are we assuming?”

Compliance questions are mostly not compliance questions. They’re risk questions wearing compliance language. A regulator asking about model explainability isn’t checking a box—they’re asking: What could fail here that you haven’t prepared for? Leaders reframe compliance conversations back to their actual shape: uncertainty, assumption, and residual risk. When your chief risk officer and general counsel are asking the same questions, you’ve aligned the organization. When they’re still speaking different languages, you haven’t.

Second: From “Tell me what we can’t do” to “Tell me what we’re responsible for”

Compliance is often positioned as restriction. We can’t deploy this model until X passes Y threshold. But the real conversation is about scope: If we deploy this, we own the consequences. That changes everything. Leaders shift their teams from thinking about restrictions to thinking about responsibility. What outcomes are you creating? What decisions are people making based on your system? Who’s affected if it fails? That’s where actual compliance lives.

Third: From document collection to decision documentation

Many enterprise compliance efforts are still primarily archaeological. You audit a decision after it’s made. You collect evidence afterward. Leaders run the process in reverse: they document what they’re deciding and why before deployment. Not instead of audit—instead of hoping the audit finds what you did rather than what you didn’t do. When your compliance program is forward-facing, not backward-facing, you catch assumption drift early.

Why This Matters Now

Enterprise AI governance is at an inflection point. The regulatory environment isn’t getting simpler—it’s branching. Different jurisdictions, different regulatory philosophies, different definitions of what “responsible AI” means. The companies that can navigate this complexity aren’t the ones that hired the biggest compliance team. They’re the ones that made compliance a native part of how their technical and business teams operate.

You can feel this happening in the conversations at the board level. Twelve months ago, AI governance was a risk mitigation conversation. Now it’s becoming a business continuity conversation. If we can’t reliably predict our AI’s behavior, can we grow this business? That’s a different question. It has different stakes.

The Practical Line

Here’s what this looks like in practice: Leaders are building compliance into how they make decisions about which AI systems to invest in. Not after investment—during. A system that can’t be governed clearly is a system that creates liability, even if it creates business value. That’s a trade-off you make consciously, not accidentally.

They’re also shifting who participates in compliance decisions. It’s not GC and risk anymore. It’s product, engineering, data, and business leadership in the room together. Because compliance isn’t a legal problem or a risk problem—it’s an organizational problem. You can’t solve it without everyone.

And they’re measuring it differently. Not “how many audits passed” but “how many decisions did we make confidently without discovering critical risk afterwards?” That’s a lagging indicator of a genuine compliance culture.

The Real Advantage

The leaders I watch aren’t celebrated for their compliance programs. They’re celebrated for their speed, their reliability, and their ability to scale AI responsibly. That’s what compliance done right actually buys you. Not safety theater or risk avoidance. Speed with confidence. Scale with control.

The conversation that separates leaders from followers is the one where compliance isn’t something your company does for regulators. It’s something your company does for itself—because an organization that understands its own risk can move faster than an organization that’s moving blind.

That distinction is becoming the business difference.

In Practice: AI in the Enterprise | Day 80: The Governance Capability Model: What Your Organization Actually Needs to Build (Not Hire)

You need a head of AI governance. You need a team. You need people with the right skills. So you hire.

This is the wrong approach. The enterprises that excel at AI governance don’t hire their way to excellence. They build capability.

There’s a difference. Hiring assumes the market has people who already know how to govern AI at scale. Mostly, it doesn’t. People know how to do one or two things—maybe fairness auditing, maybe model monitoring—but building integrated governance across fifty systems at an enterprise? That’s not a hiring problem. That’s a building problem.

What You Actually Need

The governance capability you need has four components:

1. Governance thinking. The ability to look at an AI system and ask the right questions. Will this cause harm? Are we accountable for this? Can we defend this decision? Is there risk we haven’t considered? What governance is needed?

This is not a skill you hire. This is something teams develop through experience. You need people who’ve governed multiple systems and learned patterns. People who can look at a new system and see what’s likely to go wrong.

You develop this by having people govern systems over years. Not by hiring “senior governance people” from other companies. Those people know governance at their company. They don’t automatically know your company.

2. Governance infrastructure. Tools, processes, standards that make governance scalable. Monitoring platforms. Decision support systems. Audit trails. Governance databases.

Some of this you buy. Much of it you build. You need people who understand what governance infrastructure you need and can build it. Not necessarily software engineers. But people who can design systems that work.

You develop this through iteration. You implement monitoring. It doesn’t work. You redesign it. You implement decision gates. They’re too slow. You automate them. Over time, you build infrastructure that works.

3. Governance integration. Governance doesn’t sit in a separate team. It integrates with how teams build and operate systems. Model developers think about fairness because governance is integrated into development. Operations teams monitor for drift because monitoring is integrated into operations.

This requires people who understand how to embed governance into existing work. This is not a “governance team” skill. This is a skill that lives in product, engineering, and operations teams. You build it by teaching people how governance applies to their work.

4. Governance judgment. The ability to make trade-off decisions under uncertainty. A fairness metric is slightly worse than before, but retraining costs money and time. Is it worth it? A new regulation might apply, but it’s unclear. Should we prepare? A model is failing for a small segment of users. Should we pull it?

These are judgment calls. They depend on understanding risk, understanding business, understanding technical constraints. There’s no “right answer” in a textbook. You develop judgment through experience making hard decisions and seeing what happens.

Why Hiring Fails

Most enterprises hire a governance team. They get smart people. But:

  1. They don’t understand the existing systems. A new governance head comes in and wants to implement a governance framework. But they don’t know what systems you have, which are critical, what risks matter. They implement a framework that’s generic and often wrong for your specific situation.

  2. They’re not integrated into how you build. Governance gets siloed. Model developers do their thing. Governance team checks boxes separately. Governance doesn’t actually affect decisions.

  3. They leave. You hire someone smart. After two years, you’ve figured out governance. Now the person leaves. You’ve lost the person but not the capability. You have to rebuild with the next person.

  4. They can’t scale team skills. You hire a governance head and a team. But most of your organization still doesn’t understand governance. So you’re bottlenecked. The governance team has to review everything.

What You Should Build Instead

Instead of hiring a governance team, build governance capability:

1. Develop governance thinking in existing teams.

Your model development teams should be able to think about governance. Not become governance specialists. But understand governance enough to ask the right questions about their models.

This means: – Governance training (not abstract, but for your systems) – Governance reviews where the team explains their thinking – Governance mentoring (someone who’s done this before works with them)

Over a year, your teams are thinking about governance. You’ve scaled thinking across the organization.

2. Build governance infrastructure iteratively.

Start with one capability. Monitoring. Build it. It’s imperfect. Improve it. Build the next capability. Decision gates. Improve them. Over time, you have infrastructure that works.

This requires people who understand what infrastructure you need and can build it. This could be engineers. It could be people from ops or product who understand the problem deeply.

3. Integrate governance into existing processes.

Don’t add a governance review step. Integrate governance into your existing review.

Model review: Include governance questions (fairness, data quality, monitoring). Don’t have a separate fairness review.

Incident response: Include governance questions (why did this happen? what should change?). Don’t have separate governance postmortems.

Deployment process: Include governance gates (this model meets standards). They’re not separate gates; they’re part of the deployment process.

4. Build judgment through experience.

You need people who’ve made governance decisions and can explain their thinking. These might be internal people who’ve grown into governance roles. They might be external advisors who work with your teams on hard decisions.

The key is that people are making decisions, not just implementing frameworks. They’re learning what works.

The Organizational Structure

The governance capability you need doesn’t live in a “governance team.” It’s distributed:

  • Governance thinking lives in model teams, operations teams, product teams
  • Governance infrastructure lives in a platform or engineering team
  • Governance integration lives in the processes where decisions are made
  • Governance judgment lives in experienced people scattered across the organization

You might have someone coordinating governance (a CTO, a governance lead). But they’re coordinating a distributed capability, not running a separate team.

How to Start Building

Year 1: Build governance thinking in your core teams. Pick one system. Work through governance with the team. Document what you learned. Do it again with the next system. By end of year, teams are thinking about governance.

Year 2: Build one governance capability (monitoring, decision gates, audit trails). Improve it based on what you learn. Build the next capability. Start integrating governance into your processes.

Year 3: Your teams are thinking about governance. Your infrastructure is working. You’re making trade-off decisions with some maturity. You can scale to more systems.

Year 4+: You’re scaling governance across your portfolio. You’re not bottlenecked by a small governance team. You’re bottlenecked by how fast you can develop systems and learn from them.

Why This Matters

Organizations that build governance capability scale better. They don’t hit the wall where governance is so much overhead that teams stop doing it. They don’t lose continuity when a key person leaves.

Organizations that hire governance teams often hit that wall. The team becomes a bottleneck. The team leaves. Governance collapses.

What You’re Actually Building

When you build governance capability, you’re not building a governance function. You’re building an organization that thinks about governance as part of how it operates.

That’s hard. It takes years. It’s messier than hiring a team and hoping they know what to do.

It’s also more durable. When people understand why governance matters, when it’s integrated into how they work, when they’ve learned from making decisions—that capability survives.

This is the difference between hoping someone else will handle governance (hire a team) and building an organization that governs itself (build capability).

One scales. One doesn’t.

In Practice: AI in the Enterprise | Day 79: Resilience vs. Robustness: Why Some AI Systems Survive Crisis and Others Don’t

Your system needs to be robust. It needs to work under normal conditions. Tests should pass. Models should perform. Data pipelines should run.

But robustness is not enough. Robustness is about handling expected conditions well. When the unexpected happens—when there’s a crisis—robust systems often fail. The ones that survive are resilient.

The Difference

Robustness is about being strong. You build a system that can handle normal variation. Your model is accurate on test data. It handles normal input ranges. It works when deployed.

Resilience is about bouncing back. When something breaks (and something will break), your system doesn’t just fail. It degrades gracefully. It falls back. It responds. It learns. It recovers.

A robust AI system handles normal cases well. It fails catastrophically when something unexpected happens.

A resilient AI system might not handle normal cases as optimally (there’s overhead in resilience), but when crisis comes, it survives.

The Problem With Pure Robustness

Most enterprises optimize for robustness. You test the model. You validate it. You monitor it. You deploy. It works.

Then something unexpected happens. The data distribution shifts in a way you didn’t anticipate. A dependency breaks. A fraud pattern changes. A regulator announces new requirements. The system was robust against what you tested for. It’s fragile against what you didn’t.

This is why you see stories of robust systems that fail spectacularly. They handled the expected cases well. They had zero resilience for unexpected cases.

What Resilience Requires

Resilience requires design for failure. Not “expect things to fail” but “assume things will fail in ways we haven’t predicted. Design for survival anyway.”

This looks like:

1. Graceful degradation. When something goes wrong, the system doesn’t produce bad results or crash. It degrades. It might produce lower-quality results. It might serve a smaller subset of cases. But it stays operational and doesn’t harm.

Example: A fairness monitoring system discovers that a model has unexpected bias. Rather than immediately pulling the model (which might break dependent systems), the system reduces the model’s decision-making to a smaller subset of cases where it’s reliable. As the team investigates, more cases can be added back.

2. Fallback systems. For critical decisions, you have a fallback. If the AI system fails, something else can handle it.

This might be: – A simpler, more robust model (less performant but more predictable) – Rule-based logic (less sophisticated but more controllable) – Human decision-making (expensive but reliable) – Default behavior (safe if suboptimal)

3. Observability at crisis time. When something is going wrong, you need to understand it quickly. This requires instrumentation that works under stress.

Most monitoring is designed for normal operation. Under crisis, monitoring itself can fail. Resilient systems have crisis-mode observability. Simple, focused monitoring that works when systems are stressed.

4. Decision authority during crisis. When something goes wrong, who has authority to make decisions? What decisions can they make unilaterally? What requires escalation?

Most organizations are vague about this. Resilient systems are explicit. “When accuracy drops below X, the on-call engineer can pull the model unilaterally.” “When fairness metrics exceed Y, escalate to the governance team, who can decide to restrict the model’s usage.”

5. Pre-planned recovery. When something fails, what’s the recovery plan? Not “figure it out in crisis.” Plan it before crisis happens. Test it.

“If the model fails, we switch to fallback. How long does that take? Seconds? Minutes? Hours? Can we do it automatically or does it require human decision? What signals tell us the fallback is working?”

What This Costs

Resilience is expensive. You’re building fallbacks that might never be used. You’re monitoring in ways that seem like overhead. You’re designing for failure when you’d like to believe your system will never fail.

The cost is highest in normal times. Fallbacks consume resources. Monitoring adds latency. Crisis-mode decision authority requires training and drills.

The payoff comes in crisis. When something breaks, resilient systems stay operational. Robust systems fail.

How to Build It

Start with critical systems. Which models affect the most customers? Which have the highest risk if they fail? Build resilience there first.

For each critical system:

  1. Identify failure modes. What could go wrong? Accuracy degrades. Fairness metrics change. Latency spikes. Input distribution shifts. External data source goes offline. Dependency fails.

  2. For each failure mode, design graceful degradation. What would the system do if this happened? How would it fail safely?

  3. Define fallbacks. For critical decisions, what’s the fallback? Can you pre-test it?

  4. Plan crisis-mode observability. If monitoring fails, how do you understand what’s happening? What’s the minimal set of signals you need?

  5. Define decision authority. Who decides to activate the fallback? What authority do they have? What requires escalation?

  6. Test the plan. Run a simulation. The model fails. Walk through the response. Did the fallback activate? Did it work? How long did it take? What did you learn?

The Competing Requirement

There’s tension between robustness and resilience. Building fallbacks adds complexity. Crisis-mode observability might not be as rich as normal monitoring. Decision authority that’s too decentralized might make inconsistent decisions.

The enterprises that handle this well don’t try to optimize both equally. They: – Optimize robustness for normal cases (good design, good testing, good monitoring) – Optimize resilience for crisis cases (fallbacks, simple decision authority, pre-planned recovery)

Different optimization targets. Different design choices.

Why Most Enterprises Skip This

Most enterprises skip resilience because:

  1. It’s expensive. You’re spending money to prepare for something you hope won’t happen.

  2. It’s invisible in normal times. Robustness is visible (the system works). Resilience is invisible (you don’t notice the fallback you never used).

  3. It requires thinking about failure. Psychologically, organizations prefer to think about success.

  4. It requires discipline. Testing fallbacks, running drills, maintaining decision authority—this requires ongoing investment.

The Real Cost

The real cost of not having resilience is what happens when crisis hits and your system breaks catastrophically. The cost isn’t just the incident. It’s the loss of trust. It’s the regulatory attention. It’s the effort to rebuild the system.

Most enterprises pay this cost once and then build resilience. The smart ones build it before they pay the cost.

Where To Start

If you have systems affecting high-stakes decisions (hiring, lending, medical), you need resilience now. You can’t afford catastrophic failure.

If you have systems that are critical to business (recommendation, ranking), you need resilience. The cost of catastrophic failure is high.

If you have systems affecting many customers, you need resilience. One failure affects many.

For most enterprises, that’s most of your systems.

Start with one critical system. Map failure modes. Design fallbacks. Plan recovery. Test. Learn. Then do the next one.

The enterprises that invest in resilience now will survive the inevitable crises. The ones that don’t will face catastrophic failures when crisis hits.

In Practice: AI in the Enterprise | Day 78: From Accountability to Continuous Improvement: The Governance Feedback Loop

Most organizations stop at accountability. Someone is responsible for a decision. That’s the end. If the decision was good, great. If it was bad, well, now you know for next time.

But accountability without feedback loops is just punishment. It doesn’t improve the system. Organizations that have feedback loops—where decisions are reviewed, outcomes are measured, and the system improves—those are the organizations that get better at governance.

The Difference Between Accountability and Improvement

Accountability says: You made a decision. You’re responsible for it. If it was bad, you’ll face consequences.

This is necessary. Responsibility matters. But accountability alone doesn’t improve decision-making. It often just defers the problem. The next person avoids making decisions (too risky). Decisions get delayed. Or decisions get made in a way that looks safe even if it’s not effective.

A feedback loop says: You made a decision. We measured the outcome. The outcome was X. Here’s what we learned. Here’s what we’ll do differently next time.

This is how systems improve. The decision-maker learns. The organization learns. The next decision is better.

What Actually Happens Without Feedback Loops

A data scientist decides to deploy a model without extensive testing. It seemed safe. They were wrong. The model made bad predictions. It harmed customers. There was an incident.

With accountability only: The data scientist is held responsible. They’re put on a performance plan. They become more risk-averse. Next time they deploy a model, they spend three months testing. This is safe, but it’s slow.

With a feedback loop: The incident happens. You measure what went wrong. The model lacked important edge cases. You trace back: the testing process didn’t cover these cases. You update your testing. The next model is better tested. You haven’t just punished the person; you’ve improved the system.

Here’s another example: A governance decision. You decide that all models need fairness audits. This seems like a good idea. But fairness audits are expensive. They slow down deployment. A year later, you realize that fairness audits caught very few real problems. They were mostly bureaucracy.

With accountability only: You’ve made a rule. You’re stuck with it, or you change it and someone has to admit it was a bad idea.

With a feedback loop: You measure what the fairness audits catch. You find they’re not very effective. You change the process. Maybe fairness audits are only for high-stakes models. Maybe you do different types of audits for different models. The process improves.

Building Feedback Loops

Feedback loops require:

1. Measurement of outcomes. When you make a decision, you measure what happens. Did pulling the model prevent the problem? Did retraining improve accuracy? Did adding human review reduce false positives?

Most organizations don’t do this systematically. A decision is made. Something happens. But you don’t deliberately measure the effect of the decision.

2. Reflection on what you learned. After measuring, you ask: Why did this happen? Did the decision have the intended effect? Were there unintended effects? What did we learn?

This is not punishment. It’s learning. You’re trying to understand whether your decision-making was effective.

3. Systematic incorporation of learning. You take what you learned and incorporate it into the next decision. Maybe your decision criteria change. Maybe your process changes. Maybe your judgment changes.

4. Documentation of the loop. You write down what you learned. Not as blame. As knowledge. This becomes institutional learning, not just individual learning.

How This Works in Practice

A model is showing accuracy drift. A decision is made to retrain. The model is retrained. Accuracy improves. Now what?

Feedback loop approach: 1. Measure: Accuracy was 89%. After retraining, it’s 92%. 2. Reflect: Retraining was effective. But why did accuracy drift in the first place? We measured the data distribution. Training data had demographic group A at 40%. Current data has demographic group A at 25%. Data distribution shifted. This caused accuracy drift in some demographic groups. 3. Learn: When data distributions shift significantly, accuracy can drift even if overall accuracy looks stable. We should monitor demographic-specific accuracy, not just overall accuracy. 4. Incorporate: We update our monitoring. We now track demographic-specific accuracy for all models. We can catch drift earlier. 5. Document: We document that we discovered demographic-specific monitoring works better than aggregate monitoring. We update our governance standards.

Next time: The next time accuracy drifts, we notice it faster because we’re monitoring for it. We retrain faster. We catch the problem before it becomes severe.

Why Most Organizations Don’t Do This

Most organizations skip feedback loops because:

  1. It’s not mandatory. There’s no rule that says “after a decision, you must measure the outcome and learn.” So it doesn’t happen.

  2. It feels like overhead. Measuring outcomes and reflecting on them takes time. It doesn’t feel like productive work.

  3. Accountability creates defensiveness. If a decision was bad, the person who made it doesn’t want to reflect on it. They want to move on. Adding a feedback loop feels like reopening a wound.

  4. Organizations move fast. There’s a new crisis. A new problem. Nobody has time to reflect on the last decision when the next one is urgent.

  5. Learning is slow. Even if you build feedback loops, learning takes time. It’s not clear that your next decision will be better. So the payoff isn’t obvious.

How to Build This Into Your Governance

Start small. Pick one type of decision. Maybe retraining decisions. When you decide to retrain a model: – Document the decision (why, when, what triggered it) – Measure the outcome (did retraining improve accuracy? by how much? did it have unintended effects?) – Reflect (why did this work or not work?) – Document what you learned

After three to five retraining cycles, you’ll have patterns. You’ll know: when we retrain because accuracy dropped below X, accuracy improves by Y on average. When we retrain because input distribution shifted, accuracy improves by Z.

Now you have evidence. You can use this to improve your retraining decision criteria. Or to predict which models will benefit most from retraining.

As you scale, you expand this to other decisions. Deployment decisions. Fairness audit decisions. Model prioritization decisions.

The Organization That Gets This Right

An organization with good feedback loops has these characteristics:

  • Decisions are documented (not just made)
  • Outcomes are measured (not just hoped for)
  • Learning is captured (not just experienced)
  • Processes improve based on learning (not stayed frozen)
  • People understand the feedback loop (and aren’t defensive about it)

These organizations deploy faster (they learn what’s safe). They make better governance decisions (they have evidence). They respond faster to problems (they’ve seen similar problems before). Their governance improves over time.

Most organizations don’t have this. Governance stays static. Decisions don’t improve. You’re making decisions the same way at year three as you were at year one.

The Most Important Thing

Feedback loops only work if people aren’t afraid. If a decision is bad, a feedback loop might expose it. That’s okay. The point is to learn, not to punish.

This requires psychological safety. People need to know that if they make a decision and measure the outcome honestly, they won’t be punished for being wrong. They’ll be valued for learning.

The organizations that get this right have leaders who ask: “Here’s the decision we made. Here’s what happened. What did we learn?” Not in an accusatory way. In a genuinely curious way.

That curiosity, multiplied across hundreds of decisions over years, accumulates into an organization that governs AI well.

In Practice: AI in the Enterprise | Day 77: The Vendor Relationship Maturity Model: Where Most Enterprises Are vs. Where They Need to Be

Most vendor relationships for AI are transactional. You buy a platform. You deploy models. You call support when something breaks. The vendor has no skin in your success.

A few enterprises have strategic vendor relationships. The vendor understands your use cases. Understands your governance requirements. Helps you think through the hard problems. Shares your upside and downside.

Most enterprises are in the first category and should be in the second. And they don’t know how to get there.

The Vendor Relationship Maturity Model

Level 1: Transactional. You have a vendor. You have a contract. You pay for the product. They provide support according to the SLA. Beyond that, you’re on your own.

Most vendor relationships sit here. The vendor doesn’t know anything about your governance requirements. Doesn’t know your risk tolerance. Doesn’t know which of their systems are critical to you. Their incentive is simple: sell more, support according to contract.

The problem: when something goes wrong (model breaks, new regulation comes, your use case changes), the vendor’s incentive isn’t to help you solve it. It’s to point to the contract and say “that’s not covered.”

Level 2: Advisory. The vendor has assigned someone to your account. They understand your use cases. They make suggestions about how to use their platform better. They might suggest new features. They help you think through architecture decisions.

Some enterprises get here. It’s better than transactional. The vendor has more context. But the relationship is still one-way. You come to them with problems. They respond. They’re not proactively partnering in your governance.

Level 3: Collaborative. The vendor understands your governance requirements. You have regular conversations about how their platform supports your governance needs. When regulations change, you talk about implications. When new use cases come up, you discuss architecture together.

The vendor has skin in your success. If you deploy poorly, they’ll hear about it. If there’s a problem with their product that affects your governance, they’ll help fix it.

Few enterprises get here. It requires the vendor to have deep people (someone senior enough to understand governance). It requires you to have openness (willing to share your governance challenges). It requires regular engagement (not just when there’s a problem).

Level 4: Strategic. The vendor is a partner in your governance strategy. They’re not just supporting what you’re doing; they’re helping you build it better. When you’re building a new governance capability (automated retraining, fairness monitoring, drift detection), they’re thinking through implications with you.

The vendor shares your risk and upside. If their platform helps you deploy faster and more safely, they share the benefit (through growth, through advocacy). If their platform causes problems, they share the cost (through support, through negotiation).

Almost no enterprises have strategic vendor relationships. It requires trust. It requires the vendor to be invested in your success over many years.

Why Most Are Transactional

Most enterprises stay transactional because:

  1. Many transactional vendor relationships are structured around revenue optimization. In transactional relationships, vendors optimize for revenue and support cost. A transactional relationship is cheaper for them. They don’t want to invest in understanding your governance if it doesn’t lead to more revenue.

  2. Enterprises don’t know what to ask for. You don’t articulate your governance requirements to the vendor. You just deploy. If it works, great. If not, you upgrade, reconfigure, or find a different vendor.

  3. Switching costs are high. Because you’re not really integrated with the vendor (you haven’t designed your governance around their platform), switching is hard. So you have leverage but don’t use it.

  4. Enterprises don’t know what strategic looks like. You might want a strategic relationship but don’t know how to ask for it or what to demand in return.

How to Move Up the Maturity Model

Start by getting clear on your governance requirements. What are your non-negotiables? What does the vendor’s platform need to support for you to govern well? (Audit trails, explainability, monitoring, integration with your data layer, API access, etc.)

Document these. Not as “nice to haves.” As requirements.

Assess the vendor against your requirements. Be honest. Does their platform support your governance needs? Does it support your scaling plans? Do they have the product roadmap you need?

If the answer is no, switching might be the right move. But at least you’re making the decision deliberately.

If you want to stay, propose a relationship upgrade. Tell the vendor: “We want to move from transactional to advisory.” What does that mean? – We want to have regular strategic conversations (quarterly, not just when there’s a problem) – We want to share our governance requirements and work through how your platform supports them – We want to understand your roadmap and give you input – We want you to understand our use cases deeply

In exchange: – We’ll stay with your platform as we scale – We’ll give you feedback and help you improve – We might advocate for you (reference customer, case study, recommendation)

As the relationship matures, push toward collaborative and strategic. This takes time and effort. You need: – Regular engagement (quarterly strategic reviews) – Shared goals (you want to govern better, they want to help) – Mutual investment (they invest in understanding your problem, you invest in learning their platform) – Trust (they share your roadmap, you share your constraints)

What to Negotiate

As you upgrade the relationship, here’s what to negotiate:

Uptime and response SLAs for critical systems. The SLA that works for a non-critical system doesn’t work for a system affecting millions of customers.

Integration rights. Can you integrate their system with your governance infrastructure? Can you access your data? Can you build on top of their APIs?

Custom development. If their platform doesn’t support something critical for your governance, can they build it? At what cost?

Roadmap influence. Can you influence their roadmap? If they’re not building something you need, can you work with them to prioritize it?

Support for scale. As you go from 1 to 100 systems, what changes? Do their support model scale? Do you get dedicated resources?

Governance collaboration. Can they help you think through governance? Do they have people who understand regulation, fairness, monitoring, incident response?

The Economic Reality

Strategic relationships are expensive. You’re asking the vendor to invest people and time. They’ll expect to be compensated.

Usually this happens through: – Higher contract values (you’re locked in, so you pay more) – Revenue sharing (you make money because of their platform, they share) – Longer commitments (3-5 years instead of 1) – Exclusive focus (they prioritize your needs)

You’ll also invest time. Regular meetings. Feedback cycles. Governance collaboration.

The payoff: you’ll deploy faster, safer, and with more confidence. You’ll have a vendor who understands your business. When you have problems, they’ll help solve them.

Most enterprises stay transactional because the upfront investment feels high. The enterprises that move to strategic relationships do so because they realize the long-term payoff is much higher.

Where You Should Be

If you have 1-5 systems, transactional is fine. You know the platform, you can solve problems yourself.

If you have 5-20 systems, you should be advisory. Someone at the vendor should understand your governance requirements.

If you have 20+ systems, you should be collaborative or strategic. You’re too invested in their platform not to have a relationship that’s mutually beneficial.

Most enterprises are one level below where they should be. Not because they’re doing something wrong. Because they haven’t negotiated the upgrade.

Do it. The vendors that are willing to upgrade the relationship are the vendors worth staying with.

In Practice: AI in the Enterprise | Day 76: Recursive Decision-Making: When AI Systems Need to Decide About Other AI Systems

You have 50 AI systems. At some point, you’ll want one AI system to help make decisions about other AI systems. Should this model be deployed? Should this model be pulled? Should we retrain this model?

This is not science fiction. It’s happening now. And it raises an entirely new governance problem: how do you govern decisions about AI when the decision-maker is also AI?

The Problem You’re About to Face

Right now, humans make decisions about AI systems. An anomaly detector alerts that a model’s accuracy degraded. A human reviews it. They decide whether to investigate, retrain, or pull. They’re accountable.

As you scale, this becomes untenable. You can’t have a human review every anomaly for every system. You need automated decision-making.

So you build an AI system to make decisions. The system monitors 50 models. When it detects something, it makes a recommendation. Or it makes the decision directly (with escalation for edge cases).

Now you have a new governance problem: how do you ensure the AI system that makes decisions about AI is itself well-governed?

What’s Different About Recursive Governance

Recursive governance has unique properties:

First: The feedback loop is different. If a human makes a bad decision about a model, you notice and correct it. The human learns.

If an AI system makes bad decisions about other AI systems, it might keep making the same mistake repeatedly. It might compound errors. A bad decision about one model might trigger bad decisions about other models.

Second: Accountability becomes unclear. When a human makes a decision and it’s wrong, accountability is clear. That human is responsible.

When an AI system makes a decision and it’s wrong, accountability is less clear. Who built the system? Who is responsible for its training data? Who is responsible for monitoring its decisions?

Third: Governance complexity multiplies. You’re not just governing the base models. You’re governing the decision-making system. And you need to govern the governance of the governance system.

This is where it gets complex.

What You Need to Build

Recursive governance requires:

1. Transparent decision-making. When the decision-making AI system makes a recommendation, you need to understand why. Not a black box. Interpretable logic.

For critical decisions (should we pull this model?), you need to be able to explain: I recommended pulling because accuracy dropped X%, monitoring shows Y, and the confidence is Z. You need to be able to challenge the recommendation.

2. Human escalation for edge cases. Not every decision should be automated. High-stakes decisions (pulling a model that affects millions of customers) should have human review even if the automated system is confident.

Define which decisions can be fully automated. Which need human review. Which need human decision-making.

3. Bias correction for the decision-making system. The AI system that makes decisions will have biases. It might be biased toward pulling models. Or toward being conservative. Or toward recommending retraining.

Monitor for these biases. Actively correct them.

4. Audit trails for cascading decisions. If the decision-making system makes a decision about Model A, which affects Model B, which affects Model C, you need to trace the cascade. What were the original decision criteria? How did they cascade? What were the consequences?

5. Feedback loops for the decision-making system. When the decision-making system makes a decision, does it learn from the outcome? If it recommended retraining and accuracy improved, does it learn that retraining was the right decision?

This requires deliberate feedback loops. Not automatic learning (that’s dangerous). But structured feedback so the decision-making system improves over time.

A Concrete Example

You have an autonomous system that decides which models to retrain. It monitors 50 models. When accuracy drops below threshold, it triggers retraining. When retraining is complete, it evaluates whether accuracy improved. If yes, it considers it a successful decision. If no, it tries a different approach.

This system is learning. But what’s it learning? Is it learning that retraining works? Or is it learning that the retraining process is fundamentally broken for some models?

Without careful governance, the system might learn the wrong lessons. It might retrain models unnecessarily. Or miss models that genuinely need retraining.

The governance you need: – Transparency: why did it choose to retrain this model? – Escalation: for models that affect critical business processes, require human approval before retraining – Bias monitoring: is it biased toward retraining or toward leaving models alone? – Audit trails: trace all retraining decisions and their outcomes – Feedback: does it learn that certain types of models respond well to retraining? Does it learn that certain data changes require retraining but the system trained once didn’t catch?

Why This Is Hard

Recursive governance is hard because:

  1. You lose observability. When humans made decisions, you could observe them (watch the meeting, review the decision record). When AI makes decisions, you need to instrument the system to understand what’s happening.

  2. You lose direct accountability. When a human makes a bad decision, you can retrain them. When an AI system makes bad decisions, you need to retrain the system or change its training data or modify its rules. The solution is less obvious.

  3. Cascading failures become possible. A bad decision by the decision-making AI can trigger bad decisions in other systems. This can cascade. A single error can multiply.

  4. Measuring success becomes ambiguous. How do you know if your decision-making AI is good? Did it make the right decision? Did it improve on what a human would do? How do you compare?

Getting This Right

Start by being conservative. The first decision-making AI systems should be: – Limited in scope (one type of decision, one class of models) – High transparency (you understand every decision) – High escalation (most decisions require human review) – Well-monitored (you’re watching for error patterns)

Gradually, as you gain confidence, you can increase automation. More decisions, less human review. But keep the monitoring and transparency.

The enterprises that get this right are the ones that treat the decision-making AI system as a critical system that needs governance as much as any production model.

The Deeper Insight

Recursive governance reveals something important: governance itself needs to be governed. Your governance system has characteristics. It has biases. It makes decisions. Those decisions have consequences. As you automate governance, you need to automate the governance of governance.

This sounds abstract. In practice, it means: – Your decision-making AI system is a production system that needs monitoring – Its decisions affect other systems, so failures cascade – You need to understand its behavior and correct it – You need audit trails and accountability

The governance that works for base models—monitoring, alerting, human review—also works for decision-making systems. But you need to apply it one level higher.

This is the challenge of governance at scale: building systems that can govern themselves while remaining under human control.

In Practice: AI in the Enterprise | Day 75: From Metrics to Dashboards to Decision-Making: The Information Architecture of AI Governance

Most enterprises measure the wrong things. Not because they don’t have metrics. They have too many. The problem isn’t measurement. It’s that measurement isn’t connected to decisions.

You can have perfect metrics and still not know what to do about them. You can have comprehensive dashboards and still be paralyzed about which system to prioritize. The gap between measurement and action is where good governance goes to die.

The Problem You’re Living

Your data science team has metrics. They measure model accuracy, latency, feature importance. They generate reports. The reports sit on a dashboard. People look at them occasionally.

Your business team has different metrics. Customer satisfaction. Churn. Revenue. They care about their metrics. They don’t connect them to the model metrics.

Your governance team has its own metrics. Fairness scores. Bias audits. Explainability measurements. They monitor them. But when something is out of bounds, they don’t always know what to do about it.

Here’s what happens: A model’s fairness score degrades. You have an alert. Then what? Do you retrain? Pull the model? Investigate why fairness degraded? Different teams would answer differently. So decisions get delayed or deferred.

This is the gap: measurement without decision architecture.

What Measurement Should Feed

Measurement should feed four things:

1. Alerting and escalation. When something is out of bounds, someone should know immediately. Knows what it means. Knows what decision authority they have.

Most organizations have alerts but not decision authority. Someone gets an alert that fairness degraded. But they don’t have the authority to investigate, don’t have the resources, don’t have the criteria for deciding what to do. The alert fires and nothing happens.

2. Trade-off visibility. Your model makes trade-offs. Accuracy vs. fairness. Latency vs. cost. Interpretability vs. predictive power. You need to know what trade-offs your model is making. And you need decision authority to make trade-off decisions.

Most organizations don’t make trade-off visibility explicit. You measure accuracy. You measure fairness. You don’t measure the trade-off between them. So when you need to optimize one at the expense of the other, you don’t have the data to make that decision deliberately.

3. Portfolio-level prioritization. You have 50 systems. All of them are slightly out of compliance. All of them could be better. Which ones do you fix first?

Prioritization requires measurement of impact. Which system affects the most customers? Which has the highest risk? Which is degrading fastest? You need a way to compare systems and decide where to invest effort.

Most organizations have system-level dashboards but no portfolio-level view. So prioritization happens by politics, not by data.

4. Root cause understanding. When something goes wrong, you need to understand why. Is the model degrading? Is the data changing? Is the system receiving different inputs than before? Is the training process broken?

Measurement should give you data to diagnose. When a fairness score drops, you should be able to see: is this because the training data changed? Is this because the model is training on a new feature? Is this because the input data distribution shifted?

Most organizations have metrics without diagnosis. They know something is wrong but not why.

Building Decision Architecture

The gap between measurement and decision is closed by building decision architecture. Here’s what that looks like:

First: Define decision points. For each system, what decisions need to be made? Retrain or not. Pull the model or not. Investigate anomaly or not. Optimize for accuracy or fairness. Add human review or not.

Make these decision points explicit.

Second: Define decision criteria. For each decision point, what data should you look at? When accuracy drops below X, investigate. When fairness gap exceeds Y, escalate. When latency spikes above Z, consider pulling.

This sounds obvious. Most organizations don’t have explicit decision criteria. So decisions are made inconsistently or delayed.

Third: Define decision authority. Who has authority to make each decision? Not a committee. A person or role. When the alert fires, who decides what to do? What escalation path if they need help?

Fourth: Connect measurement to criteria. Your dashboard should highlight when decision criteria are met. You shouldn’t need to look at 20 metrics and figure out what it means. The dashboard should tell you: “This metric triggered decision criterion X. Recommendation: escalate to Y.”

This requires building measurement and dashboarding with decision-making in mind. Not as analytics. As decision support.

How This Works in Practice

A model accuracy degrades from 92% to 87%. Alert fires.

Without decision architecture: Alert goes to Slack. Someone looks at it. They don’t have criteria for whether 87% is acceptable. They don’t have authority to decide what to do. They mention it in a standup. Nothing happens. Accuracy continues degrading.

With decision architecture: Alert fires. Dashboard shows: “Accuracy degraded from 92% to 87%. Decision criterion met: accuracy below 88%. Recommendation: investigate root cause within 48 hours. If root cause is data quality, escalate to data team lead. If root cause is model, escalate to model owner. If root cause is unclear after 48 hours, pull model and switch to fallback.”

The alert is now connected to action. The on-call engineer knows what to do. They have authority. They have resources. Something happens.

The Scaling Problem

At one system, you can have all conversations synchronously. Governance happens in meetings.

At 10 systems, you need documented decision architecture. Different teams need to know how to make decisions without constant meetings.

At 50 systems, you need decision automation. You can’t have a human review every decision for every system. You need rules that automatically escalate when criteria are met. You need dashboards that show portfolio-level priorities.

At 100 systems, you need decision intelligence. You need data about which types of decisions are most effective. Which escalation paths work. Which models tend to degrade fastest. You use this to predict which systems will need attention next.

Starting Point

Start with one system. Map its decision points. What are the critical decisions? Define criteria. Define authority. Build a dashboard. Test it. Did you catch the next problem early? Did the right person make the right decision?

Then replicate for the next system. Look for patterns. Which decision points appear across systems? Build common criteria. Build common dashboards.

As you scale, you’re not adding more measurement. You’re connecting measurement to decisions more systematically. You’re building decision architecture that works across systems.

Why This Matters

Most enterprises have the data they need to govern AI well. They don’t connect it to action. The gap between measurement and decision is where enormous amounts of governance potential gets wasted.

Measurement without decision architecture is overhead. It’s noise. Decision architecture connected to measurement is leverage. It’s how you govern at scale without doubling your governance team for every new system.

The enterprises that do this well have something that looks like automated governance. They don’t have more people. They have better decision architecture.

In Practice: AI in the Enterprise | Day 74: The Governance Evolution: What Changes as You Scale AI from 1 to 10 to 100 Systems

I’ve watched enterprises scale from their first AI system to their tenth to their hundredth. The governance challenge doesn’t grow linearly. It transforms.

Most enterprises don’t see this coming. They build governance for one system. It works. Then they deploy a second system and realize their governance doesn’t scale. They bolt on more process. By the time they have ten systems, they’re buried in governance overhead. By twenty systems, they’re paralyzed.

The enterprises that navigate this well are the ones that understand what changes at each scale. They rebuild governance intentionally.

One System

When you have one system, governance is simple. You know the model. You know the data. You know the team. You know what can go wrong. You can have all the conversations in one room.

Your governance is mostly about: Have we thought about risks? Is there a human review before the model makes decisions that affect people? Do we have monitoring? Can we turn it off?

This is good governance, but it’s personal. It depends on a team that knows everything about the system.

Three to Five Systems

Now you have multiple systems. They’re in different domains. Different data. Different risks. Different teams.

What changes: You can’t have all conversations in one room anymore. You need structures that work when governance teams and model teams aren’t working together constantly.

The governance patterns that worked for one system (lots of synchronous communication, informal decision-making) break. You need: – Written standards so that different teams understand what’s expected – Decision gates with clear criteria (when does a model get approved for deployment?) – Escalation paths for edge cases (what happens when a team’s model doesn’t meet standards?) – Governance infrastructure that doesn’t depend on one person

You’re building governance processes. Not just governance thinking.

Ten to Twenty Systems

Now you have specialized domains. Banking AI systems. Pricing AI systems. Recommendation AI systems. Each domain has different risks, different data sensitivities, different regulatory requirements.

What changes: You can’t have one-size-fits-all governance anymore. Different systems have different risk profiles. Some need more monitoring. Some need more human review. Some have different regulatory requirements.

The governance that works across different domains is: Set principles, let teams implement them differently.

Example: “All systems that make decisions affecting customers must have human review” is a principle. But what human review means varies. In a lending model, human review might be: the model recommends, a human decides. In a recommendation system, human review might be: we manually check top decisions weekly. In a pricing system, human review might be: we have rules that block outlier decisions.

Same principle. Different implementations.

This requires: – Governance frameworks that are principles-based, not process-based – Tailoring mechanisms (how do you adapt the framework to different domains?) – Trade-off decisions (risk vs. speed vs. cost—what’s the right balance for this domain?) – Governance architecture that can accommodate domain variation

You’re building governance that scales across different types of systems.

Fifty to One Hundred Systems

At scale, you’re not building individual systems anymore. You’re building a portfolio. You have systems in different domains, at different maturity levels, built by different teams, with different governance maturity.

What changes: You need to optimize across the portfolio, not just individual systems. Some systems are solving problems that drive revenue. Some are solving problems that reduce risk. Some are experimental.

Your governance needs to reflect these different roles.

Also, at this scale, you can’t rebuild governance for every new system. You have systems that were built with old frameworks. Systems that are newer. Systems that are maintained by teams with different governance maturity.

This requires: – Portfolio-level governance (how do you set standards across systems at different maturity levels?) – Progressive governance (how do you enforce governance on existing systems without forcing re-architecture?) – Governance simplification (if you’re running 100 systems, you can’t have 100 different governance approaches) – Incentive structures (how do you make it easier to do governance right than to skip it?)

You’re building governance that scales across organizational complexity.

What This Means Practically

The enterprises that navigate these transitions well do three things:

First, they anticipate the evolution. When you have three systems, you think about what governance will look like with ten. You build infrastructure that can evolve. You use tools that scale. You make decisions about architecture with future scale in mind.

Second, they rebuild governance intentionally at inflection points. When they move from 5 to 15 systems, they don’t just bolt on more process. They redesign governance. Different approach, different tooling, different organizational structure.

Third, they invest in governance infrastructure. Governance platforms. Monitoring tools. Decision support systems. These seem like overhead when you have one system. They’re essential when you have fifty.

The Most Common Mistake

Enterprises try to scale governance by replicating the same governance for every system. This works until scale makes it impossible. Then they either: – Build massive governance overhead (every system goes through the same 10-week approval process) – Abandon governance (teams skip it because it’s too slow) – Build governance anarchy (every team does their own thing)

None of these work.

What works is building governance that evolves with scale. That’s intentional, not accidental.

Where You Are

If you have 1-5 systems, build governance thinking that can survive scale. Invest in standards and clarity even if informal communication would work now.

If you have 5-20 systems, you’re at an inflection point. Evaluate whether your governance is scaling or creaking. If it’s creaking, rebuild.

If you have 20-50 systems, you need portfolio-level thinking. Stop treating each system as independent. Optimize across the portfolio.

If you have 50+ systems, you need progressive governance. You can’t force all systems into one framework. Build a framework that works across maturity levels.

The governance that works for your tenth system won’t work for your hundredth. The enterprises that win are the ones that rebuild intentionally before they’re forced to.

In Practice: AI in the Enterprise | Day 73: When Data Governance Becomes Strategic

Data governance is boring. It’s about metadata. It’s about lineage. It’s about making sure you know where data came from and what it means. Most enterprises treat it as a compliance obligation. A checklist.

But data governance is actually one of your most powerful levers for responding to governance change. Enterprises that nail it outpace competitors. Not because they’re more compliant (though they are). Because they can adapt faster.

Why This Matters

Think about what happens when a regulator asks for something new. Let’s say a new fairness requirement comes out. It says: “When you make decisions using AI, you must verify that the model doesn’t have disparate impact on [specific demographic group].”

If you understand where every piece of data in your pipeline came from, what it means, how it’s used, and what it’s called in each system, you can answer this quickly. You can trace back: “Our model uses data field X, which comes from source Y, and it maps to demographic group Z.” You can check fairness. You can respond to the regulator in weeks.

If you don’t understand your data, the same question takes months. You have to trace through your data architecture. You discover that three systems call the same thing by different names. You find that the demographic data you need is in a database that’s hard to access. You discover that the lineage is unclear. The regulator’s deadline passes while you’re still figuring out what you have.

This happens constantly. Data governance is the difference between “we can respond to this change” and “we can’t move fast enough.”

The Capabilities That Matter

Most data governance frameworks focus on the wrong things. They care about: Is our data documented? Do we have a data dictionary? Is lineage tracked?

These are necessary. They’re not sufficient.

What matters for strategic governance is:

1. Semantic consistency. The same concept is called the same thing everywhere it’s used. “Customer age” is called “customer_age” in the data warehouse, “age” in the ML pipeline, and “customer_demographics.age” in the API. That inconsistency is a problem because it makes tracing lineage hard.

Enterprises that solve this have a common semantic layer. A single source of truth for what “customer age” means across all systems. When someone asks “where is customer age used?” you have one answer.

2. Lineage tracking with purpose. You track not just “field X comes from database Y” but “field X is used for purpose Z.” When a regulator asks for fairness for demographic group Z, you can quickly find all the places that data is used.

Most enterprises track lineage. Few track it with purpose. This means when something changes, you’re always discovering new dependencies and new implications.

3. Quality metrics tied to use cases. Data quality isn’t absolute. It’s relative to how you use it. If customer age is used for marketing segmentation, you need less precision than if it’s used for fairness auditing.

Enterprises that do this well have different quality thresholds for data depending on its use case. This means you can make trade-offs: “This data is good enough for fraud detection. It’s not good enough for fairness auditing. If we want to use it for fairness auditing, we need to improve it.”

This matters when regulators change requirements. You can’t always upgrade data quality across the board. But you can make deliberate trade-offs if you understand the use cases.

4. Access and audit trails. When data is accessed, by whom, for what purpose, is that tracked? Can you answer: “Who used this demographic data in the last month? Who accessed these fairness metrics?”

This sounds like a compliance thing. It’s also a strategic thing. When an incident happens or a regulator asks questions, you can quickly trace what happened, who was involved, what they were doing.

5. Data ownership with clear responsibility. For each critical data field or dataset, someone owns it. Not “the data team.” A person. They’re responsible for: Does this data serve our current governance requirements? If regulations change, what would we need to do to this data? How do we maintain its quality?

Clear ownership means clear accountability. When something needs to change, you know who to talk to.

Why Enterprises Don’t Do This

Building this level of data governance is expensive. It requires infrastructure. It requires discipline. It requires that teams move together on semantic consistency, even when they’d prefer to move independently.

Most enterprises skip it because it doesn’t show up in incident response or crisis. When a model breaks, it’s not usually because data governance is bad. It’s because the model was poorly designed or trained.

So data governance gets deferred. It becomes a backlog item. Something we’ll do when we have time.

Then a regulatory change comes. Or an integration breaks because different systems use the same field name for different things. Or you need to trace an incident and you can’t figure out how data flowed through your systems. Then you discover that the cost of having good data governance now is lower than the cost of building it in crisis.

How to Start

You don’t rebuild your entire data infrastructure. You start with the critical path:

Identify critical data. Which data fields are most important for governance? Probably: demographic data, decision data, accuracy metrics, fairness metrics, model inputs, model outputs. These are the fields that regulators will ask about. Map them.

Create semantic consistency for critical data. Define what these fields mean. Call them the same thing everywhere. Create a data dictionary. This is not a one-time thing. It requires discipline and periodic review.

Track lineage for critical data. How does demographic data flow from source systems through ML pipelines to decision systems? If someone asks “where is demographic data used?” you should be able to answer in minutes, not weeks.

Define quality thresholds by use case. For each critical data field, what quality do you need? Does it vary by use case? Build that into your data quality monitoring.

Assign ownership. For each critical dataset, name the owner. They’re responsible for keeping it current, maintaining quality, understanding dependencies.

The Competitive Advantage

This sounds like overhead. It’s actually a strategic advantage.

Enterprises with good data governance can: – Respond to regulatory changes in weeks, not months – Make trade-offs deliberately (“we’ll use this data for this purpose but not that one”) – Debug incidents faster (clear tracing of data flow) – Integrate new systems faster (semantic consistency means less mapping work) – Make better decisions about what to fix first (clear understanding of dependencies)

Over three to five years, this accumulates. The enterprises with strong data governance pull ahead. Not because they’re more compliant. Because they’re more adaptive.

The Real Reason This Matters

You’re going to need to change your AI governance multiple times in the next five years. Regulations will change. New risks will emerge. Your systems will evolve. Each time something changes, you’ll need to understand how it flows through your systems, what you need to change, what the dependencies are.

Data governance is what makes that possible. Without it, you’re building everything from scratch every time. With it, you’re adapting within a clear framework.

That’s the difference between competitive and struggling. Data governance becomes strategic not because regulators demand it, but because it’s the foundation for adaptive governance at scale.