The Governance Gap
In the past six months, we have reviewed AI governance frameworks from over a dozen enterprises. The pattern is depressingly consistent: a well-designed document created by a committee of senior leaders, reviewed by legal, approved by the board, and completely disconnected from how AI decisions are actually made on the ground.
This is governance theater. It protects the company from the accusation that it has no governance. It does not actually govern anything.
Why Frameworks Fail
- They are too abstract. Principles like "fairness," "transparency," and "accountability" are unobjectionable and unactionable. When an ML engineer needs to decide whether a model's error rate on a specific demographic is acceptable, "be fair" does not help. They need a specific threshold, a process for evaluating it, and clarity about who makes the final call when the numbers are borderline.
- They lack enforcement mechanisms. Most frameworks describe what should happen but not what happens when it does not. There is no consequence for deploying a model without the required documentation. There is no gate in the deployment pipeline that checks for governance compliance. The framework is advisory, which in practice means it is optional.
- They are written by people who do not build AI. Governance committees are typically composed of executives, lawyers, and ethicists. These are important perspectives. But if no one in the room has deployed a model to production, the framework will not account for the practical realities of AI development, including the speed at which decisions need to be made and the trade-offs that arise in the moment.
What Actually Works
Effective AI governance has three characteristics that most frameworks lack.
First, it is embedded in the development process. Governance checks are automated gates in the CI/CD pipeline, not manual reviews that happen after deployment. If a model cannot pass the bias evaluation, it cannot be deployed. This is not a policy. It is a technical control.
Second, it is specific. Instead of "ensure fairness," it says "model accuracy must not vary by more than X% across defined demographic groups." Instead of "maintain transparency," it says "every model in production must have a model card updated within 30 days of any retraining."
Third, it is owned by the engineering team, not a committee. The people building the AI are responsible for the governance of the AI. A separate governance body reviews and audits, but ownership sits with the builders.
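The first two characteristics can be combined into a single pipeline step. The sketch below is an added example, not code from any framework reviewed here; the 5% threshold stands in for the unspecified "X%", and the function names, record format and sample data are assumptions made for illustration.

```python
import sys
from datetime import date, timedelta

MAX_ACCURACY_GAP = 0.05                  # assumed stand-in for the article's "X%"
MODEL_CARD_MAX_AGE = timedelta(days=30)  # the article's 30-day model card rule

def group_accuracy(records):
    """records: iterable of (group, y_true, y_pred). Returns {group: accuracy}."""
    totals, correct = {}, {}
    for group, y_true, y_pred in records:
        totals[group] = totals.get(group, 0) + 1
        correct[group] = correct.get(group, 0) + int(y_true == y_pred)
    return {g: correct[g] / totals[g] for g in totals}

def governance_gate(records, required_groups, retrained_on, card_updated_on, today):
    """Return a list of violations; an empty list means the deploy may proceed."""
    violations = []
    acc = group_accuracy(records)
    # Fail closed: a group with no evaluation data cannot be shown to pass.
    missing = sorted(set(required_groups) - set(acc))
    if missing:
        violations.append(f"no evaluation data for groups: {missing}")
    if acc:
        gap = max(acc.values()) - min(acc.values())
        if gap > MAX_ACCURACY_GAP:
            violations.append(f"accuracy gap {gap:.3f} exceeds {MAX_ACCURACY_GAP}")
    # The card is stale if it predates the last retraining (or does not exist).
    stale = card_updated_on is None or card_updated_on < retrained_on
    if stale and today - retrained_on > MODEL_CARD_MAX_AGE:
        violations.append("model card not updated within 30 days of retraining")
    return violations

# Constructed evaluation results: group A scores 9/10, group B scores 8/10.
SAMPLE = ([("A", 1, 1)] * 9 + [("A", 1, 0)] +
          [("B", 1, 1)] * 8 + [("B", 1, 0)] * 2)

if __name__ == "__main__":
    problems = governance_gate(SAMPLE, ["A", "B"], date(2024, 1, 1),
                               date(2024, 1, 10), date(2024, 3, 1))
    for p in problems:
        print("BLOCKED:", p)
    sys.exit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Run as a required pipeline stage, the non-zero exit code is what turns the policy into a gate: the deploy job never starts unless the violation list is empty.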
The Test
Ask your ML engineers whether they have ever been blocked from deploying a model because of your governance framework. If the answer is no, you do not have governance. You have a document.