Not registered? Create an Account
Forgot your password? Reset Password
Artificial intelligence governance has become a central concern for regulators and boards. New frameworks such as the European Union’s AI Act and ISO/IEC 42001:2023 have raised expectations that organizations will demonstrate control over how their AI systems operate. Yet surveys continue to show that most companies remain unprepared. AuditBoard’s 2024 Blueprint to Reality report found that only one quarter of organizations have fully implemented AI governance programs, even though awareness of regulation is high (AuditBoard, 2024).
The explanation often defaults to technical difficulty. Algorithms are complex, datasets are vast, and system interactions are unpredictable. However, research indicates that the real barriers are organizational rather than technical. A lack of clear ownership, cultural resistance, and fragmented structures prevent organizations from moving beyond policies into practice (AuditBoard, 2024; Barth et al., 2024).
When responsibility for AI governance is not clearly assigned, policies rarely translate into action. AuditBoard reported that nearly half of organizations surveyed could not identify who was accountable for governance across their AI systems (AuditBoard, 2024). Because AI touches multiple functions—engineering, compliance, legal, and operations—no department is willing to take full responsibility. This creates diffusion of responsibility, where each group assumes another will manage the risks.
Governance also collides with organizational culture. The AstraZeneca case study on ethics-based auditing found that aligning decentralized business units was less a technical problem than a cultural one. Employees worried that audits would slow innovation or expose failures, leading to resistance and disengagement (Barth et al., 2024). In other organizations, “ethics fatigue” has set in. Governance boards exist but lack authority, and employees treat them as symbolic rather than operational. Without cultural trust, governance initiatives can trigger avoidance rather than compliance.
Even when governance programs exist, they are often layered on top of existing operations rather than integrated into them. AstraZeneca’s experience showed how different units interpreted governance in inconsistent ways, resulting in patchy coverage (Barth et al., 2024). When AI governance is isolated from enterprise risk management and internal audit systems, it competes for attention instead of reinforcing existing structures.
Effective AI governance requires more than technical expertise. It requires a layered response that addresses ownership, culture, and structure.
The first step is establishing explicit accountability frameworks. A RACI model that defines who is responsible, who is accountable, who must be consulted, and who is informed helps prevent diffusion of responsibility.
The second step is strengthening ethics boards so that they influence operational decisions rather than providing symbolic oversight. Requiring sign-off on risk registers or incident playbooks ensures governance bodies have practical authority.
The third step is embedding governance representatives within business units. These “nodes” translate central standards into local practice and ensure evidence flows back to a unified governance framework.
The fourth step is creating communication rhythms. Regular cross-functional councils, evidence reviews, and escalation drills build trust that governance is continuous and not ceremonial.
The fifth step is investing in change management. Training programs should emphasize not only regulatory requirements but also the social value of governance. Employees are more likely to participate when they see governance as protecting citizens rather than punishing engineers.
The final step is integrating AI governance into enterprise risk systems. Including AI risks alongside financial and cybersecurity risks prevents governance from becoming an isolated initiative.
AI governance does not fail because algorithms are inscrutable. It fails because organizations are unprepared to assign ownership, overcome cultural resistance, and integrate governance into existing structures. Evidence from AuditBoard’s survey and AstraZeneca’s case study demonstrates that these barriers are decisive.
The path forward requires clear accountability, empowered governance bodies, decentralized alignment, consistent communication, cultural engagement, and integration with enterprise risk management. Only when governance is owned and embedded will organizations move from symbolic compliance to genuine stewardship of AI systems.
AuditBoard. (2024). From blueprint to reality: The state of AI governance programs. AuditBoard. https://auditboard.com/blog/new-research-finds-only-25-percent-of-organizations-report-a-fully-implemented-ai-governance-program
Barth, S., Wanner, D., Zimmermann, H., & Andreeva, J. (2024). Operationalising AI governance through ethics-based auditing: An industry case study. arXiv. https://arxiv.org/abs/2407.06232
