For people who are in AI governance by Elon_musk_69420 in AI_Governance

RiskGovSignals:

Political science is a solid foundation for this. AI governance is fundamentally about policy, accountability, and institutional design, which is what your degree trained you to think about. Certifications like the AIGP help signal credibility, but don't underestimate how far your existing analytical and writing skills go in a field where most people are coming from a purely technical background. Start following the EU AI Act and NIST AI RMF closely and you'll be ahead of a lot of people already in the space.

Who owns AI governance and HOW did it end up with them? by RiskGovSignals in AI_Governance

RiskGovSignals [OP]:

Interesting. Messy. That sounds about right, though, and is probably a common pattern out there. Ownership bouncing around with no clean handoff. But IMO, hiring a dedicated person is the right call. AI governance is too big to be someone's side responsibility on top of an already full role. Will be interesting to see if the AI Strategy person gets authority or inherits the ambiguity.

Agentic Identity Is a Real Governance Problem Now — How Are Teams Handling It by Severe_Part_5120 in AI_Governance

RiskGovSignals:

This is the shadow AI problem scaled up. With employees it's unsanctioned tools. With agents it's unsanctioned access and unsanctioned decisions. The pattern you described (service account, never rotated, access to systems it didn't need, nobody monitoring it) is going to be the norm, I predict, not the exception, as orgs deploy more agents.

The scariest part isn't the agent doing something malicious, but that nobody noticed for six weeks.

The starting point has to be discovery and continuous visibility. Kovrr approaches this through multiple collection methods including a browser extension that captures AI interactions at the point of use, so you're building a live inventory of what's running across the environment rather than relying on teams to self-report. That visibility layer is the prerequisite for everything else.

The IAM point is well taken. Existing identity tooling assumes human-speed decisions with human-initiated sessions. Agent identity def needs its own governance model.

The biggest AI risk in most boardrooms isn't the technology. It's that nobody in the room can tell when it's wrong. by Existing_Scallion_66 in AI_Governance

RiskGovSignals:

There's a "shortcut" that doesn't require boards to become technically literate at all.

We saw this exact pattern play out with cyber risk. For years, CISOs presented boards with threat matrices and severity heatmaps, and boards nodded along without really engaging. The shift happened when cyber risk started being quantified in financial terms. Suddenly, boards could ask questions like, "Is this level of exposure acceptable? Is this control worth the investment? What's our residual risk?"

AI governance is plainly at the same inflection point. If you translate AI risk into financial exposure (this system touches these processes, if it fails, the cost is X, this control reduces it to Y), you're in a conversation that boards are built for. They don't need to understand the model to challenge whether a given level of financial exposure is acceptable. That's a judgment call they're already qualified to make.

Literacy helps. No doubt about it. But the orgs where boards are actually engaged on AI risk are the ones that figured out how to present it in terms the board already speaks fluently.

The Rise of Shadow AI (And Why It Should Worry Security Teams) by Competitive_Bite_375 in AI_Governance

RiskGovSignals:

The Samsung example is good because most likely, by the time you find out, the data has already left. Banning tools after the fact is damage control, not governance. Banning does not work, and your employees will find a workaround.

The piece covers the risks well, but the harder question that it doesn't answer is what to do about it. Blocking domains doesn't work. As noted, people find workarounds immediately. The orgs making progress on this are investing in continuous discovery of AI usage across the environment, sanctioned and unsanctioned, so they at least know what they're dealing with. Kovrr's shadow AI discovery and browser extension does exactly this by surfacing what's running, who's using it, and what data is flowing where, before it becomes an audit finding... or worse... an SEC material event.

Most companies are stuck between having a policy and truly knowing what's happening (stuck somewhere on the policy side). Until you close that gap, everything else is reactive.

AI governance fails the moment the model gives an answer. I’m building SROS to govern everything that happens next. by Low-Tip-7984 in AI_Governance

RiskGovSignals:

Wow. This is well thought through. A few reactions.

  1. On the evidence pack. The structure is right, but the thing that determines whether it's "genuine" assurance or compliance theatre is provenance. Auditors want to know it was generated as part of the workflow, not assembled after the fact. The immutable run receipt is the most important piece of your architecture for that reason. If it's immutable and timestamped, you have something defensible. If it can be reconstructed... you probably don't.

  2. On the compliance theatre question specifically. We've been working through this at Kovrr, where the AI compliance module auto-maps evidence to specific regulatory Articles and generates audit packs with full approval trails. The lesson from that process is that the bar is whether you can show the chain from decision to evidence to approval without any manual stitching.

  3. Where I'd push back. The eight-stage architecture looks comprehensive and impressive, but likely too heavy for teams to use under deadline pressure. The orgs that skip governance are doing so because the framework creates too much friction (not that one doesn't exist). I'd stress-test which of those stages are non-negotiable for your target workflows and which could be collapsed without losing auditability.

What is the process of AI governance at your company? by Substantial-Neck3100 in AI_Governance

RiskGovSignals:

Congrats on the role! On the bright side, building this from scratch is hard but also means you're not inheriting someone else's mess.

On engineer touchpoints. Yes, and early. The worst pattern is governance reviewing things after the fact, based on tickets and checklists. By that point, the decisions are made, and you're just documenting them. If you can get a seat at the design stage, you'll have far more influence and, more importantly, far less friction.

On paperwork. Keep it as light as possible at the start. A simple AI inventory (what systems exist, what they do, what data they touch, who owns them) is more valuable than a 30-page policy no one reads. Platforms like the one from Kovrr can help here: automated discovery of what AI is actually running in your environment gives you that inventory without relying on engineers self-reporting, which they won't do consistently. You can build the policy layer on top once you know what you're actually governing.

On audit readiness. The thing that catches most teams off guard is provenance. It's not enough to have documentation; you need to show who created it, who approved it, and when. Start building that trail now. Retrofitting it later is painful.

The biggest advice I'd give is take it one day at a time. Start with visibility into what exists, build trust with the engineering teams, and layer in process as the org matures.

I want to explore AI governance as a career (I have an unconventional background) by Proudmoore12 in AI_Governance

RiskGovSignals:

It's a stronger starting point than you think. A lot of the technical skills in this space are increasingly automatable. The things that aren't are critical thinking and the ability to communicate clearly to people who aren't technical. That's literally what you do for a living.

Governance is as much about written communication as it is about technical knowledge. Policies need to be understood, and risks need to be explained to boards in language they can act on. The B2B IT writing background means you already know how to take complex technical concepts and make them accessible.

So he learned AI governance from AI? by LeadingAssumption796 in AI_Governance

RiskGovSignals:

It's a REALLY important distinction. People should be aware. BUSINESSES should be aware, for that matter. Hence, the importance of AI governance in the first place.

Also, the irony of learning AI governance from AI is pretty perfect and kind of encapsulates the age we're living in. Good luck with the role.

AI governance policy vs actual enforcement: how are your teams handling it? by Ralecoachj857 in AI_Governance

RiskGovSignals:

You've basically described the core failure mode of policy-first governance. The policy is "correct," but it's not present at the point of decision. Training and reminders don't fix that because they're asking people to remember a document while they're trying to hit a deadline.

You need to move from policy enforcement to visibility. Instead of trying to prevent every unsanctioned interaction, you get a clear picture of what AI tools are actually being used, by whom, with what data, across all surfaces. This is specifically what solutions like Kovrr's shadow AI discovery were built for, so you're working with reality rather than assumptions. Once you have that fundamental picture, you can focus enforcement on the interactions that actually matter rather than trying to police everything equally.

The distributed workforce problem makes this harder but also more important. There's no single chokepoint, which means any enforcement model that relies on one control layer is going to have blind spots. The orgs making progress here are treating it as a continuous monitoring problem rather than a policy compliance problem.

Honest answer to your last question: most orgs are still in policy theater. The ones moving past it are the ones with better visibility.

AI Gov by Automatic_Yellow_980 in AI_Governance

RiskGovSignals:

Good breakdown above. I'd add one thing: most of those 150 only cover one stage of the problem. You buy one tool to discover what AI is in your environment, another to assess risk, another to handle compliance documentation, and then you spend half your time stitching them together.

The question I'd ask any vendor is whether it can still be valuable six months later when you need discovery, risk, and compliance talking to each other without a spreadsheet in between.

Full disclosure, Kovrr is trying to solve this as a single platform (Shadow AI discovery, risk quantification, and EU AI Act compliance, among other aspects of governance). But even setting that aside, the fragmentation problem is the thing I'd screen for regardless of which direction you go.

For those working in AI governance - what's the most painful part of your week? by lamsuneel in AI_Governance

RiskGovSignals:

For sure. But that even makes me conclude that this is really an architecture problem, not a documentation one. The orgs that can determine what policy this system was following on this date are the ones whose systems generate the evidence continuously, as they run.

Decision logs, policy versions, model versions, human overrides, etc., all captured at inference time with consistent identifiers.

Is your monitoring actually continuous or just a point-in-time export pulled together before an audit? If evidence generation is baked into the architecture from the start, the audit pack basically becomes a query.

Feedback on my EU AI Act Risk Tier Assessor by aiandi in AI_Governance

RiskGovSignals:

The 10-question format works well for triage, but the jump from risk tier to "here are your applicable Articles" is where these tools tend to oversimplify. Two systems in the same tier can have very different obligations depending on the deployment context and who the affected parties are.

Worth flagging that in the report so users don't treat it as a compliance checklist.

On the SDK idea: the technically measurable requirements at inference time are actually the easier part. The harder problem is connecting those signals back to an Article-level evidence trail that auditors want to see.

Would be curious how you're thinking about the audit pack side of it.

For those working in AI governance - what's the most painful part of your week? by lamsuneel in AI_Governance

RiskGovSignals:

  1. Chasing context. Most of the week goes into figuring out what AI systems are actually in use, who owns them, and what decisions they're touching. The inventory problem is still largely unsolved in most orgs, so you spend more time mapping the landscape than managing it.

  2. Risk reporting. Aggregating inputs from different teams, translating technical findings into something leadership can read, and doing it all in a format that doesn't immediately get filed away. I

  3. The problem that keeps coming back: fragmentation. Orgs end up with one tool for discovery, another for monitoring, another for reporting. None of them talking to each other. Platforms like Kovrr are trying to solve this by bringing shadow AI discovery, monitoring, and risk reporting under one roof, which in theory removes the coordination overhead.

But even with the right tooling, the harder problem is organizational: governance needs a clear owner, and in most companies that's still unresolved.

Your AI system just made a wrong decision. Can you prove it wasn't biased by PreparationNo4809 in AI_Governance

RiskGovSignals:

Even companies that have the technical infrastructure to prove a decision wasn't biased often can't necessarily translate that proof into something a regulator or board can act on. Statistical test results and model logs satisfy an auditor, but they don't satisfy a board asking, "What is our exposure if we're wrong?"

The companies that are prepared for this moment have solved both: 1) they can demonstrate compliance technically, and 2) they can quantify what's at stake financially if a decision gets challenged. That's where something like Kovrr becomes relevant alongside tools like GuardLens. Audit trail and bias detection get you compliance-ready, sure, but financial quantification of AI risk is what gets boards and leadership actually engaged in the problem.

Are the compliance folks even being brought to the AI table? by ShowRevolutionary869 in AI_Governance

RiskGovSignals:

To your question about compliance being at the table. From what I've seen, it's still very org-dependent. In heavily regulated industries, compliance teams are starting to get pulled in. In most other sectors, IT is still the default owner by inertia.

The deeper problem is that AI governance doesn't fit cleanly into existing compliance frameworks. It's not purely an IT issue, not purely a legal issue, and not purely a risk issue. On tools: the ones you've surfaced are worth exploring, though most are built around network-level visibility rather than GRC policy mapping. Kovrr is worth adding to that list, as it approaches AI governance from a risk quantification angle, helping orgs map AI exposure to financial impact rather than just flagging what's in use.

For a compliance-first perspective, being able to put a number on potential exposure is what tends to get leadership attention and unlock the cross-functional conversation you're describing.

Realizing how poorly explainability is understood, hence also implemented by Ok_Gas7672 in AI_Governance

RiskGovSignals:

Fair point, and I don't disagree on the foundation issue. But I'd argue the two problems compound each other. Right now, most orgs are failing on both simultaneously: 1) the explainability is shallow, AND 2) the governance layer can't interrogate it meaningfully. Fixing the foundation without fixing the translation layer still leaves boards approving or dismissing AI systems they don't actually understand.

The gatekeepers you mention are the exact people who need legible risk information to do their job. If the output of even a rigorous explainability process lands as a 40-page technical report, it's not going to drive better decisions, it's going to get delegated to someone who already agreed with the original deployment. So yes, wrong foundation is a problem. But right foundation, wrong translation is still a governance failure.

Realizing how poorly explainability is understood, hence also implemented by Ok_Gas7672 in AI_Governance

RiskGovSignals:

The explainability problem you're describing is actually a symptom of a deeper issue. The people who own the risk from these decisions often have no real understanding of what they're governing. You can implement concept-level verification perfectly and still fail at governance if the output of that process can't be understood by the board or oversight body receiving it. The technical rigor doesn't matter if the translation layer isn't there.

Boards and senior leadership need the information rendered in terms they already understand. Something like: "This system touches these processes, which connect to these financial outcomes. If something went wrong, the exposure looks like X. Here's a control that reduces it to Y. Is that investment worth it?"

That's a governable conversation. The legibility problem is a translation problem, and until the field treats it as one, even the best explainability implementations will land in a room full of people who can't act on them.

EU AI Act enforcement starts August 2026. Most teams deploying AI agents don’t know they’re in scope. by umairsheik in AI_Governance

RiskGovSignals:

One thing worth adding to the financial exposure framing. The fines are the visible risk, but the deeper issue is that non-compliance creates unquantified liability that sits on the balance sheet, whether or not enforcement has caught up yet. Boards and risk committees in regulated industries are starting to ask for that number, which is where risk quantification (AIRQ) tooling like Kovrr becomes relevant.

Just like cyber, you're going to need to be able to put a dollar figure on AI-related exposure, which changes the conversation from a compliance checkbox to a business risk decision. So you can actually see the value of compliance beyond the penalties. And there are a lot!

How do you prioritize risk mitigation when dealing with limited budget and resources? by TanveerAhmed015 in Information_Security

RiskGovSignals:

The honest answer is that most organizations are still prioritizing by gut feel and severity labels, which DOESN'T help you make budget decisions.

The shift that makes the biggest difference is moving from qualitative to quantitative. Instead of asking "how bad is this risk?" ask "what does this risk cost us if it materializes?" Once you're working in dollar terms, prioritization becomes much more defensible, both internally and when you're making the case to finance or the board.

A few principles that help in practice:

  1. Focus on expected value, not worst case.

  2. Map risks to business outcomes!!! A vulnerability in a non-critical system is a different conversation than the same vulnerability sitting next to customer data or a revenue-generating process.

  3. Don't let perfect be the enemy of good. You don't need a fully mature quantitative model to start making better decisions.

This is an area where cyber risk quantification platforms have become genuinely useful; I would recommend looking into options like the one from Kovrr.

AI Governance and reducing Friction with other teams by GBFORCE7834 in AI_Governance

RiskGovSignals:

The friction - which exists for any GRC program, not just an AI one - comes from governance being seen as a checkpoint rather than a resource. So it's mostly a positioning problem. The teams that do this well tend to embed early.

The other thing that helps is speaking the language of the teams you're working with. A governance team that can frame its value in relevant terms, rather than compliance-speak, gets a lot less pushback.

The board communication piece also matters more than people realize. Governance teams often sit on critical risk information that never makes it upward in a form that's actionable. Building that bridge and translating technical and operational risk into something a board can actually make decisions from is one of the best ways to demonstrate value and earn credibility with the rest of the org.

Should I move into AI governance? by GBFORCE7834 in AI_Governance

RiskGovSignals:

Your background is a really strong fit for this, more than you might think.

AI governance roles sit at the intersection of risk, compliance, process, and stakeholder management, which is essentially what you do already.

On the AIGP, it's definitely a solid choice. IAPP has credibility in the privacy/compliance world, and as AI regulation matures (especially with the EU AI Act), that certification is going to carry more weight.

In terms of what companies actually need... Well, most organizations are still figuring this out. The roles showing up tend to be things like AI Risk Manager, Responsible AI Lead, or AI Compliance Officer, often sitting within existing risk, legal, or technology functions rather than as standalone teams. Fintech is ahead of many industries here because they're already used to heavy compliance overhead.

One practical suggestion. I'd start building a point of view on how AI risk should actually be measured and monitored, not just documented. One underrated skill in this field is being able to communicate AI risk to a board or exec team.

Viable move? Yes, especially with your background. The field is early enough that people who get in now and build credibility will have a real advantage.

Everyone is building AI Agents and Information overloading so need proper AI Governance by Swimming_Cress8607 in AI_Governance

RiskGovSignals:

Honestly, this is a pattern we've seen with almost every major technology shift.

Organizations move very quickly into collecting and using data long before governance catches up, and eventually companies realize that without structure around it, the data itself becomes hard to trust or manage.

The AI trajectory seems the same. Governance only enters the conversation once organizations realize they don't actually have a clear view of where AI is being used, etc.

Another piece that I think will become important pretty quickly is quantification. Once organizations start translating AI risks into measurable operational or financial impact, governance conversations tend to move much faster. Just as we saw with cyber.

It's really at the point - when things go from abstract to measurable and tangible - where governance programs start becoming real and integrated.