Governing AI in 2026: Managing Risk and Unlocking Value
Introduction
Artificial intelligence (AI) has shifted from a back‑office novelty to a central engine of innovation across industries. Generative models are writing code, summarising documents and conversing with customers; agentic systems are automating workflows; and predictive analytics are reshaping supply chains. Yet the speed of adoption has outpaced organisational readiness. Leaders worry about opaque algorithms, regulatory scrutiny and brand‑damaging mistakes. At the same time, they see responsible AI as a source of competitive advantage and trust.
This article looks at the evolving landscape of AI governance — including new regulations, emerging frameworks and the latest survey data — to help SMC and enterprise leaders build programs that manage risk and unlock value.
An Expanding Regulatory Landscape
Europe leads with the world’s first comprehensive AI law. The European Union’s AI Act entered into force on 1 August 2024 and has been rolling out in stages. The Act adopts a four‑tier risk‑based approach to AI systems: minimal‑risk systems face few obligations, limited‑risk systems must provide transparency, high‑risk systems must meet stringent requirements (documentation, human oversight and risk management) and “unacceptable‑risk” practices—such as manipulative AI, social scoring, untargeted scraping of facial images to build facial‑recognition databases and emotion recognition in workplaces—are banned outright.¹ The bans became enforceable in February 2025 and the entire Act will be fully applicable by 2 August 2026.¹ High‑risk use cases include AI for critical infrastructure, education, employment, law enforcement and migration decisions.¹ Compliance involves risk assessments, data‑quality management, transparency, human oversight and registration in an EU database. The Act also establishes the AI Pact to encourage voluntary compliance and an AI Act Service Desk to support industry.¹
Other jurisdictions are following suit. In the United States, the National Institute of Standards and Technology (NIST) released its AI Risk Management Framework (AI RMF 1.0)⁷ in January 2023 and continues to update it. While voluntary, the framework provides a globally recognised structure for managing AI risks across the lifecycle.² It emphasises four pillars—transparency, fairness, accountability and robustness—to guide organisations in building trustworthy AI.² NIST stresses that risk management is not only a technical exercise; it demands cross‑functional ownership. Rising regulatory scrutiny — such as the EU AI Act and U.S. executive orders — means companies must be prepared to demonstrate risk management practices.²
Legislative activity is also intensifying globally. A 2025 Diligent analysis notes that legislative mentions of AI have increased 21.3% across 75 countries since 2023, a ninefold increase since 2016, underscoring that AI accountability is no longer optional.² Nations from Canada to China are developing laws on data quality, algorithmic transparency, model certification and sector‑specific controls. For SMCs and enterprises, these developments mean that governance cannot remain ad‑hoc; it must be systematic, auditable and aligned with evolving law.
Frameworks for Trustworthy AI
While regulations set boundaries, frameworks provide scaffolding for operationalising AI governance.
NIST AI Risk Management Framework
NIST’s AI RMF offers a flexible roadmap for identifying, assessing and managing AI risks. It operates through four cyclical functions:
Govern: Establish organisational policies, roles and accountability for AI. This includes board‑level oversight, alignment with enterprise risk management and integration with data governance, privacy and cybersecurity functions. The framework stresses that ownership should sit with risk, legal or compliance leaders — not just data scientists — while ensuring cross‑functional collaboration.² Boards, CISOs and product teams all play a role.
Map: Understand the context of the AI system — its purpose, intended users, data sources and potential impacts. Mapping clarifies how the model fits into business processes and what stakeholders it affects.
Measure: Evaluate risks such as bias, robustness, privacy leakage and security vulnerabilities. This step involves testing, model audits and benchmarking using metrics aligned with fairness, transparency and robustness.
Manage: Implement mitigation controls, monitor performance and adapt as the environment changes. Managing includes creating incident response playbooks, establishing human‑in‑the‑loop mechanisms and updating models when drift occurs.
The AI RMF’s emphasis on transparency, fairness, accountability and robustness mirrors growing societal expectations.² For example, ensuring that decisions can be explained to stakeholders (transparency) and that models are resilient to adversarial attacks (robustness) builds trust. The framework’s voluntary nature makes it a useful starting point for organisations seeking to demonstrate due diligence while awaiting formal regulation.
EU AI Act Compliance Roadmap
For companies operating in or serving EU markets, the AI Act demands a structured compliance plan. Key steps include:
Classify your AI systems under the Act’s risk categories. Unacceptable‑risk applications must be discontinued or redesigned; high‑risk systems require conformity assessments, documentation, human oversight and registration in an EU database.¹ Limited‑risk systems need to inform users they are interacting with AI.
Strengthen data‑quality and governance. The act mandates rigorous data‑management practices to prevent bias and ensure accuracy. Organisations should align data governance with AI governance, emphasising lineage, quality and ethical sourcing.
Integrate human oversight. High‑risk systems must involve qualified humans who can intervene in or override AI decisions. Training and empowerment of staff are therefore essential.
Document and report. Detailed technical documentation, risk assessments and post‑market monitoring reports are required. Companies should prepare for audits and maintain records of model performance and incidents.
Engage with the AI Pact. Early participation can build goodwill with regulators and stakeholders. It also allows organisations to shape implementation guidelines and share best practices.
Other Industry Standards
In addition to NIST and the EU AI Act, several frameworks contribute to AI governance:
ISO/IEC 42001 (2023): The first international standard for AI management systems, covering policy, competence, risk assessment and impact evaluation. It emphasises continuous improvement and third‑party certification.⁸
NIST Generative AI Profile (2024): A companion resource to the AI RMF that offers specific guidance for generative models, including prompt injection testing and output quality evaluation.
Sector‑specific guidance from regulators (e.g., U.S. Federal Trade Commission, Health Canada) addressing AI in marketing, healthcare and financial services.
These frameworks reinforce the need for proportional governance—tailoring controls to the risks and context rather than imposing one‑size‑fits‑all rules.
Current State of AI Governance Adoption
Recent surveys offer a window into how organisations are implementing governance.
AI Governance Profession Report 2025 (IAPP & Credo AI)
This 2025 study surveyed hundreds of organisations worldwide and found that 77% are already working on AI governance, rising to nearly 90% among AI‑using organisations.³ Surprisingly, 30% of organisations not yet using AI have begun building governance structures.³ The report highlights several trends:
Incremental staffing: Organisations are gradually building dedicated AI governance teams. Existing privacy, legal and IT staff often take on AI governance responsibilities before dedicated specialists are hired. A talent shortage is evident; 23.5% of respondents cite difficulty finding qualified AI governance professionals.³
Cross‑disciplinary leadership: The top functions leading AI governance are privacy (22%), legal and compliance (22%), IT (17%) and data governance (10%).³ Mature programs involve specialists from multiple departments, reflecting AI’s broad impact.
Integration with privacy and data governance: Many organisations extend existing privacy impact assessments to cover AI risk, indicating a “governance first” approach.
Evolving best practices: AI governance remains a moving target. As new technologies and regulations emerge, organisations must adapt. Mature programs highlight the importance of embedding governance within strategic planning and aligning it with ethics and compliance.
PwC 2025 Responsible AI Survey
PwC’s 2025 survey of U.S. executives positions Responsible AI as a driver of business value. Nearly 60% of executives say responsible AI initiatives improve return on investment and efficiency, 55% report enhanced customer experience and innovation, and about half cite improved cybersecurity and data protection.⁴ The survey breaks organisations into maturity stages:
Strategic (28%) and embedded (33%) stages: Responsible AI is actively integrated into core operations. These leaders are 1.5–2 times more likely to have effective development standards, clear roles and comprehensive inventorying of AI than organisations still in the training stage.⁴
Training stage (21%): Companies are building employee training, governance structures and guidance.
Early stage (18%): Organisations are just beginning to establish policies and frameworks.
Operationalising responsible AI is the biggest hurdle—half of respondents cite turning principles into repeatable processes as their main challenge.⁴ As AI evolves from generative models to agentic systems that act autonomously, continuous monitoring and feedback loops become essential.⁴
Pacific AI 2025 AI Governance Survey
Pacific AI’s survey of 351 participants—conducted from February to May 2025—focuses on generative AI adoption. The findings paint a picture of cautious experimentation and significant gaps:
Production reality gap: Only 30% of organisations have deployed generative AI to production, with just 13% managing multiple deployments.⁵ Large enterprises are five times more likely than small firms to have multiple systems running (19% vs 4%).⁵
Pressure to ship quickly: 45% of respondents cite pressure to deliver solutions rapidly as the top governance barrier, rising to 56% among technical leaders.⁵
Monitoring blind spots: Fewer than half (48%) monitor production systems for accuracy, drift and misuse, and this drops to 9% among small companies.⁵ Without monitoring, organisations cannot detect model degradation or malicious exploitation.
Policy–practice disconnect: Although 75% have AI usage policies, only 54% maintain incident response playbooks and 59% have dedicated governance roles.⁵ This indicates that policies often exist on paper but are not operationalised.
Small company vulnerability: Small firms lag behind larger ones in governance maturity; only 36% have governance officers and 41% provide annual AI training.⁵
ModelOp 2025 AI Governance Benchmark Report
ModelOp’s survey of 100 senior AI and data leaders reveals a widening gap between pipeline ambition and production reality:
80% of enterprises have 50 or more generative AI use cases in the pipeline, yet most have only a few in production.⁶
56% say it takes six to eighteen months to move a generative AI project from intake to production.⁶ Governance processes are viewed as the bottleneck; 44% call them too slow and 24% find them overwhelming.⁶
58% cite disconnected systems as a top blocker.⁶ Many organisations rely on ad‑hoc spreadsheets and siloed tools, preventing holistic oversight.
Only 14% enforce AI assurance at the enterprise level.⁶ This suggests that formal testing, validation and approval processes are rare.
Taken together, these surveys illustrate that while awareness of AI governance is widespread, implementation maturity varies. Larger enterprises often lead in establishing governance structures but struggle to scale assurance and monitoring. Small and medium companies lag behind, highlighting an opportunity for consultancies and regulators to provide accessible, proportional guidance.
Business Implications of AI Governance
Governance as a Value Driver
The notion that governance stifles innovation is outdated. Responsible AI is emerging as a source of competitive advantage: PwC’s survey shows that nearly 60% of executives credit responsible AI with improved ROI and efficiency,⁴ and over half report enhanced customer experience and innovation.⁴ Robust governance builds trust, which in turn drives adoption. Transparent, fair and accountable systems attract customers, investors and partners who may otherwise hesitate to engage with opaque AI.
Alignment with Data Governance and Cybersecurity
Effective AI governance cannot exist in isolation. High‑quality AI requires high‑quality data; thus, data governance — ensuring data lineage, integrity, privacy and compliance — forms the foundation. Similarly, AI governance intersects with cybersecurity governance: AI models are vulnerable to adversarial attacks, prompt injection and data exfiltration. Pacific AI’s survey notes that many organisations lack protocols for AI‑specific failure modes.⁵ Integrating AI risk management with cybersecurity incident response plans is therefore critical.
Talent and Culture
Finding qualified AI governance professionals is a key challenge. The IAPP report notes that 23.5% of organisations struggle to find appropriate talent.³ Building capacity involves cross‑training privacy, legal and IT professionals in AI technologies and risk management. Boards and executives must champion a culture that values responsible innovation, not just speed.
Accelerating Time‑to‑Value
ModelOp’s findings suggest that lengthy governance processes can delay production. To avoid being trapped in “proof‑of‑concept” purgatory, organisations should:
Standardise intake and approval: Develop clear criteria for evaluating use cases and move away from ad‑hoc approvals. Use templates for model cards, risk assessments and documentation.
Automate assurance: Adopt tools for continuous testing, monitoring and compliance tracking. Automation reduces manual overhead and allows governance to scale with the number of models.
Integrate governance into DevOps/MLOps: Embedding risk controls into model development pipelines accelerates deployment while maintaining oversight.
Preparing for Future Regulations
With the EU AI Act becoming fully enforceable in August 2026, organisations should proactively align with its requirements. Early compliance not only reduces regulatory risk but can also influence product design and market strategy. The AI Pact offers a forum for companies to engage with regulators and peers. Likewise, the evolution of NIST’s AI RMF and ISO standards points to a convergence of best practices. By adopting these frameworks now, organisations future‑proof their AI systems and avoid costly retrofits.
Reflective Advice for Leaders
Based on the research, here are practical, reflective pointers for SMC and enterprise leaders:
Start with purpose. AI governance should be anchored to your organisation’s mission and values. Define why you are building AI and what outcomes you want to achieve. Purpose‑led governance mitigates the temptation to deploy AI for its own sake.
Establish cross‑functional ownership. Assign clear responsibility for AI governance to a senior leader (e.g., Chief Risk Officer, General Counsel) while engaging privacy, cybersecurity, HR, product and data teams.² Include board oversight.
Invest in data and cybersecurity foundations. Without trustworthy data and resilient infrastructure, AI cannot be trustworthy. Align AI governance with existing data governance and cybersecurity frameworks.
Operationalise policies. Policies are necessary but insufficient. Develop training, incident response playbooks, monitoring dashboards and automated controls. Pacific AI’s findings show that many organisations have policies but lack incident response and monitoring.⁵
Scale with automation. Adopt tools for model inventory, testing and continuous compliance. ModelOp’s report reveals that disconnected systems and manual processes hinder progress.⁶
Build a culture of ethical innovation. Encourage experimentation, but within guardrails. Reward teams for flagging ethical concerns and emphasise that innovation and governance are complementary.
Prepare for audits. Document decisions, data sources, model performance and risk assessments. The EU AI Act and NIST frameworks emphasise transparency and documentation.¹ ²
Conclusion
AI governance has moved from a theoretical discussion to a business imperative. The EU AI Act and other emerging regulations will soon require organisations to demonstrate control over their AI systems. Meanwhile, frameworks like NIST’s AI RMF, ISO 42001 and sector‑specific guidelines provide practical roadmaps. Surveys show that most organisations recognise the need for governance but vary widely in maturity. The gap between ambition and execution remains large — especially for small and medium companies. Yet the opportunity is clear: responsible AI drives ROI, enhances customer trust and positions businesses for regulatory compliance. By taking a purpose‑driven, cross‑functional and proactive approach, leaders can harness AI’s power while safeguarding their stakeholders.
References
1. European Commission, “AI Act,” Shaping Europe’s Digital Future (July 2024), accessed May 2026, https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai.
2. Diligent Corporation, “NIST AI Risk Management Framework: A Simple Guide to Smarter AI Governance,” blog post, July 24, 2025, accessed May 2026, https://www.diligent.com/resources/blog/nist-ai-risk-management-framework.
3. International Association of Privacy Professionals and Credo AI, AI Governance Profession Report 2025 (April 16, 2025), accessed May 2026, https://iapp.org/resources/article/ai-governance-profession-report.
4. PwC US, “PwC’s 2025 Responsible AI Survey: From Policy to Practice,” October 30, 2025, accessed May 2026, https://www.pwc.com/us/en/tech-effect/ai-analytics/responsible-ai-survey.html.
5. Pacific AI, “2025 AI Governance Survey,” May 2025, accessed May 2026, https://pacific.ai/2025-ai-governance-survey/.
6. ModelOp, “2025 AI Governance Benchmark Report,” 2025, accessed May 2026, https://www.modelop.com/ai-gov-benchmark-report.
7. NIST, AI Risk Management Framework (AI RMF 1.0), National Institute of Standards and Technology, January 2023, https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf.
8. ISO, ISO/IEC 42001:2023 Artificial Intelligence Management System, International Organization for Standardization, https://www.iso.org/standard/42001.