The Real Question to Ask About AI Governance

Leaders at literally every Fortune 500 company will tell you that they are governing their AI — every single one of them. Now ask those same leaders who’s responsible for shutting down an AI model that’s causing harm. Most people can’t answer that question.

That silence is the most important story in enterprise technology right now, and it’s rarely, if ever, addressed.

During the past several years, a governance industry has quietly grown up around artificial intelligence. Companies have built registries to catalog their AI models. They have implemented classification systems to label their data. They have stood up dashboards to monitor model behavior, and risk councils to review new deployments. They have written policies, hired compliance officers, and presented slides to their boards. The infrastructure of governance has proliferated.

What’s missing is the governor.

Who Can Shut Down an AI Model

I run AI and data governance at Adobe. My job is to build exactly the kind of program that every company now claims to have. And what I have learned from the inside, while getting my hands dirty, is that the hard part is never the technology. The hard part is a question that sounds almost insultingly simple: When an AI model does something it shouldn’t, who has the authority to stop it?

The question is not who gets notified. It’s not who writes the incident report. It’s who has the authority, the organizational standing, and, frankly, the job security, to walk into a meeting and say, “We are shutting this down.”

In most companies, that person either doesn’t exist or is a paper tiger set apart from development teams organizationally. Roles like chief AI ethics officers and groups like data governance councils and responsible AI teams are completely necessary but merely advisory. They can flag. They can recommend. They can escalate. What they generally cannot do is hit the stop button. The actual decision authority sits somewhere else. Inside most Fortune 500 companies, it generally sits with someone whose primary job is shipping products and hitting revenue targets and who has every incentive to treat the governance flag as an afterthought rather than a mandate.

This is not a criticism of individuals; it is a description of a structural problem that the governance industry has largely chosen to ignore because the governance industry is selling tools, not accountability.

These tools are genuinely useful and vital to regulatory compliance and effective governance. A model registry tells you what AI systems exist and what they’re doing. A risk classification framework tells you which ones deserve the most scrutiny. A data lineage system tells you where the inputs came from and whether they were clean. All of this is real and important infrastructure. But it is infrastructure for visibility, not infrastructure for action.

You can have perfect visibility into a problem and no mechanism for solving it. You have to see something to do something, but you also have to pick up the hose to put out a fire.

Think of it this way: A fire alarm is not a fire department. You can wire every room in your house, dutifully change the battery of every smoke detector annually, and route every alert to a beautiful dashboard — but still have your house burn down because nobody picked up the hose. Yes, it’s critical to know that the house is burning — otherwise, you wouldn’t know that you need a hose. But you need somebody to tell the fire department to take action.

At Adobe, we addressed this by creating a federated governance model with named owners for every AI system and a centralized steering committee, with escalation authority, reporting into the trust and security organization, not the product team. That’s the key design choice we made: to give governance a reporting line independent of the teams shipping AI products. This is essential so that the person who can say “no” to an AI decision doesn’t report to the person who benefits from saying “yes” to shipping products.

Why Urgency Is Required

The stakes here are rising fast. The European Union’s AI Act is now in force, and it does not ask companies to demonstrate that they have dashboards. It asks them to demonstrate that they have meaningful governance. It requires documented decision-making, clear lines of accountability, and the ability to show, after the fact, who made a consequential choice about an AI system and why. When regulators come asking those questions, a policy document and a risk registry aren’t going to be sufficient answers. Regulators want a name.

The urgent need for governance is compounded by the speed of AI deployment. Most large enterprises are now running hundreds of AI systems across their organizations, in places leaders may not even be aware of. You will find AI tools being used in customer service, hiring, content moderation, pricing, fraud detection, and anyplace well-intentioned employees are just trying to make their lives easier. Many of these systems were deployed quickly, under pressure, with governance treated as something to be sorted by future-them. The time for future-them has arrived.

The answer is not to slow down AI adoption. It is to take the organizational design question as seriously as the technical one. Every AI governance program should be able to answer three questions: Who has the authority to stop a model? Do they know it’s their job? And do they have the standing to exercise that authority when it conflicts with someone else’s road map?

If your company cannot answer those questions, you do not have a governance program. You have paperwork.

The companies that will navigate the next five years of AI regulation and public scrutiny are not necessarily the ones with the most sophisticated tooling. They are the enterprises that did the harder, less glamorous work of building a human accountability structure to sit underneath the technology.

These organizations are the ones that appointed an AI governor, gave them real authority, and made clear that the job was not to make AI deployment easier but to make it defensible. These organizations have a federated team deputized to identify, remediate, and escalate, and they know that escalation requires a destination. That means a governance function with a direct line to senior leadership, independent of the product teams shipping AI, with explicit authority to stop an AI deployment.

Every company says it governs its AI. The real question separating governance from theater is simpler than any framework. Ask yourself: Who in my organization can say “no” and have the authority to mean it?