AI Governance Can’t Be an Afterthought


As enterprises rush to deploy AI agents across their operations, governance is increasingly becoming the overlooked side of the AI boom. While organizations focus heavily on innovation and automation, far fewer are addressing the operational risks that come with autonomous systems.

According to Melissa Cahoe, Global Strategist for Security, Risk, & Resilience at NewRocket, that imbalance could create serious consequences for businesses scaling AI too quickly without proper oversight.

“The biggest misconception is that AI governance is a risk or compliance problem, when in reality it is a business problem,” Cahoe said.

She argues that many organizations mistakenly treat governance as something that happens only after AI systems are deployed, relying on “policies, approvals and audits” once systems are already in production. In reality, she says, the greatest risks emerge much earlier.

“The real risk is introduced much earlier in how agents are designed, trained, integrated and iterated,” she explained. “Governance is not a gate at the end. It needs to be embedded across the entire AI lifecycle.”

Approaching governance – how not to do it

Cahoe warns that companies approaching governance as a final checkpoint often create friction that slows adoption and encourages teams to bypass safeguards altogether.

“What we see in practice is that when governance is treated as a final gate, it becomes a roadblock,” she said. “The organisations getting this right are reframing governance as guard rails that enable speed and scalability.”

That shift is becoming increasingly urgent as AI systems evolve from simple productivity tools into what many companies now describe as a “digital workforce.”

“The term ‘digital workforce’ is a more accurate reflection of what AI actually is,” Cahoe said. “Tools are deterministic. You use them and expect a known outcome. A workforce, whether human or digital, operates with a degree of autonomy.”

That autonomy fundamentally changes how organizations must think about trust and oversight.

“You can trust a tool to do exactly what it is designed to do. You cannot apply that same trust to a workforce,” she said. “When AI becomes part of the workforce, it has to be managed accordingly. Not merely trusted, but governed with structure, accountability and the ability to see and intervene when behaviour deviates from intent.”

Malicious systems or lack of visibility and control?

While fears about malicious AI actors dominate many public discussions, Cahoe believes the greater danger may actually come from systems built with good intentions but operating without sufficient visibility or controls.

“The latter, definitely,” she said when asked whether malicious threats or unsupervised AI concerns her more. “What is more difficult, and often more dangerous, is well-intentioned AI operating without sufficient oversight, introducing risk into critical processes.”

Even small deviations in agent behavior, she warns, can create major operational consequences.

“A single agent with a slight misalignment can create a material issue,” Cahoe said. “Without visibility into how AI systems are behaving, how they interact and how decisions propagate across workflows, you are effectively operating blind.”

Recovery Strategies

That concern also extends to disaster recovery strategies—an area Cahoe believes many organizations have not adequately updated for AI-driven environments.

“The most overlooked aspect is that you are no longer just recovering systems, you are recovering a part of your workforce,” she said.

Traditional disaster recovery frameworks focus on restoring infrastructure, applications, and data. AI systems, however, introduce continuously evolving decision-making logic that cannot simply be recovered from a static backup.

“If you have not captured how an agent was behaving, its context, its dependencies and its interactions, you can restore the system and still lose the outcome it was meant to achieve,” Cahoe explained. “Otherwise, recovery is incomplete.”

For CISOs and CIOs struggling to communicate AI risk to executive leadership, Cahoe advises simplicity and precision over technical complexity.

“Start with outcomes, not technical details,” she said. “Executives do not need to understand models or architectures. They need to understand how AI changes the organisation — both in terms of risk and benefits.”

She also encourages security leaders to frame AI risk in measurable business terms whenever possible.

“Define what could go wrong, the potential impact and how likely it is,” Cahoe said. “Precision and clarity build understanding, which is what drives better business decisions.”

As AI adoption accelerates across industries, Cahoe believes organizations that successfully balance innovation with governance will ultimately be the ones best positioned to scale safely.

“It is less about stopping or slowing AI innovation,” she said, “and more about enabling it to evolve safely.”

Last updated: July 1, 2026
