Why AI Governance Starts With Accountability, Not Policy
The Policy-First Trap
When regulators and boards start asking questions about AI, the instinct is to produce documentation. Risk registers. Acceptable-use policies. Model cards. These artefacts are real and necessary, but they share a common failure mode: they describe what should happen without specifying who is responsible when it does not.
A well-written AI policy that sits in a SharePoint folder and is reviewed annually does not constitute governance. Governance is the set of mechanisms that ensure someone is watching, someone can intervene, and someone will be held to account.
What Accountability Actually Requires
Accountability for AI systems is harder to assign than for traditional software because the output is probabilistic, the failure modes are subtle, and the causal chain from model to harm is rarely linear. Three things make it tractable:
1. Named owners for named systems Every AI system in production should have a documented owner — not a team, a person. That person is responsible for monitoring, for escalation, and for the decision to shut the system down.
2. Decision logs, not just audit trails Audit trails record what happened. Decision logs record why a human chose to act on or override an AI output. The distinction matters enormously when an incident occurs months later and the original context has been lost.
3. Regular adversarial reviews Accountability structures atrophy. Scheduling quarterly sessions where a designated challenger probes the assumptions behind a live AI system is not bureaucracy — it is hygiene.
The Governance Stack
Think of AI governance as a stack, not a document:
| Layer | What it covers |
|---|---|
| Regulatory compliance | GDPR, EU AI Act, sector rules |
| Organisational policy | Acceptable use, prohibited applications |
| System accountability | Named owners, incident protocols |
| Operational monitoring | Drift detection, performance tracking |
| Human override | Clear escalation paths, kill-switch authority |
Most organisations have the top two layers and the bottom one. The middle two — system accountability and operational monitoring — are where governance actually lives.
Starting the Conversation
If your organisation is at the beginning of this journey, the most useful first step is not a policy workshop. It is a survey: for every AI system currently in use, ask three questions.
- Who owns this system today?
- How would we know if it were producing harmful outputs?
- Who has the authority to take it offline?
The gaps in those answers are your governance gaps. Start there.