When something goes wrong with an intelligent system, the question the public conversation reaches for first is: was this negligent? Was it malicious? Who is to blame? That framing is understandable. It also, in the majority of cases, misidentifies the actual cause.

ISACA’s review of the major incidents of 2025 reached a direct and instructive conclusion: the biggest failures were not technical. They were organisational. Weak controls. Unclear ownership. Misplaced trust in systems that nobody was adequately monitoring. The organisations involved were not, in most cases, acting in bad faith. They were organisations with structural gaps that made damaging outcomes probable regardless of anyone’s intentions.

Three Gaps That Drive Most Failures

Most governance failures across industries trace back to the same small set of structural problems.

The first is unclear accountability. When an intelligent system produces a harmful or incorrect output, the question of who was responsible for its design, deployment, oversight, and continued operation frequently cannot be answered with a name. Not because nobody cares, but because ownership across the full lifecycle was never explicitly assigned. Grant Thornton’s research found that the organisations able to demonstrate clear accountability at every stage of deployment are ten times more likely to pass an independent governance audit than those that cannot. The differentiator is not good intentions. It is visible, documented ownership.

The second is undefined decision-making processes. This shows up as inconsistency: one business unit deploys with rigorous testing and bias evaluation; another deploys a similar tool with none of those safeguards, because no organisational standard told them safeguards were required. Both affect real people. Only one has been verified as reliable. A 2025 Pacific AI survey found that while 75% of organisations have written policies on the use of intelligent systems, only 36% have adopted a formal governance framework. Policy without process is aspiration, not governance.

The third is absent monitoring after deployment. Fewer than half of organisations in the Pacific survey monitor their production systems for accuracy, degradation, or misuse. That figure falls to 9% among smaller organisations. A system that performed adequately at launch will change as conditions change. Data shifts. The environment it was trained in diverges from the one it operates in. Without ongoing monitoring, nobody knows when it has stopped being reliable until the consequences arrive.

What Intelligent Systems Amplify

The framing of governance failures as technology failures allows organisations to remain comfortable. If the system failed, the solution is a better system. If the problem is structural, the solution requires examining how the organisation makes decisions, who owns what, and whether the disciplines that should govern complex, consequential work are actually present. Intelligent systems do not introduce structural weaknesses into organisations. They amplify the weaknesses that already exist.

An organisation with ambiguous accountability and a cultural tendency to defer difficult ownership questions will find those tendencies become more consequential when systems are operating at scale on decisions affecting real people. A business unit that has always moved fast without robust review processes will find that behaviour produces very different outcomes when the work involves automated outputs rather than individual human judgements that can be corrected one at a time. A leadership team accustomed to treating risk management as a downstream documentation function will discover, when systems begin to fail, that the gap between stated values and operational reality is much larger than anyone had formally acknowledged. Deploying new capability without building new governance infrastructure does not transform an organisation. It magnifies, at speed and scale, whatever was already there.

What Adequate Infrastructure Requires

The organisations navigating this well are not doing so through more sophisticated technology. They are doing so through disciplined structural choices that most organisations have not yet made.

The first is named ownership across the full lifecycle of every significant deployment. Not shared responsibility, which in practice tends to dissolve into no one’s clear obligation. Named individuals who made the deployment decision, who monitor ongoing performance, and who carry the authority and the obligation to pause or retire a system when the evidence requires it.

The second is consistent standards applied across the organisation, regardless of which team is deploying or how fast they want to move. The same questions asked of every deployment in the same category: What is this system deciding? What are its known limitations? What bias evaluation was conducted? Who reviews outputs, and how often? What triggers an escalation? These are not technically complex questions. Answering them reliably requires discipline, which is precisely why they get skipped under deployment pressure.

The third is monitoring that continues after launch. Deployment is not the end of the governance obligation. It is the beginning of an ongoing one. A system without post-deployment monitoring is not governed.

The governance argument is sometimes framed as a constraint on AI deployment, an obstacle that slows the organisation down in the name of responsibility. The evidence does not support that characterisation. Grant Thornton’s research found that organisations with fully integrated governance are nearly four times more likely to report revenue growth than those still in the piloting stage: 58% against 15%. The difference is not the technology they are using. It is whether they can demonstrate how decisions are made, who is accountable for outcomes, and what happens when something goes wrong.