Building AI Governance That Actually Works

Most organisations have something they call governance. It is either a principles statement or an ethics checklist or a committee that convenes to review significant deployments. In some cases, it is a dedicated policy document that runs to several pages and bears the signatures of senior leaders. What significantly fewer of them have is governance that actually shapes how decisions get made in the daily operational reality where intelligent systems are built, deployed, extended, and eventually retired.

An AuditBoard study found that only one in four organisations has fully operational governance, despite widespread documentation. A Gartner survey of large organisations found that while 80% claimed to have governance initiatives in place, fewer than half could demonstrate measurable maturity. McKinsey’s 2026 AI Trust Maturity Survey, drawing on approximately 500 organisations across industries and regions, found an average maturity score of 2.3 out of 4, and only around a third had reached level 3 or above in strategy, governance, and oversight structures. The gap between having a framework and embedding one is wide. Most organisations are on the wrong side of it.

Why Governance Frameworks Fail

Governance frameworks fail for identifiable, structural reasons. They do not fail because organisations lack good intentions, but because the frameworks themselves are designed in the wrong place, by the wrong people, and for the wrong purpose.

The most common failure mode is isolation. This happens when ethics committees and risk functions produce principles and policy documentation without sustained, working engagement with the business units, technology teams, and operational workflows where the decisions they are meant to govern actually live. The result is a governance architecture that is coherent on paper and largely invisible in practice. It exists as documentation. It does not exist as decision-making infrastructure. McKinsey’s 2026 research found that nearly 60% of organisations cite knowledge and training gaps as the primary barrier to embedding responsible governance. But the problem is not only about what people know. It is structural. Grant Thornton’s 2026 AI Impact Survey found that none of the organisations still in the early exploration stage of deployment could demonstrate the ability to pass an independent governance audit. The pipeline from policy to operational practice requires deliberate design, and most organisations have not built it.

A secondary failure mode is treating governance as a compliance function rather than an operational discipline. When governance sits inside legal or risk as a documentation activity disconnected from how systems are built, tested, deployed, and monitored, it cannot shape the decisions that determine whether deployment is actually responsible. That is record-keeping, not governance.

What Effective Governance Requires

Effective governance has four characteristics that distinguish it from the version that exists on paper.

The first is integrated ownership. McKinsey’s research found that organisations which assign explicit, named accountability for governance (through defined roles, clear decision rights, and specific escalation paths) achieve materially higher maturity than those where responsibility is ambiguous or distributed without structure. The average maturity score among organisations with explicit ownership was 2.6, compared to 2.3 overall. Accountability that cannot be named does not exist. If a governance failure occurs tomorrow and there is a question about who was responsible for the oversight structure that should have prevented it, the governance model has already failed.

The second is embedding within existing workflows rather than layering over them. When the governance questions that matter are answered within the operational processes teams already use, governance becomes part of how decisions get made rather than a separate process that reviews them after the fact. When those questions exist only in a committee that convenes monthly, they arrive too late to shape most of what they are meant to govern.

The third is practical specificity. Fewer than 25% of organisations have board-approved, structured governance policies rather than principles or values statements, according to McKinsey’s board governance research. The distance between a stated commitment to responsible deployment and a defined approval process with named decision rights is the distance between intent and accountability.

The fourth is continuity. Systems that are deployed today will be updated, extended, and operated under conditions that differ from those in which they were approved. Governance built for point-in-time review becomes inadequate as those conditions change. Continuity therefore requires building monitoring, documented audit trails, and defined review cycles into the operating model as standard practice, not as responses to incidents but as designed components of how the work runs.

The Proportionality Principle

Not every deployment of an intelligent system carries the same consequence. An internal tool that assists with document drafting operates in a different risk environment from an automated system that influences credit decisions, clinical triage, or performance evaluation. Governance that applies identical scrutiny to both, or that responds to the challenge of oversight with blanket restrictions, generates friction that bears no relationship to the risk it is trying to manage, and friction without purpose gets circumvented.

The principle of proportionality is not a concession to convenience. It is a design requirement. Governance controls should scale with consequence. Where systems operate with significant autonomy, where decisions affect individuals’ access to services or opportunities, where regulatory exposure is real, and where the potential for harm is material, the applications require structured review, documented accountability, defined oversight mechanisms, and the capacity to demonstrate, if challenged, that appropriate controls were in place and operating. Where the consequence is lower, governance should be lighter but still owned, still documented, and still subject to review. The goal is not to impose a uniform process across everything. It is to ensure that the level of scrutiny applied is proportionate to what is actually at stake, and that the determination of what is at stake has itself been made deliberately rather than defaulted.

The framing of governance as a constraint on innovation is understandable. It is also, in the evidence, incorrect. Organisations with mature governance structures can deploy intelligent systems into higher-value and higher-risk domains because they have built the oversight mechanisms to manage it if something goes wrong. The organisations without that maturity are not moving faster. They are confining their deployments to lower-stakes applications where the potential for both harm and value is limited.

A bank that can demonstrate to a regulator, an auditor, and its own board exactly who approved a deployment decision, what controls were in place, how performance is being monitored, and what the escalation path looks like when something deviates can move into complex applications that others cannot touch. It has earned the confidence that makes ambitious deployment possible. That confidence is built from the same place as any other operational capability: through deliberate design, clear ownership, and sustained execution. It is not produced by a principles statement. It is produced by the discipline of building governance that works, not just governance that exists.
