While financial services firms continue to accelerate AI adoption, governance maturity is lagging. Legacy frameworks around models, data, and technology were not designed for today’s AI landscape: probabilistic models, opaque third-party dependencies, and, increasingly, autonomous agentic systems. As a result, firms attempting to scale AI using traditional governance approaches may find themselves exposed to risks that are difficult to detect, quantify, or control.
Weak AI governance can translate directly into misinformed investment decisions, security vulnerabilities, and ultimately, financial and reputational losses. Conversely, firms that build effective governance frameworks can better align AI with business objectives, manage downside risks, and create a more durable competitive advantage.
To address this challenge, I propose a two-tiered AI governance framework that integrates program-level oversight with use-case-specific controls. Much like the complementary top-down and bottom-up approaches in investing, this structure enables both consistency at scale and precision in execution.
The program-level component centers on three core actions:
Discover your AI assets in order to govern them effectively
Establish enterprise-level governance structures and mechanisms
Focus enterprise-level governance on a few critical domains
Discover: A foundational step is establishing comprehensive inventories of AI assets, use cases, and agents. These inventories serve as the building blocks for governance processes at both the program level and the use-case level, and they should be linked into the enterprise's overarching governance and risk-management mechanisms and tools. Looking ahead, it is becoming critical to apply to AI agents some of the same institutional and organizational processes we commonly apply to managing people, which is nearly impossible without these inventories in place.
Establish: This category covers the oversight mechanisms: policies and procedures, risk appetite statements, chains of authority and escalation, and an enterprise AI literacy program. These elements define the "rules of the road" and act as a first line of defense against the internal and external pressures that inevitably arise during AI implementation.
Focus: The rapid proliferation of AI governance frameworks and controls can create the impression that effective governance requires a “boil the ocean” approach. In practice, this is neither feasible nor necessary. AI governance should instead be deliberately scoped and aligned with an organization’s specific risk profile, operating model, and strategic priorities. The objective is not completeness, but effectiveness.