An ExCom asks me to audit their "AI strategy". I show up. I find seven internal chatbot initiatives. Seven. Three of them in the same HR department. Each with its own budget, vendor, tech stack. Estimated total cost: 2M€. Real value: a single one would have done the job.
Nobody was steering this portfolio. Nobody had the mandate to say "stop, we keep one". And it's not an isolated case — it's the pattern I see in the majority of large organizations I support in 2026.
Only 21% of AI projects deliver real value (Gartner). It's not a technology problem. It's a governance problem. And it's the most underestimated topic in AI transformation — also the most profitable to fix.
The word "governance" makes people flee, and that's exactly the problem
When I say "governance" in front of an ExCom, I see faces close off. The word evokes PowerPoint committees, six-level approval processes, compliance checklists that kill innovation.
I understand the reaction. Except AI governance as I practice it is not bureaucracy. It's a decision architecture.
Concretely, it answers five questions:
- Who decides which AI use cases are priorities?
- How do we prevent 12 teams from building the same chatbot?
- Where is the data, who has access, and is it usable?
- What is the acceptable risk framework (ethical, regulatory, technical)?
- How do we move from POC to production without losing 18 months?
If you don't have clear answers to these five questions, you don't have an AI strategy. You have a collection of POCs.
The 5 pillars of operational AI governance
What follows is not a theoretical framework from a consulting firm. It's the five pillars I've seen work — and whose absence explains 90% of AI transformations that stall.
Pillar 1 — Targeted data audit, not an inventory of the universe
Garbage in, garbage out, at industrial scale.
Every AI project I've seen fail had the same upstream problem: data. Not a volume problem — a quality, cataloging, accessibility problem. The most sophisticated model in the world, plugged into 14 silos with incompatible formats and unclear access rights, will produce structured noise, not value.
AI governance starts with a realistic data audit. Not an exhaustive inventory that takes 18 months. A targeted audit: for each priority use case, what data is needed, where it is, its quality, who owns it.
One data owner per dataset. An SLA on quality. Three weeks are enough to identify 5 to 10 processes ready to receive AI — and as many that you should definitely not connect to it yet.
Pillar 2 — Living portfolio mapping
The seven-chatbot case mentioned above is no accident. It's what systematically happens when nobody keeps the registry.
AI governance requires a living mapping of all initiatives — ongoing, planned, completed. Not to control — to rationalize. Identify duplicates. Pool efforts. Kill zombie projects consuming budget without producing anything.
A registry kept up to date every two weeks, not an Excel file forgotten in SharePoint. And one simple rule: no new AI project starts without verifying that an equivalent doesn't already exist somewhere else in the group.
Pillar 3 — Operational risk grid (1 page, not 200)
The EU AI Act is in force. Most companies I meet haven't even started their risk classification. "We'll figure it out when sanctions hit" — that's exactly what the same companies said about GDPR in 2017. We know how that ended.
An operational AI risk framework covers four dimensions:
- Ethical: algorithmic bias, decision transparency, impact on employees. Not a decorative ethics committee — measurable criteria integrated into the development cycle.
- Regulatory: AI Act classification (unacceptable, high, limited, minimal risk), mandatory documentation, GDPR compliance for training data.
- Technical: model robustness, hallucination management, fallback plan, production monitoring.
- Operational: vendor dependency, service continuity, model update management, reversibility plan.
Every AI initiative goes through this framework before going to production. Not after. Not "when we have time." Before.
Pillar 4 — Decision-making AI committee (not a PowerPoint one)
The difference between an AI committee that works and a decorative one comes down to three words: decision-making power.
I've seen "AI committees" that meet once a month to listen to presentations. Zero decisions. Zero arbitration. Zero value. Corporate theater.
An operational AI committee is small (5 to 8 people max), cross-functional (business + tech + legal + data), and decision-making. It validates or rejects initiatives. It arbitrates priorities. It allocates budget. It meets every two weeks, not every quarter. It reports to the ExCom with concrete metrics, not slides.
Simple test: if your AI committee doesn't have the power to kill a project, it's not a committee. It's a bi-weekly seminar.
Pillar 5 — AI Champions network, not a top-down training plan
This is where governance meets managerial transformation, and where the M3K framework kicks in.
Deploying AI without a Champions network is like building a highway without on-ramps. M3K structures the capability building in four layers: Mindset (Champions change the culture), Methods (they spread best practices), Metrics (they measure real adoption), Knowledge (they capitalize on feedback).
Concretely: 2 to 3 Champions per business unit, trained with a real program (not a half-day awareness session), 20% of their week dedicated, measurable objectives. On missions where this was deployed seriously, adoption accelerated noticeably — and more importantly, projects that were going to fail failed earlier. Paradoxically a win: less budget burned on dead-ends.
What happens when you skip governance
The false problem: "governance will slow our teams down". The real problem: its absence is already slowing everything down, silently.
Here's what I systematically observe in organizations that neglect it:
- Widespread Shadow AI — your employees use unauthorized AI tools with confidential data. I've already detailed this phenomenon: 93% of employees are affected. "We can't use Claude, it's confidential" — the same week, the team uses ChatGPT on their personal phone, on the same topic.
- Duplicated efforts — each department builds its own solution in a silo. No pooling, no economies of scale, no cross-learning. The seven chatbots from the ExCom.
- Unmanaged risks — a model deployed without bias evaluation causes a reputational incident. A training dataset contains unconsented personal data. The AI Act imposes sanctions.
- POCs that never scale — they work in lab conditions, never in production. Unprepared managers block deployment or passively sabotage it.
The cost of missing governance doesn't show up on a balance sheet. It's measured in lost opportunities, competitive delays, and avoidable crises.
IAgile: governance by sprints, not by cathedrals
The biggest mistake I see in AI governance attempts: trying to define everything before starting. Six months writing a 200-page policy. By the time the document is finished, the AI landscape has changed three times.
That's why I designed IAgile — applying agile principles to AI governance itself.
IAgile governance works in 4-week sprints:
- Sprint 1 — Map existing initiatives + data audit for the top 3 priority use cases. No theory, fieldwork.
- Sprint 2 — Set up the AI committee (composition, mandate, rhythm). First risk grid applied to a real project.
- Sprint 3 — Identify and train the first AI Champions. First tracking indicators.
- Sprint 4 — Retrospective, adjustment, institutionalize what works.
In 4 months, operational governance. Not perfect — operational. It improves with every sprint. That's the difference from the waterfall approach of large consulting firms: don't aim for theoretical perfection, aim for measurable impact, fast.
What works, what fails, in the field
What works:
→ A C-level sponsor who understands AI, not one who merely supports it politically.
→ An AI committee that has the power to say no, and exercises it.
→ Champions with dedicated time and clear objectives.
→ An iterative approach delivering value from month one.
→ A one-page risk grid, applied systematically.
What fails:
→ Delegating AI governance to the CIO alone — it's business + tech + legal + data.
→ Creating a "Chief AI Officer" without real power — a title without budget or mandate.
→ Writing a 200-page policy nobody reads.
→ Banning Shadow AI without offering an alternative — prohibition has never worked.
→ Making governance a brake on innovation instead of an accelerator.
Well-done AI governance doesn't slow you down. It prevents you from starting over. And starting over is what slows you down.
Monday morning, where to start
If your organization has no formal AI governance, here are the four actions for this week:
- Count your AI initiatives. All of them. POCs, projects, individual subscriptions, embedded tools. You'll be surprised by the number — and that's exactly the starting point.
- Identify the top 3 immediate risks. Shadow AI? Personal data in public LLMs? No AI Act classification?
- Appoint one owner. Not a committee — one person. With a clear mandate and dedicated time (≥ 30% of their week).
- Plan your first governance sprint. 4 weeks. Concrete objectives. Measurable results.
AI transformation without governance is a construction site without blueprints. Everyone's busy, things move in every direction, and one day someone realizes the walls don't line up. At that point, starting over costs three times more than getting it right from the beginning.
How many AI initiatives are running in your group right now, and how many could you name from memory?