Governed on paper. Instructed in practice.
A regulated organization can point to a great deal when asked whether its AI use is governed. There are policies on acceptable use. There is an oversight committee, or a working group, or a named owner. There are vendor agreements with security and confidentiality terms. There are audit procedures. All of it is real work, and most of it is good work.
And all of it describes what is supposed to happen. None of it, by itself, can establish what did happen — who acted, under what authority, and with what visibility — at the moment a specific action was taken inside a specific system.
The distinction is easy to miss, because the two things sit so close together. Governance describes obligations; the architecture beneath it is what makes those obligations answerable. It is what lets an organization — when regulators ask, when counsel presses, when the board reviews — produce an account of what actually happened rather than a restatement of what was supposed to. Without it, the governance is a set of commitments no one can check. The organization is governed on paper and instructed in practice.
For a long time this was tolerable, because the gap was latent. Incidents were occasional. When one surfaced, the organization could usually assemble an account after the fact — reconstructing, from whatever the systems happened to record, a rough answer to who had done what. Sometimes the reconstruction failed, and the failure was expensive. But it was a contingent risk: a thing that might go wrong, not a thing that was wrong by structure. The architecture's absence could be carried.
Two things are removing the slack.
The first is that systems are beginning to act on people's behalf. An agent initiates a workflow, calls another system, makes an intermediate decision, hands the task to a second agent that does the same — continuously, and at machine speed. There is no longer a single human-at-the-keyboard moment for an inquiry to anchor to. Attribution that is not produced as the action happens cannot be reconstructed afterward, because the after-the-fact window the old approach relied on has closed. Reconstruction stops being slow-but-possible and becomes too slow to matter.
The second is volume. Every new deployment adds actions — accesses, decisions, delegations — faster than the architecture that could account for them is being built. The gap does not hold still; it widens with each deployment. Each one looks bounded on its own, which is why the aggregate goes unmeasured. The faster an organization adopts, the wider the distance between what it does and what it can account for.
Put together, these change the character of the gap. It is no longer a latent risk that surfaces in the occasional incident. It is the operating condition. And this is the point worth being precise about: governance without the architecture to attribute action is not incomplete, and it is not immature. It is structurally insufficient. More policy does not close it. More oversight does not close it. The missing element is a different kind of thing from the things governance is made of — the layer that can establish, at the moment it matters, who acted, under what authority, and with what visibility.
None of this argues against governance. Policies, oversight, and audit procedures are necessary. The argument is that they are not sufficient by themselves — and that deployment decisions are being made right now on the quiet assumption that they are: that the account can be assembled later, that the gap will hold still, that the documentation and the reality are the same thing.
So the question for a leader is not whether the organization's AI use is governed. The honest version is narrower and harder. For the systems already running: if someone asked who acted, under what authority, and with what visibility, could the organization produce an answer — or only a policy that said it should be able to?
The organizations that will be able to stand behind their AI decisions are the ones treating that question as architectural now, before the speed and the volume make the answer impossible to assemble. Governance can require the account. It cannot produce it.
Comments