Boards are starting to ask the right question about AI risk. Unfortunately, many organizations still don’t have a credible answer.
In recent executive and board conversations, directors are now asking whether AI risk is being managed and governed, and if it is auditable in the same way as other enterprise risks.
Yet, when they ask who owns that responsibility, the roles are often unclear. Is it security, IT, legal, product or compliance? The business units deploying AI? In many companies, it’s everyone, which means no one.
This is an ownership and accountability problem, and AI governance is exposing cracks in operating models that are already under strain.
Why AI risk doesn’t fit existing ownership models
Most enterprises are structured around familiar control planes: infrastructure, applications, data, identity. Risk ownership maps reasonably well to those areas. For example, security owns controls. Meanwhile, IT owns platforms, legal interprets policy, and business units make tradeoffs within guardrails.
AI breaks those boundaries. AI systems are embedded across SaaS applications, internal code, third-party services, developer tools, APIs, and now agents acting autonomously. Ownership is fragmented by design. A single workflow might involve a business user prompting a model, a developer integrating an API, a vendor hosting the model, and a security team that never sees the interaction at all.
When something goes wrong like data leakage, regulatory exposure, biased outcomes, or IP risk, the question “who owns this?” doesn’t have a clean answer. That ambiguity plays out in real environments. Security teams can detect some AI usage but can’t enforce decisions. Legal teams can define policy but lack visibility into what’s actually deployed. Product teams ship features faster than governance can keep up. Business units adopt AI tools independently to stay competitive.
Everyone is acting rationally within their silo. Collectively, the enterprise is accumulating unmanaged risk.
Why more tools won’t fix this problem
The instinct is to add tooling that delivers more detection, but this also creates more dashboards and alerts. Those capabilities don’t solve the core problem. Visibility without authority doesn’t create accountability, and policy without enforcement doesn’t create governance.
Recent developments in AI-powered vulnerability discovery make this ownership gap more urgent. Anthropic’s Claude Mythos and other frontier AI models show how quickly AI can accelerate vulnerability discovery, identifying previously unknown flaws at a scale that will overwhelm traditional manual triage and remediation processes. For defenders, that kind of capability is promising, but it also exposes a deeper governance challenge. Finding risk faster does not mean organizations can act on it faster. Someone still has to determine which findings matter, who owns the affected systems, what action is required, and how the organization can prove the risk was accepted, mitigated, or resolved.
As AI systems generate more signals, automate more decisions, and become embedded in more enterprise workflows, organizations need a clear system for converting those signals into owned, auditable outcomes. Most organizations are still figuring out who should be accountable for approving AI use when risk spans multiple domains. Who can shut something down when it violates policy, and who will certify that AI risk is being governed effectively.
What boards should be asking instead
Boards don’t need to become experts in AI models, prompts, or agents. But they do need to insist on having clear owners and decision-making authority. Here are a few questions every board should be asking leaders:
- Where does AI risk management and control formally live? Not which teams are involved, but who has final accountability.
- How are AI decisions made when risk crosses silos? What is the escalation path when security, legal, and the business disagree?
- What evidence exists that AI governance is working? How do we prove where AI decisions are made, risks accepted or mitigated, exceptions tracked?
- When AI systems identify, prioritize, or act on risk, who owns the decision and the evidence trail?
- How quickly can the organization respond when AI risk changes? Manual review processes don’t scale to real-world AI adoption.
If leadership can’t answer these questions clearly, gaps in the organization’s AI coordination will surface under pressure.
AI governance is an operating model problem
AI governance needs to be foundational to program development. It forces organizations to confront how decisions are made across security, technology, and the business. It shows where AI authority is implicit, and where accountability dissolves across teams.
That’s why boards are about to discover this governance problem, which will often be in response to an incident, audit, or a regulator’s question awaiting a clear response.
The organizations that define AI ownership clearly, establish decision authority, and treat AI risk as an operational discipline will be ready to capitalize on its benefits.
AI is moving faster than most governance structures were designed to handle. Many organizations are still figuring out who is responsible for overseeing risk, making decisions, and responding when problems arise. Boards are going to expect clear answers, and the organizations that have done this work in advance will have a clear advantage.

