As more generative AI projects move from proof-of-concept to production, CIOs will be shouldering the additional pressure of enacting AI governance policies to protect the enterprise — and their jobs.
There is no dearth of AI governance frameworks available from the US government and European Union, as well as top market researchers, but no doubt, as gen AI innovation outpaces formal standards, CIOs will need to enact and hone internal AI governance policies in 2025 — and enlist the entire C-suite in the process to ensure they are not on the hook alone, observers say.
Here, jurisdictional imbalances are in play.
“In terms of responsible AI policy setting and code of conduct creation, US organizations are on par with European organizations based on a February 2024 survey, but lag behind European organizations in establishing multidisciplinary/interdepartmental governance committees as recommended in the EU AI Act,” says IDC research director Grace Trinidad, who urges CIOs to not take on AI governance solo.
IDC, for instance, recommends the NIST AI Risk Management Framework as a suitable standard to help CIOs develop AI governance in house, as well as EU AI Act provisions, says Trinidad, who cites best practices for some aspects of AI governance in “IDC PeerScape: Practices for Securing AI Models and Applications.”
CIOs acknowledge there are myriad ways to implement AI governance and most have begun implementing at least some programs, though not all the pieces are in place, Trinidad notes.
To that end, Craig Williams, chief digital information officer at Ciena, says the networking company has created AI working groups to iron out governance challenges.
“I don’t see a future where AI governance is owned by a single entity or government itself — it’s just too challenging. Companies, however, need to establish their own governance processes to ensure end-to-end accountability,” he says. “We recognize the need for transparency, fairness, and accountability in AI systems. As such, we have gone to great lengths to ensure that we’re involving the right stakeholders in the governance process itself.”
That cross-functional effort is key, experts and IT leaders say.
“Governance is really about listening and learning from each other as we all care about the outcome, but equally as important, how we get to the outcome itself,” Williams says. “Once you cross that bridge, you can quickly pivot into AI tools and the actual projects themselves, which is much easier to maneuver.”
TruStone Financial Credit Union is also grappling with establishing a comprehensive AI governance program as AI innovation booms.
“New generative AI platforms and capabilities are emerging every week. When we discover them, we block access until we can thoroughly evaluate the effectiveness of our controls,” says Gary Jeter, EVP and CTO at TruStone, noting, as an example, that he decided to block access to Google’s NotebookLM initially to assess its safety.
Like many enterprises, TruStone has deployed a companywide generative AI platform for policies and procedures branded as TruAssist.
“All [approximately] 560 team members are using this AI tool to quickly access over 500 policies and procedures, significantly saving time, and adding tremendous value,” Jeter says. “We launched the proof-of-value pilot in November 2023 and rolled it out to all team members by February 2024. It was very quick, and we have learned a lot. We are taking a more conservative approach of leveraging generative AI for member-facing applications, but we are making progress.”
AI governance frameworks and platforms
Travelers is another large enterprise that has been developing its AI governance strategy for some time, says Mojgan LeFebvre, the company’s EVP and chief technology and operations officer.
“As part of the constant evolution and maturation of Travelers’ governance framework, we have also established a Responsible Artificial Intelligence Framework that sets forth foundational principles to guide our development and use of AI, advanced analytics, and modeling,” LeFebvre says. “The goal of this framework is to help ensure we act responsibly and ethically — consistent with the responsible business values at the heart of our business and culture.”
AI governance is not just about protecting the enterprise from data leakage or intellectual property theft but also keeping costs in line with budgets, observers note.
IT leaders should take a “very pragmatic — deliberate and slow — rollout to production of gen AI applications because executives and IT are still learning how to manage risk of a probabilistic enterprise application and because there are real costs that go up with usage,” says Paul Baier, CEO and principal analyst at GAI Insights.
Another factor that increases gen AI risk and costs is the “massive ‘shadow IT’ in most organizations, as employees use personal accounts to use tools like ChatGPT with company data,” Baier says.
One way organizations can get a handle on AI use is by implementing an AI governance platform, according to Gartner, which identified the technology as its No. 2 strategic trend for 2025, predicting that by 2028 organizations that implement AI governance platforms will experience 40% fewer AI-related ethical incidents compared to those without such systems.
The benefits of AI governance platforms, Gartner claims, include creating, managing, and enforcing “policies that ensure responsible use of AI, explain how AI systems work, model lifecycle management, and provide transparency to build trust and accountability.”
The challenges? “AI guidelines vary across regions and industries, making it difficult to establish consistent practices,” Gartner says.
The challenge ahead
CIOs will also need to adapt AI governance frameworks capable of accommodating changes to come, particularly if artificial capable intelligence (ACI) emerges, observers say.
“We are evaluating which AI use policy will best fit our needs right now with a model that offers flexibility to adapt as we move forward and learn what we don’t yet know,” says Tom Barnett, CIDO at Baptist Memorial Health Care in Memphis.
Where that will lead is a vast unknown, especially given the progress on AI in just the past two years. Complicating the issue is not only the complex patchwork of AI regulations that are emerging but also changes in business models and the market itself.
When ChatGPT debuted two years ago, founders of OpenAI cited the need for generative AI to be properly managed as a key reason for the company to be a nonprofit. Since then, all founders but two have left and OpenAI is working to restructure its core business into a for-profit company no longer controlled by its nonprofit board.
Sid Nag, vice president of cloud, edge, and AI infrastructure technologies and services at Gartner, says the NIST’s AI Safety Institute Consortium and Center for Responsible AI have made progress on AI governance since 2021 but there are no approved regulatory standards to guide CIOs who are under increasing pressure to move out of experimentation and make money from the significant investments in generative AI platforms and tools.
He emphasizes there is no single document that captures all aspects of the risks and no clear authority to enforce use of generative AI, which is advancing on a daily basis. “AI is such a runaway train and everybody is trying to make a buck off it,” he says.
Still, it’s rare to find a CIO or C-suite dismissing AI governance. Enterprises large and small are well aware that generative AI in the wrong hands can spell disaster.
Antonio Marin, CIO of medical equipment leasing company US Med-Equip, says AI is enabling his company to grow quickly but all hands are on deck when it comes to governance.
“We are incorporating AI governance as part of our data and cybersecurity governance,” says Marin, who adds that risks spike when POCs move from the sandbox into production. “In some cases, our C-suite sees AI as a solution to some process problems. They see AI as an opportunity to gain market share or reduce operational costs, while maintaining high customer experience quality and operational excellence.”
TruStone’s Jeter expects oversight will become a legal and regulatory requirement in due time. “I view examiners and internal/external auditors as partners, with a shared purpose that aligns with our values,” Jeter says. “As a result, I have no concerns.”