The unprecedented pace of AI’s evolution and its use have put a strain on organizations.
According to a 2026 study from the IBM Institute for Business Value study, 77% of organizations reported that AI adoption is outpacing their governance capabilities.
Although governance practices — including the discipline of IT governance — predate AI, the challenges presented by AI adoption and findings such as those in the IBM study show how important IT governance is to overall organizational outcomes.
“IT governance helps ensure that the organization is making good decisions versus making poor decisions, and it ensures that the ability to make good decisions is embedded in everyday work,” says Sharon Stufflebeme, managing director of CIO solutions at Protiviti.
Despite its proven value, adoption of IT governance is still not universal, according to governance experts. Large enterprises, public companies, and those in regulated industries generally have robust IT governance. Smaller entities and privately held ones are less likely to have a mature IT governance program or any at all.
Moreover, some organizations that have IT governance in place may find it ineffective due to siloed IT activities, miscommunication, and failure to enforce policies, experts add.
That doesn’t just hinder effective and efficient IT operations, it can hurt the organization itself, says Nehawa Ngundam Abam, an IT governance and risk analyst at insurance company Starr and a member of the Emerging Trends Working Group with governance association ISACA.
“IT governance is still highly relevant today, and arguably even more so than in the past, because in the modern enterprise there is so much more technology and technology risk than before,” Abam says. “And without effective governance, IT can easily become super fragmented and misaligned with business objectives, and it can introduce cybersecurity, compliance, and reputational risks.”
IT governance and its value
IT governance is a foundational framework for aligning IT implementations and investments with business strategy.
“At its core IT governance is about ensuring that IT supports and enables the business in a controlled, measurable, and strategic way,” Abam says.
By following a formal framework, organizations can produce measurable results tailored to achieve their strategic goals. A formal program also takes stakeholders’ interests into account, as well as the needs of staff and the processes they follow. In the big picture, IT governance is an integral part of overall enterprise governance.
“It’s how we think about the collection of investments we’re making,” says Bill Briggs, who as CTO of Deloitte Consulting advises executives on the impact that emerging technologies may have on their organizations and who serves as executive sponsor of Deloitte’s CIO program.
“It’s the intentionalizing of expected spend and returns, it’s investing for growth versus keeping the lights on, and it’s ensuring what’s promised is what’s delivered,” he adds.
Briggs says a strong IT governance program creates guidance for how investments get approved, how much autonomy each position should have, how to evaluate and select IT vendors and technical solutions, where and how to innovate, how to best deploy workers, and more.
The pillars of IT governance
IT governance has five domains or pillars. ISACA identifies them as:
- Value delivery
- Strategic alignment
- Performance management
- Resource management
- Risk management
Stufflebeme identifies and lists them slightly differently as strategic alignment, value management, risk management, resource management, and performance management.
“I define them in that order because of the crucial order in which they need to be viewed today. That strategic alignment pillar is critical in this age of AI as is the value management,” she explains.
Furthermore, IT governance through its risk management pillar ensures that the IT department is also aligned with the organization’s overall governance, risk, and compliance (GRC) program, experts add.
As such, IT governance helps organizations adhere to the many regulations governing the protection of confidential information, financial accountability, data retention, disaster recovery, and business continuity.
IT governance also supports the organization’s efforts to meet the expectations of shareholders, stakeholders, and customers — expectations that often exceed regulatory requirements.
IT governance frameworks
To ensure they have an effective IT governance program in place and can mature it over time, CIOs typically use a framework of best practices and controls.
Frameworks include implementation guides to help organizations phase in an IT governance program with fewer speedbumps. They also provide roadmaps on how to improve and mature a governance program.
The most commonly used frameworks are:
- COBIT: Published by ISACA, COBIT is a comprehensive framework of globally accepted practices, analytical tools and models (PDF) designed for governance and management of enterprise IT. With its roots in IT auditing, ISACA expanded COBIT’s scope over the years to fully support IT governance.
- ITIL: Formerly an acronym for Information Technology Infrastructure Library, ITIL focuses on IT service management. It aims to ensure that IT services support core processes of the business. The five foundational stages of the ITIL lifecycle are service strategy, design, transition (such as change management), operation, and continual service improvement. ITIL is designed to bring “together business, product, and service perspectives around value, experience, and outcomes, supporting confident decision-making across strategy and delivery, with continual improvement at its core.”
- ISO/IEC 38500: This international standard provides guiding principles for corporate governance of IT. It is designed to help board members, directors, and executives evaluate, direct, and monitor the use of IT across their organization. It is designed so that organizations of all sizes, regardless of the extent of their IT use, can use it.
Other notable frameworks include:
- CMMI: The Capability Maturity Model Integration method, developed by the Software Engineering Institute, is an approach to performance improvement. CMMI uses a scale of 1 to 5 to gauge an organization’s performance, quality, and profitability maturity level. It allows for mixed mode and objective measurements to be inserted, which some view as critical for measuring risks that are qualitative in nature.
- FAIR: Factor Analysis of Information Risk (FAIR) is a relatively new model that helps organizations quantify risk. The focus is on cyber security and operational risk, with the goal of making more well-informed decisions. Although it’s newer than other frameworks mentioned here, it has gained a lot of traction with Fortune 500 companies.
Most IT governance frameworks are designed to help CIOs evaluate how their IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from its investments.
Where COBIT is used mainly for risk, ITIL helps to streamline service and operations. Although CMMI was originally intended for software engineering, it now involves processes in hardware development, service delivery, and purchasing. As previously mentioned, FAIR is squarely for assessing operational and cyber security risks.
Embed governance into everyday work and other best practices
Experts agree that frameworks are useful, but they also stress that adherence to the framework does not necessarily mean effective IT governance is in place.
“Using a framework is not good if it’s just for the sake of checking boxes,” Stufflebeme says. “It’s important to understand the value of each governance pillar and how you measure each pillar.”
“Frameworks are to guide but not replace critical thinking and business judgment and organizational adaptability,” Abam adds. “If it becomes a document exercise, then I think organizations create an appearance of maturity without truly improving their governance, risk management, and resilience.”
Abam and others say the most effective IT governance programs are those where the controls are embedded into everyday work and where workers know and are empowered to follow the policies established by the governance program.
“A lot of governance today can be done with controls that are built digitally into systems,” says Marco Bill, senior vice president and CIO at Red Hat. He uses AI and automation to make adherence to governance happen easily without slowing work and becoming a bottleneck.
Experts offer other best practices for building a strong IT governance discipline:
- Engage business executives in the process. “It’s important that governance is business-driven and not purely IT-driven; it should be a balance between the two efforts,” Abam says. “That creates a tendency for governance to be more effective, when it’s positioned as an enterprisewide function tied to business operational resilience, customer trust, and business risk management.”
- Treat governance as a continuous activity. “It’s not manual, static reporting or point-in-time audits and annual reports,” Abam explains. Rather, it needs real-time risk monitoring, the use of risk registers, dashboard reporting, and ongoing policy enforcements via automation and continuous monitoring. Embed governance early into transformation initiatives.
- Ensure ongoing stakeholder buy-in. “Governance can’t operate in isolation. It has to have stakeholder buy-in and be collaborative and cross-functional, with ongoing conversations between IT, risk, legal, compliance and other teams, because when IT is disconnected from other leaders, actions become reactive rather than strategic,” Abam says
- Establish clear accountability and ownership. Program components must be owned by leaders who have clear accountability for outcomes, Abam adds.
- Create a distinct AI governance program. AI governance should be address separately, while also being part of the overall IT governance discipline, says Thomas Phelps, CIO and senior vice president of corporate strategy at Laserfiche and an advisory board member for the SIM Research Institute. “Because AI is so new, it’s worth having a separate effort. Plus, AI changes so fast, that you need to address [its governance needs] more often that IT governance,” he adds.
- Integrate IT governance into the corporate governance program. “If it’s done right,” Briggs says, “it’s viewed as part of organizational governance, not IT shop governance or CIO governance.”
More on IT governance:
Read More from This Article: IT governance: Best practices for aligning IT and business strategy
Source: News

