AI Governance: Why Compliance Is the Wrong Owner

6/10/2026 | 4 min read


The hottest compliance topic right now is AI governance. Firms are rolling out policies, forming committees, and tasking compliance departments with writing the rules. The instinct makes sense on the surface: AI introduces new risks, and managing risk is what compliance does.

The problem is that compliance is being asked to govern something it does not fully understand. The result, at most large institutions, is AI adoption that is slow, defensive, and largely ineffective.

The Illusion of Control

Here is a telling example. When a well-known LLM vendor needed to use AI to test its own proprietary code, it couldn't use its standard LLM product. Instead, it had to build a completely isolated, air-gapped deployment with no connection to the outside world, specifically to ensure that sensitive code had no chance of leaving its control. Read that again: the company that built the LLM didn't trust its standard data controls with its most sensitive information.

If that doesn't give your compliance team pause, it should.

I spoke with a senior AI infrastructure engineer at a major technology firm who was direct on this point: true data ring-fencing is, in his words, impossible. AI vendors are contractually prohibited from using client data to train their models, and most have policies that say exactly that. But the architecture of AI systems makes it extremely difficult to guarantee, in practice, that data shared with an AI platform remains isolated. Anecdotal evidence from inside the industry suggests the gap between contractual obligation and operational reality is wider than most compliance teams appreciate.

When you use a hosted AI tool, your data leaves the organization. It travels to the vendor's data centers, where it is processed, potentially retained, and handled in ways that are difficult for the customer to audit. This is not a fringe concern. It is part of the reason those massive AI data centers being built across the country exist. They are being filled with something, and a significant part of that something is information submitted by users like your employees and your clients.

Compliance's Blind Spot

Most compliance-led AI governance frameworks ask the same three questions: who is authorized to use AI, what is AI permitted to be used for, and what controls exist over the data? These are reasonable questions. They are just not the right questions to be leading with, and compliance is not the right function to be answering them.

Compliance's instinct when faced with uncertainty is to restrict. That is not a criticism; it is how the function is designed. When the risk calculus is unclear, the compliant answer is to limit exposure. The result at most large institutions is that AI usage is either blocked outright, buried under approval processes, or confined to such narrow use cases that the productivity benefit is negligible. Anyone who has tried to roll out AI tools inside a large bank, law firm, or asset manager knows exactly what this looks like.

The Operational Framework

If compliance should not own AI governance, who should? Operations.

The right questions for governing AI are operational ones. Are the people using these tools properly trained? Do they understand what AI does well and where it produces convincing hallucinations? Is there a review process for AI-generated work product before it reaches a client or a decision-maker? Is efficiency actually being measured, or are we just assuming it exists? What does quality control look like when part of the process is a black box?

These are not compliance questions. They are process questions, and operations is equipped to answer them. Operational oversight of AI looks like training programs, workflow integration, output review standards, and continuous improvement loops. It looks like treating AI the way firms treat any other productivity tool: with accountability for results, not just accountability for risk avoidance.

Compliance still has a role. Vendor due diligence, regulatory reporting obligations, audit trail requirements, and client disclosure considerations are all legitimately within compliance's domain. But owning the governance framework end-to-end is a different matter, and the track record so far suggests it is not working.

The Bigger Picture

The firms that figure this out first will have a meaningful competitive advantage. AI is not a compliance problem to be managed. It is an operational capability to be developed. The sooner governance structures reflect that distinction, the sooner firms will begin realizing what AI can actually do.

The LLM story is worth keeping in mind. If the architects of these tools don't fully trust their own standard controls with sensitive information, the answer is not to write a better policy. The answer is to understand the technology well enough to use it intelligently, and to build the operational discipline to do so responsibly.

Why ESG Gets This Right

For investment firms, ESG identifies governance-related risks using non-financial factors. So what are a firm's ESG risks related to AI? They are operational risks and business risks. Operationally, the risk arises when business decisions or client reporting contain AI hallucinations; the business risk arises when AI's productivity gains are not being achieved. Much like cloud computing 15 years ago, AI is a technology that improves business efficiency but operates in an environment outside a firm's control. An ESG lens makes the conclusion clear: the biggest AI risk is failing to maximize its benefits while minimizing operational risk.

Compliance should ensure that internal processes and client commitments conform to operational best practices, not the other way around.

About ESG Administration

ESG Administration (ESGA) was established in 2018 by Joe Holman with a mission of integrating ESG principles into the investment process by identifying sources of ESG risk and opportunity. Since then, ESGA has evolved into a trusted partner for corporations seeking to outsource their ESG reporting responsibilities. Our services span a wide range of frameworks, including CSRD, CDP, EcoVadis, and comprehensive greenhouse gas (GHG) emissions disclosure.

To learn more about ESG Administration, contact Joe Holman at joe.holman@esgadmin.com
