Governance that enables speed, not compliant mediocrity
Mario Beck
2026-06-23
Every AI risk register lists the same things. Data leakage. Compliance failure. Unauthorized use. All real, all worth managing.
Here's the one that never makes the list: the risk of not using AI, or using it so cautiously that you may as well not bother.
This is the easiest risk to ignore, because it never shows up as an incident. A company can spend a year or more perfecting an AI policy while competitors ship, learn, and pull ahead. By the time the policy is signed off, the market has moved. Nothing visibly broke, so nobody calls it a failure. But the cost is real: the product you didn't ship, the hours you didn't save, the ground you quietly gave away while staying perfectly compliant.
I call it compliant mediocrity. Doing everything "right" while the world passes you by. It's the failure mode nobody puts on the register, because it's quiet, and because the people responsible for it are usually being praised for being careful.
Over-governance is a real failure mode
This isn't an argument against governance. It's an argument against the kind that throttles instead of enables.
Think of guardrails on a mountain road. They don't slow you down. They let you take the corners with confidence. Good AI governance does the same thing. It tells you which corners are dangerous so you can move fast on everything else. Bad governance is a roadblock that makes everyone get out and walk.
There's a name for what over-governance quietly costs you: opportunity cost. The value you give up by playing it too safe. It never lands on a budget line or a risk register, which is exactly why it's so easy to keep paying, quarter after quarter.
The goal isn't the lowest-risk AI program. Anyone can achieve zero risk by doing nothing. The goal is the highest-value program you can run safely. That's a different target, and it changes how you design the whole thing.
Govern outcomes, not tools
"Only use approved tools" is a rule you've already lost. Your people are three steps ahead, and the tool list is out of date the day you publish it. Every hour spent maintaining it is an hour spent losing.
The fix is to govern the outcome instead of the tool. "No client data in external systems" is enforceable and stable. The tools can change weekly. The outcome doesn't. Build your governance around a small set of outcomes that must always hold, and you stop chasing a list that never stops moving.
You're in good company here. The NIST AI Risk Management Framework, the most widely adopted AI risk standard, is deliberately outcome-based and technology-neutral. It spells out the results you need to achieve and leaves the specific tools to you, for exactly this reason: the technology moves faster than any approved list can keep up with it.
A one-page model that works:
- Define the outcomes that must always hold. Data boundaries, auditability, human sign-off where the stakes are high.
- Set those as guardrails, then let teams pick the tools that meet them.
- Name an owner for each outcome, so it's somebody's job and not nobody's.
- Review the outcomes quarterly. The tools, never.
Outcome-based governance moves at the speed of your business. Tool-based governance moves at the speed of your last policy meeting.
Why centralized AI governance fails
There's a strong temptation to govern AI the way we govern cybersecurity: central authority, tight control, clear perimeters, standardized tools. It's a proven model. It also won't work for AI, and copying it is why so many AI programs stall.
Cybersecurity works centrally because the threat surface is relatively stable. AI is the opposite. Distributed use, emergent applications, constant experimentation, no clear boundary. Try to approve every tool and use case from headquarters and you become the bottleneck everyone routes around. The control looks tight on paper and leaks at the edges in practice.
What works is federated control, not central command:
- Headquarters sets the principles and the non-negotiable outcomes.
- Teams choose how to meet them, using their own context.
- A light central function curates, supports, and audits, instead of approving everything.
- Accountability sits with the team, measured against clear outcomes.
Clear principles, distributed execution, outcome-based accountability. That's how you govern something that changes faster than your approval process. The tell is speed. If your AI requests sit in a queue for weeks, you don't have control. You have a backlog people are quietly skipping.
This tracks with what the analysts see in practice. McKinsey's guide to the gen AI operating model describes the same arc: most companies begin with a centralized team, then deliberately shift to a federated model as they mature, so AI gets built into everyday workflows instead of waiting in a central queue.
The EU AI Act is guardrails, not a brake
Half the rooms I walk into treat the EU AI Act like a handbrake on innovation. I think that's exactly backwards.
Strip away the legalese and a lot of the Act is just good practice you'd want anyway. Know what AI systems you actually have. Be able to explain why a high-stakes system gave an answer. Keep a human in the loop where the stakes are high. Document your decisions so they survive an audit. If those feel impossible, the problem isn't the regulation. It's that you don't yet have visibility into your own AI.
It helps to know how the Act is actually built. The European Commission's framework sorts AI into four risk tiers: unacceptable (prohibited), high, limited (transparency obligations), and minimal. Most of what a normal company does lands in the minimal or limited tiers, where the burden is light. The heavy obligations are reserved for genuinely high-risk uses like recruitment, credit scoring, and critical infrastructure.
The timeline also gives you more room than the headlines suggest. The Act entered into force on 1 August 2024. Prohibited practices applied from February 2025, and obligations for general-purpose AI models from August 2025. The most demanding wave, the obligations for stand-alone high-risk systems, was pushed back under the Digital Omnibus agreed in 2026, and now applies from 2 December 2027 (with high-risk AI embedded in regulated products following on 2 August 2028).
That's not an excuse to wait. It's time to get visibility in place calmly instead of in a panic. Compliance and speed aren't opposites here. The companies that build the guardrails first are the ones that can floor it later, because they're not afraid of what they'll hit.
Start with the inventory, end with an owner
There's a quiet logic chain in the AI Act that teams miss until late. Without discovery, there's no inventory. Without an inventory, there's no governance. Without governance, you're not compliant. So an AI asset inventory stopped being a nice-to-have and became the foundation everything else sits on. "We didn't know what AI our people were using" is no longer an acceptable answer.
The good news is that an inventory is the most concrete, least theoretical step in the whole thing. A usable one is just a few columns: the system and what it does, the data it touches, the risk level, the owner, and whether it's sanctioned or shadow. Start it as a shared sheet. The point isn't a perfect document. It's that you can finally see what you're governing.
If you'd rather not start from a blank sheet, our free embedded shadow AI scan shows which of your approved tools quietly switched AI on, what data they can reach, and what that means for your AI Act duties. It's a fast way to fill in the first rows.
Your board doesn't need 200 pages of regulation either. It needs a short readiness checklist where each item is a yes or a no, and every "no" is a place to start. Do we have an inventory, including the shadow systems? Can we classify each by risk? Can we explain how the high-stakes ones reach a decision? Is there a human accountable where it matters? Do we keep records that would survive an audit? Does someone own this, by name?
That last one matters most. Ask five leaders "who owns AI governance here?" and you'll get five different answers, or five blank stares. AI risk sits across security, data, legal, and the business, so it falls into the gap between them, and things in the gap don't get governed. They get hoped about. You don't need a Chief AI Officer on day one. You need one named person who can't say "that's not my job," backed by a cross-functional group and real air cover from the top.
Guardrails on a fast road
Governance that blocks produces compliant mediocrity. Governance that enables produces speed you can defend. The difference isn't how strict you are. It's whether you govern outcomes instead of tools, distribute execution instead of centralizing it, and treat visibility as the foundation instead of the afterthought.
The quiet opportunity cost of waiting is the part most teams never put a number on. You can. An AI strategy report maps where the highest-value, lowest-friction AI wins actually sit in your business, and our EU AI Act readiness sprint turns the board checklist above into a concrete, board-ready roadmap.
Prefer to start free? I packaged the practical pieces into a governance starter pack: the one-page outcome-based model, the EU AI Act board checklist, and a starter AI inventory template. You can grab it through our newsletter here.
If you're trying to figure out who should own this in your organization, DM me. It's the question I get asked most, and it's usually the fastest thing to fix.