AI Governance for the Real World

Most AI governance I see is designed to protect the company from itself. It slows every project to the speed of its most nervous stakeholder. That is a mistake. Good governance should make you faster, not safer-on-paper and slower-in-practice.

I run AI and ERP change at Novartis, and I also build my own products. So I sit on both sides: the enterprise that fears the downside, and the founder who ships on Friday. The lesson from both is the same. Governance that blocks gets ignored. Governance that enables gets used.

Here is the version that actually works in the real world.

Start with ownership, not policy

Every AI use case needs one name attached to it. Not a committee. A person who owns the outcome, the failures, and the decision to turn it off.

The moment governance becomes "the AI board will review your request in three weeks," you have lost. People route around it. They paste customer data into a public chatbot and tell no one. Shadow AI is the direct product of slow governance.

Assign an owner per use case before you write a single rule. That owner answers three questions: What does this do? What happens when it is wrong? Who do we call? If nobody can answer those, the use case is not ready, no policy required.

Tier by risk, not by hype

Treating a meeting-notes summarizer like a credit-scoring model is how you kill momentum. Sort use cases into three tiers and match the controls to the tier.

Ninety percent of your use cases are low or medium. If your process treats all of them as high, you have built a bottleneck and called it responsibility.

Design the human fallback first

The question is never "will the AI fail?" It will. The real question is what happens in the ten seconds after it fails.

Before launch, I want to see the manual path. If the model is down, wrong, or hallucinating, how does the work still get done? Who catches it? A use case without a fallback is not automated. It is a single point of failure wearing a nice interface.

If you cannot describe how the process runs without the AI, you are not ready to run it with the AI.

This one rule filters out more bad projects than any compliance checklist. And it forces teams to understand their own process, which is usually where the real value hides.

Monitor what matters, in production

Governance is not a gate you pass once. Models drift. Inputs change. A prompt that worked in April quietly degrades by July. If you only check quality at launch, you are governing a snapshot of a system that no longer exists.

Keep it lightweight but real:

The kill switch matters more than people admit. Teams take bigger, faster bets when they know they can stop cleanly. Confidence to move comes from the ability to reverse.

Write it down on one page

If your AI policy is forty pages, nobody has read it, including the people who wrote it. Mine fits on one: the tiers, the owner rule, the fallback requirement, the monitoring minimums, and who signs off on high-risk. That is the whole thing.

A one-page policy people actually follow beats a forty-page policy people route around. Every time.

Governance is a speed feature

Reframe the whole conversation. The point of governance is not to prevent AI. It is to let a large organization say yes quickly and often, because the guardrails make yes safe.

When ownership is clear, risk is tiered, fallback is designed, and monitoring is live, approval stops being a debate. It becomes a checklist you can clear in a day. That is the outcome C-level should be asking for: not the safest possible AI, but the fastest safe AI.

Build governance that says yes. The rest is just paperwork protecting you from a decision you were too slow to make.


Cédric Bignet is an AI & ERP Change Management expert at Novartis and founder of AInspire. He writes about change management, AI adoption and enterprise transformation.
