May 29, 2026
Key takeaways
  • Prompt injection attacks manipulate AI guardrails using natural language, exploiting the semantic gap to get models to ignore developer instructions.
  • AI social engineering scales faster and lowers attacker skill barriers, enabling automated, targeted campaigns like deepfakes and credential theft.
  • Primary harms include data exfiltration, unauthorized transactions, and malicious or biased outputs that damage reputation and operations.
  • Defenses are immature and require layered controls: human in the loop, prompt firewalls, input sanitization, least privilege, fuzz testing, patching, and user training.

Last Updated on June 2, 2026

The same pattern emerges in many of the conversations I have with prospects about AI strategy and governance. They view AI strategy and AI governance as two parallel tracks. Strategy lives with the executive team, usually the CIO, and is focused on productivity gains. Governance (if it exists) usually involves InfoSec, Legal, or Compliance and is focused on securing AI and ensuring it is compliant. The strategy track is moving fast, while use cases are outpacing the governance track, which is moving more slowly. 

 

Both teams are working hard and making progress, but the result will be compromised because the structure itself is wrong.

 

AI governance is not a sibling of AI strategy—it is an integral element of AI strategy. When you separate the two, you get discoordination and actively undermine the strategy you are trying to execute.

Why this split is common

The tendency to split AI strategy and governance stems from how we historically think about technology risk. “Governance” (provided by Security/Legal/Compliance) has long been the control function that sat downstream of decisions made by others. “Strategy” (the province of the CXO Suite) has been about deciding what to build, and IT made strategic decisions on how to build it. The model worked reasonably well because traditional IT systems were largely predictable with predictable failure modes.

 

But AI breaks that model because it is probabilistic, not deterministic, and thus far less predictable. The decisions that determine whether an AI capability succeeds or fails are not separable from the controls that keep it safe.

 

Where you source training data, how you handle model drift, what human-in-the-loop checks you build, which use cases you say no to, how you explain decisions to customers, what you monitor and log… These are strategy and governance decisions that should be made simultaneously by the same people on the same artifacts. Not doing so degrades both strategy and governance.

What should AI strategy look like?

A good AI strategy has five components. Most organizations don’t have all five, and the gaps are usually governance related.

 

  • Vision and intent. A clear, business-grounded point of view on how AI will change how the organization operates or competes. Not “We will use AI.” Not “We will be AI-first.” The vision must be specific enough that you can test a use case against it. Like: “AI will compress our cycle time, let us serve a customer segment we previously could not reach, and help us absorb margin compression without losing service quality.” One of our more successful AI-embracing clients uses the S.M.A.R.T. goals framework to ensure their vision is well defined.  
  • Use case portfolio. A ranked, resourced set of AI-enabled systems/applications that are aligned with the vision. Each use case should have a hypothesis, an owner, an ROI target, and a risk classification. The portfolio should have funded bets and clear go/no-go criteria. 
  • Operating model. How AI gets built, bought, and run inside the organization. This includes funding models, talent strategy, partner mix, and build/buy criteria. AI has a seat on the org chart, with clear responsibility for which models can be used, and relationships with AI enablement partners (e.g., model providers, key AI-enabled SaaS, consulting/development/governance partners).  
  • Execution rhythm. How will the business manage its AI initiatives? What is the cadence at which strategy is reviewed, use case intake occurs, and value/ROI is measured? How will we monitor AI systems to identify harmful behavior before it causes irreparable harm? With AI capability doubling on a timeline measured in months, your strategy cannot be adjusted annually; it must be validated and tuned continually.
  • Risk tolerance and governance. What is the organization willing or not willing to risk, and what mechanisms will it use to stay inside those lines? This is the AI strategy component that is most often deferred or missing. Relegating this to a separate document owned by a separate team is a structural mistake.

 

The first four components describe what the organization aims to achieve with AI. The fifth describes the conditions necessary for it to do so. Without the fifth, the first four are aspirational.

Governance enables each component

Governance is key to realizing the other four components of AI strategy:

 

  • Vision and intent – A vision that ignores what the organization is allowed to do is a vision in name only. The most ambitious AI use cases in many industries, such as automated underwriting, AI-assisted clinical decisions, hiring screens, credit decisions, or AI impacting minors or critical infrastructure, are use cases the EU AI Act classifies as high-risk under Annex III. A vision that includes “we will use AI to transform our customer experience” without determining if any of those use cases will be high-risk under the Act is incomplete.

    The vision is not constrained by governance. It is informed by it. This is where the NIST AI Risk Management Framework earns its keep. The MAP function exists to characterize the context in which an AI system will operate, including its purpose, the people affected, and the legal and ethical environment. MAP is a governance activity and a strategy activity. It allows you to determine if the risks (regulatory, contractual, technological, etc.) associated with a prospective AI use case outweigh the benefit you expect to achieve, before you invest time, resources, and money.  
  • Use case portfolio – The portfolio is where the strategy/governance split does the most visible damage. Consider this scenario: the strategy team identifies twenty high-value use cases. The governance team, brought in late, vetoes seven of them outright and adds compliance overhead to six more, doubling the cost and killing time-to-value. The strategy team sees the governance team as a roadblock, and the governance team is frustrated because this could have been avoided if they had been engaged earlier. Both are right, and the outcome is bad.

    The fix is to make risk tiering part of use case selection, not a downstream filter. ISO 42001 Annex A includes controls for AI system impact assessments precisely so that this evaluation happens at the front of the process, when alternatives are still cheap. When a governance practitioner sits at the use case prioritization table, two things change. Higher-risk use cases get evaluated with the cost of risk management and compliance built into the business case from day one. And use cases that are reputationally or ethically not permissible are surfaced before funding is committed.

    A practical example: A client wanted to deploy AI to screen inbound resumes. The strategy team ranked it as their top initiative based on ROI. Sitting in the portfolio review, we walked through the obligations: bias testing and documentation under the EU AI Act if any candidates are EU-based, NYC Local Law 144 disclosure requirements if any positions are in New York City, the active Workday class action lawsuit as a signal of the legal environment, and the ABA-equivalent professional standards that apply to legal hiring specifically. The use case did not get killed. It got reshaped, with explicit scope, oversight, and documentation requirements priced in, and an explicit decision not to deploy in two jurisdictions where the regulatory risk outweighed the upside. That is a governance-enabling strategy, not a constraint. 
  • Operating model – Here governance acts as scaffolding. Who has the authority to approve a new model? Who owns the relationship with a model provider when contract terms change? Who decides the risk for an AI use case? How do we respond when an AI system misbehaves? These are not optional questions. AI risk management frameworks and regulations all require an accountability framework defining these responsibilities.  It’s both logical and strategic; you can’t run a portfolio of AI bets across multiple business units without clear decision rights. Governance is just the discipline that forces you to establish your “AI Org Chart” so that you don’t discover, in the middle of a significant incident, that your Incident Response Plan doesn’t cover AI incidents.  
  • Execution rhythm – This is where the integration of governance into strategy is least appreciated. The strategy team thinks of rhythm as quarterly business reviews of AI use cases. The governance team views rhythm as quarterly risk reviews, auditing operational AI to ensure it operates within established metrics, and control testing. These are the same cadence, and they should be the same meeting. The NIST AI Risk Management Framework treats the four functions—GOVERN, MAP, MEASURE, MANAGE—as continuous and iterative, not sequential. Risk management is explicitly a lifecycle activity.

    Similarly, ISO 42001 Clauses 9 and 10 build the management review and continual improvement cycle into that standard. The EU AI Act, in Articles 9, 17, and 72, requires the risk management process and the post-market monitoring system to be continuous and iterative across the lifetime of a high-risk system. In practice, this means the governance cycle is the strategy cycle. The same review that asks, “Strategy, is this use case delivering business value?” should also ask, “Governance, is this use case still operating inside our risk tolerance?” Because the answer to the second question often changes the answer to the first. An AI system that was approved six months ago may now be at risk because of changes in context (e.g., the model provider changes its terms of service, a new state law comes into effect, monitoring shows it is drifting, or the threat landscape changes).
  • Risk tolerance and governance – This is the component most often marginalized as a separate element. Your risk appetite establishes what you will and will not do with AI, what data you will and will not feed it, and what oversight/monitoring you require at each risk classification. So, it is a critical strategy input. When management fails to define its risk appetite and how that is determined, each use case becomes a debate. Should we let this team use ChatGPT? Should we allow customer data in this RAG pipeline? Should we let this agent execute writes against our CRM? It is important to formally document how you assess AI use case risk (e.g., using a methodology such as an OWASP 4Q Threat Model). This provides a consistent and repeatable risk-based process for making good AI use case decisions.

Three external drivers to integrate AI governance and strategy 

Up to now I’ve been outlining internal reasons to recognize AI governance as part of AI strategy. But there are also significant external pressures:

 

  • Regulatory pressures – The EU AI Act entered into force on 1 August 2024. The EU AI Act's high-risk requirements come into effect in December 2027. Given the complexity of implementing these requirements, it is advisable to put a plan in place now. State laws in the US are moving in parallel. Laws in Colorado, Illinois, Texas, and California, along with NYC Local Law 144, are all in force or imminently will be. The regulatory environment will not be simpler in twelve months than it is today.
  • Clients are asking – AI-specific clauses in master service agreements, AI use disclosure requirements in customer questionnaires, and ISO 42001 alignment requests in vendor due diligence packs are becoming more commonplace. Sophisticated clients now treat AI governance the way they used to treat ISO 27001 or SOC 2 compliance: as a basic requirement for doing business. Without a credible AI governance program, you risk losing both new and existing customers. 
  • Insurers are asking – D&O, E&O, and cyber underwriters have added AI questions to renewals. Many carriers are introducing AI-specific exclusions or sub-limits. Having a strong governance program will positively impact premiums and your ability to be covered for AI incidents.

 

If you read this far, I’m flattered. 

 

How to ace the AI strategy and governance challenge? Align your AI program with the NIST AI Risk Management Framework or ISO 42001.

 

Both naturally integrate governance and strategy, because they recognize that AI risk management is not a control layer that sits on top of the AI program. It is the AI program, viewed from a different and informative perspective.

 

Organizations that adopt these frameworks build faster, not slower. They make fewer missteps. They have better conversations with customers, auditors, and boards. And when a regulator shows up, an insurer asks the hard question, or a major client wants evidence that you are managing AI risk effectively, they have the answers to the test.
