For many organisations, AI adoption has happened faster than governance. Business units have embraced generative AI to accelerate content creation, automate reporting, support procurement processes, analyse data and improve employee productivity. However, these deployments have largely happened independently, with varying levels of oversight, different risk tolerances and inconsistent governance controls.
While security teams are expected to monitor and manage AI-related risks, they can lack visibility into how AI is being used across the organisation, what data is being shared with AI platforms, and who ultimately owns the business decisions being influenced by AI-generated outputs.
AI governance is not solely a cyber security issue. It is a cross-functional operational challenge that requires involvement from legal, procurement, HR, data owners and business leadership.
The challenge of fragmented AI adoption
Unlike traditional technology deployments, AI adoption often begins at the individual or departmental level.
Marketing teams use AI to create content. HR teams use it to draft policies and job descriptions. Procurement teams use it to evaluate suppliers and prepare tenders. Finance teams use it to analyse reports and generate summaries.
Each team may be solving legitimate business problems, but few organisations have a complete picture of where AI is being used, what information is being shared, or how AI-generated outputs influence business decisions.
For security teams, this creates a visibility problem. Traditional security controls can identify approved applications and monitor network activity, but they cannot always determine how employees are interacting with AI tools, what data is being submitted, or whether AI-generated content is subsequently used in business-critical decisions.
Without broader organisational accountability, security teams become responsible for managing risks they do not fully control.
Data ownership is becoming a governance issue
Questions surrounding data ownership and intellectual property are becoming increasingly complex as AI adoption grows.
Most large language models have been trained on vast quantities of publicly available internet content. Content creators, publishers and media organisations continue to challenge whether copyrighted material should be used to train AI systems without explicit permission or compensation.
These disputes raise broader questions for organisations adopting AI technologies. Businesses must consider not only how their own intellectual property may be exposed through AI tools, but also whether AI-generated outputs could create future copyright disputes if the underlying training data is successfully challenged in court.
This is not a security problem alone. Data owners, legal teams and business leaders all have a stake in determining how organisational data is used, shared and protected within AI ecosystems.
Legal teams are increasingly concerned about accountability
The legal implications of AI-generated content are also becoming more visible. In 2025, Deloitte Australia agreed to partially refund the Australian government after a report produced with the assistance of generative AI contained fabricated references and incorrect citations. It reportedly included references to non-existent academic papers and a fabricated court quotation, raising questions about validation processes and professional accountability.
While the incident attracted attention because of the financial cost and the household names involved, the broader concern for legal departments is accountability.
If an AI-generated report contains factual errors, who is responsible? If a business decision is based on incorrect AI-generated information, where does liability sit? If AI-generated content creates reputational damage or regulatory exposure, which function owns the risk?
Legal teams are increasingly recognising that AI governance is not simply about technology controls. It is about establishing clear accountability for decisions made using AI-generated outputs.
Procurement faces growing challenges around AI claims
Procurement teams are facing a different problem. As suppliers increasingly promote AI capabilities within products and services, distinguishing genuine capability from marketing claims has become more difficult.
The rise of “AI washing”, where organisations exaggerate or misrepresent the role of AI in their offerings, creates challenges during supplier evaluation and tender processes. Procurement leaders must now assess not only whether suppliers use AI, but also how those capabilities are governed, validated and monitored.
At the same time, suppliers themselves are increasingly using AI to generate bid responses and tender submissions. While this may accelerate proposal creation, it also introduces questions about the accuracy of claims, the provenance of information and the ability to verify supplier capabilities.
Operational leaders own the business outcomes
Ultimately, AI is being adopted to influence business outcomes. Operational leaders are using AI to support decision-making, streamline processes and improve service delivery. As adoption expands, the operational consequences of AI failures become more significant.
An inaccurate report, flawed recommendation or poorly governed automation process may not create a cyber incident, but it can still result in financial losses, regulatory scrutiny, reputational damage or operational disruption.
Business leaders therefore cannot delegate AI governance entirely to security teams. The people responsible for business outcomes must also be accountable for how AI is deployed within their functions.
Security teams remain critical, but cannot own governance alone
Security teams continue to play a central role in AI governance: they provide visibility into technology usage, establish data protection controls, assess third-party risks and help identify unsafe AI practices. However, expecting security teams to own AI governance in isolation is neither practical nor sustainable.
The reality is that AI introduces legal, commercial, operational and ethical considerations that extend well beyond cyber security.
Security leaders are increasingly finding themselves responsible for monitoring AI usage across the organisation while lacking direct authority over many of the business processes driving adoption. Establishing visibility into all AI use cases remains challenging, particularly when employees can access AI tools independently and deploy them in ways that are difficult to track.
The answer is not to place more responsibility on security teams. It is to establish shared accountability across the organisation.
Governance must become a business-wide responsibility
The most mature organisations are beginning to treat AI governance as a business-wide discipline rather than a technology programme.
Security teams provide oversight of technical risks. Legal teams address regulatory and liability concerns. Procurement evaluates supplier claims and contractual obligations. Data owners govern information usage. Operational leaders remain accountable for business outcomes.
AI adoption is accelerating across every business function. Governance structures must evolve at the same pace.
The organisations best positioned to manage AI risk will not be those with the most restrictive security controls. They will be those that establish clear ownership, shared accountability and cross-functional governance before AI adoption outpaces their ability to manage it.