Governing Data to Govern AI

rity—and, increasingly, HR), along with a culture of “freedom within a framework” to avoid shadow AI workarounds.

Finally, the session looked ahead: AI governance is still young—“AI governance barely got out of kindergarten”—and metrics, controls, and risks will evolve quickly as autonomous agents and “agent swarms” become more common. The takeaway: governing data is not separate from governing AI; it is the foundation for making AI dependable, scalable, and worth deploying.

Key Takeaways:

• AI governance vs. data governance: data governance defines trusted data (meaning, quality, access, lineage); AI governance defines trusted AI (use, risk controls, testing, monitoring, accountability). Data governance enables AI governance—especially for LLMs and agents.
• Data quality failures don’t just create bad dashboards; they can drive high-stakes AI decisions that are harder to “untrain” or unwind once deployed.
• Manual governance breaks at enterprise scale; organizations need automated visibility (what exists, where it flows, what’s trusted) that updates as fast as AI changes.
• AI governance should enable speed, not block it—otherwise teams will route around controls and create “shadow AI.”
• Effective governance is cross-functional: business domain owners, data/IT teams, and legal/compliance/security (often with HR in the loop as automation reshapes work).
• Success metrics will evolve with maturity—from counting use cases to measuring visibility, traceability, and control as agents become more autonomous.

Detailed Sections

1) When “garbage in, garbage out” becomes a balance-sheet problem

In traditional analytics, bad data often reveals itself with a jolt of common sense: a report looks “off,” a metric spikes unnaturally, a stakeholder raises a hand in a Monday-morning meeting. The AI shift changes both the pace and the blast radius. Models can ingest flawed inputs quietly—missing values, stale tables, misinterpreted definitions—and produce answers with an unnerving confidence that feels actionable. As Richie Cotton put it, “garbage in, garbage out,” but with AI the “out” can look persuasive enough to bypass ordinary skepticism.

The most memorable example came from an oil-and-gas context. An LLM, provided with prompts and “all the context” its operators believed was necessary, generated an insight used for a “pretty critical business driven decision”: where to drill. The result, Somesh Saxena said, was blunt: “It cost the company millions of dollars drilling for oil where no oil existed.” The failure was not framed as an exotic model defect. It was a basic data problem—wrong, missing, or outdated inputs that led to incorrect calculations, then to an expensive operational commitment.

AI makes these problems harder to diagnose for two reasons. First, the “naked eye” test is less available. Unlike a dashboard with obvious anomalies, LLM outputs don’t always carry visible error bars. Second, governance and traceability become central because it can be “much harder to untrain an LLM” and step backward through layers of dependencies to identify which dataset, transformation, or definition caused the error.

What’s notable is that the group did not treat this as an argument against AI adoption. It was a case for disciplined prerequisites: data observability, lineage, documented intent, and explicit accountability. If you want the speed of AI decisions, you need the slower, unglamorous work of data controls—otherwise, the session suggested, the first major “AI win” can quickly become the first high-profile AI failure.

2) Governing at AI speed: visibility, context, and continuous feedback loops

The panel’s core technical argument was that enterprise governance must shift from periodic, manual curation to always-on visibility and automated control. Sarah Levy drew a line between small-scale success and enterprise disappointment. Smaller companies can keep semantics and pipelines “very tightly” managed because scale is contained; the trouble begins “when you go to hire,” when systems, teams, and data surfaces multiply. That is one reason the oft-cited statistic—most AI proofs of concept never scale—was framed as a governance failure in itself: the enterprise cannot reliably move from demos to durable operations.

What changes in the AI era is the velocity of creation. “Data gets created at the speed of AI,” Levy argued, so it must be “mapped and visualized and governed at the speed of AI.” In practice, that means building a continuously updated view of reality: what data assets exist across warehouses, lakehouses, BI tools, quality systems, and security layers; how they connect; and how they’re used. This is also the start of a practical “context layer” for AI: a governed, searchable map of trusted sources and allowed uses that a model, RAG pipeline, or agent can draw from.

The panel also stressed institutional knowledge—what’s trusted, what’s relevant, what belongs to a domain, and what must be excluded. In one example, a company with multiple platforms wanted to deploy AI for customer success. Most of the mapped environment was irrelevant—or actively risky—to expose, including dev environments and experiments. Governance, then, becomes the work of encoding rules that restrict context to what is fit for purpose, rather than indiscriminately feeding “everything” into prompts or retrieval.

The most practical design pattern discussed was continuous feedback. Rather than expecting perfect curation upfront, teams should “close feedback loops” based on AI interactions, identify context gaps, and iteratively improve what the AI can safely see and do. This turns governance from a one-time checklist into an operating loop: observe usage, adjust rules, improve data quality, and repeat.

3) The operating model: ownership, councils, and “freedom within a framework”

Governance fails as often from organizational ambiguity as from technical limitations. The panel returned to a familiar friction point: “who owns your data.” Business leaders may assume IT “owns” the data because it sits in an IT system; IT may insist it is merely a gatekeeper, while the business owns meaning and definitions. AI intensifies this conflict because it puts data into motion—synthesizing, recommending, and increasingly acting—across many systems and teams.

Somesh Saxena outlined a “three legged stool” for governance: business domain owners (who understand what the data means), the data/IT team (who builds and operates the platform and models), and legal/compliance/security (who define policy, permissions, and oversight). Stijn Christiaens widened the lens: in large enterprises, security and privacy can be distinct centers of gravity, and HR increasingly belongs in the room because AI automation “might need to be revisited” across job scopes and processes.

The mechanism the speakers repeatedly circled back to was a cross-functional council—visible enough to matter, connected enough to stay relevant, and practical enough to avoid being “10 people with a pizza.” A council that only writes policy is easy to ignore; a council that helps teams ship safely is harder to bypass. That distinction matters because governance that overreaches can backfire. If controls are too restrictive, either adoption stalls or teams route around it—what Saxena described as “shadow AI” akin to earlier eras of “shadow IT.”

The cultural prescription was consistent: governance should enable speed within boundaries. Levy was especially direct about the futility of policing behavior without instrumentation: “You cannot govern analysts. They’ll find their workaround.” The solution is not to demand perfect compliance; it is to create frameworks that are easy to follow, backed by tooling that provides visibility into what is actually happening. In other words, governance must be designed for human incentives: people will do what it takes to deliver on time. The job is to make the safe path the fast path—and to detect and correct deviations without turning AI into another bureaucratic bottleneck.

4) Measuring success now—and preparing for autonomous agents next

AI governance is still a moving target, and the panel argued that metrics must evolve with it. Early programs often start with simplistic counts—how many use cases exist, how many have been assessed—because organizations need proof of momentum. Christiaens cautioned that these are “temporary metrics.” As AI systems become more agentic and more distributed, governance measurements must shift toward the properties that keep complex systems safe: visibility, traceability, and control.

Visibility means knowing what AI is in play—not only the sanctioned models and applications, but the “shadowy AI” emerging from third-party tools and informal experimentation. Traceability means being able to follow the chain: which agent or application called which other agent; what data sources were accessed; what transformations occurred; and where decisions were made. Control means defining guardrails and measuring whether the system stays within them—an especially urgent need once autonomy increases.

The panel’s forward-looking concern was the transition from chatbots to agents. The chatbot era comes with its own failures—leaking code into public tools, recommending competitors, or producing incorrect policy guidance—but agents raise the stakes. Autonomy can make mistakes propagate faster and wider: an agent that “drops my table” is an anecdote; an agent that drops “my table in production” is a governance incident. As “agent swarms” arrive, the panel suggested, the system of record for what AI exists and what it is allowed to do becomes non-negotiable.

Even in the present, the speakers emphasized trust as a key outcome. Saxena described the goal as “shorten[ing] the trust gap”—moving teams from asking “is the data right?” to asking “what is the data telling me?” That shift is subtle but decisive: it’s the difference between AI as a novelty and AI as an operational tool. For organizations trying to get beyond stalled pilots and into repeatable value, the discussion points to a practical next step: define ownership, build the council, inventory and map data/AI usage, set context and access rules, and then measure improvement through higher visibility, stronger traceability, and fewer governance incidents over time.