
The Three-Legged Stool of AI Governance




Most organisations are treating AI governance as a compliance problem. A policy to write. A framework to adopt. A box to tick before the regulators arrive.

That framing is wrong. And it's costing them.

AI governance is a structural problem. And like any structure, it fails when one leg is missing.


The image of a three-legged stool is instructive precisely because it's simple. Remove one leg and the stool doesn't wobble. It falls. There's no partial credit for having two out of three.

The same is true of enterprise AI governance. And right now, most organisations are building stools with one leg — or at most two — and wondering why nothing holds.


The first leg: Guardrails

This is the leg most organisations start with. Acceptable use policies. Data classification rules. Content filters. Prompt monitoring. Restrictions on which data can flow to which model.

Guardrails are the technical and policy boundary layer. They define what AI is permitted to do — and more importantly, what it is not.

Done well, guardrails operate in two directions. They protect the organisation from the AI — preventing data exfiltration, regulatory violations, and reputational harm. And they protect users from themselves — reducing the risk that an employee, under time pressure, makes a decision with AI assistance that they'd never sanction in a formal process.

Done poorly, guardrails become security theatre. A policy document that nobody reads. A filter that catches obvious violations and misses nuanced ones. A governance layer that exists to satisfy auditors rather than manage risk.

According to Gartner, 71% of compliance leaders say they lack visibility into their company's AI use cases. You cannot build effective guardrails around systems you cannot see. Which means guardrail design must begin with a simple question: do we actually know what AI is running in our environment?

Most organisations don't. Shadow AI — tools adopted without IT visibility, vendor capabilities embedded quietly in existing software, LLMs accessed through personal accounts on corporate devices — is already inside the perimeter. Guardrails built without an inventory of AI use are guardrails built on fiction.


The second leg: Platform administration and licensing

This is the leg that gets underinvested. And it is more consequential than most technology leaders realise.

Platform administration is not just about software asset management. It's about knowing who has access to what AI capability, under what licence terms, with what data residency commitments, subject to what model training policies, and with what organisational accountability attached to each deployment.

Every AI platform in your environment carries a commercial relationship, a data agreement, and a risk profile. Managing those is not a procurement function. It is a governance function.

Effective AI governance tools offer built-in mappings to NIST AI RMF, EU AI Act classifications, and state-specific regulations — but the tooling is only as good as the administrative rigour behind it. A Copilot licence granted to 5,000 employees without identity governance attached is not a managed capability. It's an exposure.

The licensing dimension matters in a second, less obvious way. AI platform vendors are not static. Their model training policies change. Their data retention commitments evolve. Their ownership structures shift. The organisation that licensed a particular capability eighteen months ago may be operating under materially different terms today — and may not know it.

Platform administration, done properly, is a continuous process. Not a procurement event.


The third leg: Business case validation and value

This is the leg that most organisations skip entirely. And its absence explains why AI investments are generating activity without generating returns.

Only 28% of AI use cases in infrastructure and operations fully succeed and meet ROI expectations, while 20% fail outright, according to a Gartner survey published in April 2026. That is not a technology failure rate. It is a governance failure rate.

The business case is not a slide deck prepared to secure budget approval and then forgotten. The business case is the governing document of an AI initiative. It defines what problem is being solved, what value will be created, how that value will be measured, who is accountable for delivery, and what the exit criteria are if the investment isn't performing.

Over 80% of respondents in a McKinsey study reported no meaningful impact on enterprise-wide EBIT from generative AI deployments, even as executives continued to increase spending. The gap between investment and impact is not mysterious. It is structural. Organisations are approving AI initiatives without the governance rigour they would apply to any other capital allocation decision.

Would you approve a £2 million capital project with no defined success metrics, no accountability owner, and no review cadence? Of course not. But that is exactly how most AI initiatives are being run.

Business case validation is not a finance function applied once at the start. It is an ongoing governance obligation. It asks, periodically and rigorously: is this AI investment still solving the problem it was built to solve? Is the value being realised? Has the risk profile changed? Is the business case still valid?

If the answer is no, the obligation is to stop — or to restructure — not to continue spending because the initiative has momentum.


Why the stool falls

The common failure mode is sequential investment: build guardrails first, sort out platform administration later, never quite get to business case validation because by then the initiative is running and nobody wants to question it.

The result is an AI estate that is partially governed, poorly measured, and increasingly expensive to justify.

Each leg depends on the other two. Guardrails without platform visibility are incomplete. Platform administration without value measurement funds capability for its own sake. Business case validation without guardrails creates pressure to bypass controls in pursuit of ROI.

The three legs are not separate workstreams. They are a single governance structure that must be built together, maintained together, and reported on together.


What this means for technology executives

The EU AI Act entered full enforcement in August 2026. Regulatory scrutiny is no longer theoretical. Boards are being asked AI governance questions they cannot yet answer. 34% of chief executives now identify AI as their top strategic theme — but strategic importance and governance maturity are not the same thing.

A technology executive who presents an AI strategy without all three legs of the governance stool is presenting half a picture. The board deserves the full one.

Not because compliance demands it. Because every significant failure in enterprise AI — data breach, regulatory penalty, wasted investment, eroded trust — will trace back to a governance gap.

And governance gaps, like compromises, have a cost that rarely shows up at the moment of the decision. It shows up later. In the incident report. In the audit finding. In the board conversation nobody wanted to have.


Build the stool properly.

All three legs. At the same time.

