Four strategic shifts to supercharge value creation with your AI governance program

Author

Rachel Brown

Responsible AI Engagement Strategist

Add cybersecurity to the growing list of reasons why every company that uses AI needs strong AI governance: IBM’s July 2025 Cost of a Data Breach Report found that 63% of breached organizations either had no AI governance program or had only a developing program in place. 

“Ungoverned systems are more likely to be breached—and more costly when they are,” warns the report. But as AI, cybersecurity, data and privacy risks increasingly intertwine, it can become more challenging to govern them effectively.

IBM is no stranger to the complexities of governance. The General Data Protection Regulation (GDPR), which entered into force in 2016, spurred us to begin reimagining what governance might look like.

“GDPR was a disrupting, compelling event with an absolute deadline,” says Lee Cox, Vice President for Integrated Governance and Market Readiness. “We had to solve for GDPR with a finite set of resources and a huge number of unknowns. But what we learned then prepared us to make far better-informed decisions about how we oversee compliance and responsibility today.”

Evolving from an internal compliance function to a comprehensive Integrated Governance Program (IGP) hasn’t always been straightforward. However, at IBM, we’ve continued to prioritize innovation and learned valuable lessons as we’ve scaled our governance approach to encompass AI, data and privacy. Here, we share four insights from our experience that can help transform your governance program from an obligation to an opportunity.

1. Set short-term goals, have long-term vision

Generally speaking, AI principles have converged around the world, but AI policy is diverging fast. There is little agreement on how AI principles should be implemented, and countries and regions are taking different approaches to codifying these principles through regulation. Governance programs need to be adaptable by design to withstand new headwinds while staying true to your organization’s unique values and objectives.

“New challenges are constantly arising,” says Cox. “Your governance program might be in great shape today, but it will need to evolve over time. Don’t just think about where it needs to be next quarter. Think about where it needs to be in a year or two.”  

You also need to monitor evolving and emerging technologies. Nobody has a crystal ball to know exactly what’s coming next. However, risk and compliance leaders should stay attuned to industry developments to anticipate the governance challenges that the next emerging technology might bring. Building flexibility into your governance framework empowers you to quickly adjust to technological and regulatory changes.  

Adapting IGP to meet the idiosyncrasies of emerging technologies and regulations pushed us “to really, truly live in an agile fashion,” says Neera Mathur, Distinguished Engineer and CTO for Trusted Data & Privacy Engineering Strategy and Solutions. “Agility means being able to pivot: to make a decision, fail fast and revert to a different solution. And we made many of those throughout the IGP journey.”

Building your program modularly empowers you to achieve your short-term objectives while progressing toward your long-term vision—with space to pivot when it’s necessary. “Whether it’s scaling in three dimensions or adding more domains, if you’re not building modularity into the fabric of your program’s architecture, then all you’re doing is adding incremental layers and extending silos,” warns Cox. 

2. Build trust from the inside out

Fostering trust is a critical function of any enterprise AI governance program: not only client trust but also brand trust and integrity. But you can’t foster trust on the outside without first building trust within. Cocreating your governance program with various stakeholder teams creates a foundation of internal trust that can accelerate progress and resonate externally. Developing close partnerships across the enterprise is key.

At IBM, IGP was developed as a joint effort between the Office of Privacy and Responsible Technology, the Chief Data Office, the Legal Regulatory team and the IBM Responsible Technology Board. 

From the program’s earliest days, “we sat together in joint design sessions having discussions around what works and what doesn’t work, around what the possibilities were, and what visions we could in fact build upon,” recalls Mathur. 

“We became a unified governance program in a short amount of time because we didn’t work in silos. It didn’t start off all rosy. But we learned to trust each other, to work with each other and learned from each other.”

Uniting stakeholder teams under a single mission supported by shared objectives can also accelerate leadership buy-in. “If I could wave a magic wand and do it differently, the biggest change for me would be building an absolutely understandable business case [for senior and executive leadership] earlier on,” says Cox. “With more unification sooner, I think we could be even further along.”  

3. Obsess over user experience

The concept of governance carries much baggage. Your users might assume it involves cumbersome paperwork, lost time, and complex requirements. But governance can be a seamless and minimally disruptive experience if you focus on two key aspects: innovation and automation.

“My highest priority [with IGP] is reducing compliance fatigue,” says Mathur. “Data owners have day jobs. They don’t have time to read all these hundreds of regulations. And just having standards listed out isn’t going to work. They need technology to enable their understanding of how to meet those regulations.” 

IBM is infusing AI into IGP to reduce the manual effort required of both our users and our governance and compliance officers. For example, proactive notifications that identify and flag potential compliance issues early save time and frustration. And we’re not shying away from what Cox calls “impossible challenges” that can fundamentally change the governance experience, like do-it-for-me capabilities enabled by automation and agentic AI. 

“Ultimately, I don’t want a user to just be notified about a potential issue. I want IGP to act as a risk advisor that provides recommendations and then acts on the user’s informed decisions.” Agentic risk advisor capabilities are coming to IGP later this year. 

Scalability is key to AI governance as an accelerator. Governance impacts many different personas across the enterprise. Some, like risk and compliance officers, are obvious. Others, like designers and sellers, are not. 

Building a governance program that is an enabler and not an impediment means scaling to more personas and understanding how governance can be an accelerator for their work.

As IBM developed the system that underpins IGP, “we always made sure we were listening to the client—and in this case, the client was IBM,” explains Mathur. For example, the IBM AI Model & Data Catalog is integrated with IGP, saving developers and data scientists time with ready access to models and datasets that are precleared for potential reuse.  

When it comes to user experience, don’t settle for good enough. Capitalize on the close partnerships that you’ve developed across the enterprise to get insights about personas and use cases. Ask yourself: How do we simplify the process even more? Where can we make it more lightweight? What would make governance feel less like an impediment and more like an accelerator? 

4. Don’t just deflect cost—find ways to add value

Avoiding regulatory action is—and should be—a central focus of any AI governance program. From fines to reputational damage, incurring regulatory sanctions is bad business. But your AI governance program can do more than just deflect potential costs. It can also be a source of untapped value for your organization’s portfolio. 

At IBM, we’re deploying our own technology internally as “Client Zero,” creating an enterprise-wide proving ground to refine our tools before we offer them to our clients. Our Integrated Governance Program is built on IBM technology, including IBM® watsonx.governance®, making it a living lab for our products. 

“Ultimately, our clients benefit from this whole concept,” explains Cox. “By our lived experience using our technology, we have internal cost savings. We’re sharing our feedback with the product teams, adding value to the portfolio. We’re making it easier to address the market opportunity. That’s a recipe for success.” 

Mathur agrees. “We started working with the product teams to enhance the product set based on the lessons we were learning about adopting our products by deploying them across our company. Today, we’re collaborating with the watsonx.governance team to collaborate on new capabilities for their portfolio, guided by our living lab experience.” 

Not every AI governance program can be a living lab like IGP. However, every program can and should add value—and there are many avenues to explore when quantifying the value of responsible AI. Find one that fits your unique program and use it to draw a clear through line from AI governance to your organization’s bottom line. 

Reimagining what’s possible with AI governance

Innovation and responsibility are not mutually exclusive. In fact, a strong AI governance program can accelerate your path from pilot to profit and empower you to deploy with confidence. At IBM, our experience building the Integrated Governance Program has given us a blueprint for bringing AI to market with speed and trust. The obligation of governance is real—but so is the opportunity.
