
New research from Reading Room has found that security and compliance concerns are consistently cited as the top blockers and causes of slowdown within AI and wider digital transformation programmes. That is not surprising given tightening regulation, including the EU AI Act as it enters enforcement, which means many boards now demand demonstrable AI governance. As a result, anxiety about getting AI governance right is building within organisations around the globe. However, it doesn’t need to be as complicated as it initially appears.
Many organisations are treating AI governance as an entirely new challenge, yet in reality, many of the principles already exist within established governance frameworks such as those relating to data security, information management and risk management. When you think about it this way, AI governance doesn’t have to feel as threatening and insurmountable as it currently does to many.
Finding the familiar in the new
It’s understandable that AI governance feels daunting. Generative AI in particular has arrived with rapid speed, accompanied by a wave of regulatory pressure and a consistent stream of media attention and headlines about hallucinations, data leakage, and potential algorithm bias. Against this backdrop, many organisations are treating AI governance as an entirely new discipline that requires new structures, expertise, and investment.
However, I’d argue that it’s not all that different from what organisations have been governing for years. The foundational principles of AI governance are not new. For most mature organisations they’re very much embedded in frameworks that they already operate. For example, data protection and information governance determine how sensitive data is collected, stored, and used. These principles apply just as readily to AI training datasets and the information shared with LLMs. Risk management frameworks already provide structured processes for identifying, assessing, and mitigating operational and reputational risk, elements also required when adopting an AI system. The cybersecurity controls that organisations have had to enforce over the past few years, as attackers have grown more sophisticated, apply directly to AI models, APIs, and the data pipelines that feed them: authentication and access control on inference endpoints, logging of who queries what, secrets management for API keys, and integrity checks on training and retrieval data are the same controls, pointed at new assets.
When you consider all of this, AI governance doesn’t have to feel so overwhelming. For most organisations, it’s a matter of extending and adapting what already works, rather than building something completely from scratch.
Governance as the backbone of any digital project
But it’s not just about what we’re governing, it’s how we’re doing it. The most successful AI projects involve security, compliance and governance teams from the very beginning and then consistently throughout, not just before release or at the procurement stage. It’s common for AI projects to be conceived and launched by enthusiastic members of tech, product or business teams who want to experiment with how the technology can streamline their workloads and improve ways of working. Often, by the time security, compliance or legal teams get involved, significant investment has already been made and it is costly and disruptive to redesign a model or data pipeline at that stage. The review is then rushed or cut short, and the result can be that AI systems are deployed carrying risks that could easily have been avoided by involving the right people earlier.
It’s worth challenging here the assumption that rigorous governance means heavy-handed governance. Traditional governance models often rely on large upfront approvals built on assumptions rather than evidence, typically centring on a single, high-stakes sign-off before work begins. A more effective approach is to break AI programmes into smaller phases, allowing organisations to validate ideas, assess risks, and learn incrementally as the project develops. This iterative model strengthens governance, because each decision is grounded in what has actually been observed rather than in what the organisation expected to happen.
Organisations shouldn’t treat governance as an obstacle to progress, but instead, a mechanism for better decision-making. Effective oversight is less about the number of reviews involved and more about clarity of accountability: knowing who’s responsible for what and at which point in the process. Business and technology leaders need to view governance colleagues as essential teammates who help projects succeed rather than gatekeepers who slow things down. In an environment where a single AI-related incident can attract regulatory scrutiny and significant reputational damage, effective governance isn’t just a nice to have.
The risk of shadow AI
It would be remiss to have the governance conversation without highlighting the risks of shadow AI. A recent study by UpGuard found that more than 80% of the workforce use unapproved AI tools at work. Employees using unapproved tools add another layer of risk to manage, yet the best way to reduce shadow AI isn’t through restriction alone. Most organisations will find it very difficult to police AI use completely unless they lock it down entirely, and even then, what’s to stop employees from using a personal device to reach the same tools?
Instead of trying to prohibit use outright, organisations should provide clear policies, approved tools and practical guidance that make responsible AI use the easiest option. Policies can start simple: for example, not allowing work data in consumer-tier free services or personal accounts, and requiring anything work-related to go through an organisation-approved AI service. Employees should understand what information can and can’t be shared with AI tools. Personal, confidential, client or commercially sensitive information should only be entered into approved AI services where appropriate safeguards are in place. Staff should also be educated on how different AI providers handle submitted data, as data retention, processing and model training practices vary between services and between tiers of the same service; enterprise agreements typically carry contractual commitments on retention and on not training on customer data that consumer tiers do not, so those terms should be checked when a service is approved rather than assumed. Many of these considerations are extensions of existing data protection, information security and data handling policies rather than entirely new governance challenges.
Moving from anxiety to action
AI governance is a genuine challenge, but it’s not a brand new or unworkable one. Organisations that already have strong governance frameworks for data security, information management and risk management already have the foundations there. Now it’s about using what’s relevant from these existing frameworks and tweaking and applying them in AI specific contexts.
Crucially, organisations should ensure they are involving governance teams and AI experts right from the start of a project and throughout, not just as a stamp of approval at the end. Ultimately, those that will navigate AI governance most successfully are those that treat it as an extension of the thoughtful, structured approach to risk that good organisations have always taken.
About Reading Room
Reading Room is an independent digital agency that designs, builds and continuously improves complex digital platforms for organisations with high-stakes digital needs.
Founded in 1996, Reading Room combines deep technical expertise with strategy, UX, data and long-term support to help clients modernise, scale and improve the digital products and platforms their audiences rely on.
The agency works with organisations across the public, health, travel, property, membership and commercial sectors, with experience supporting clients where performance, security, accessibility and trust really matter.
With teams across the UK and internationally, Reading Room provides the strategic thinking, engineering capability and ongoing partnership needed to deliver robust, secure and high-performing digital services that continue to evolve over time.


