Logo
FrontierNews.ai

Why Companies Are Scrambling to Prove They Can Actually Govern AI

The pressure on corporate boards to demonstrate structured AI governance has intensified dramatically in 2026, driven by evolving regulations, investor expectations, and litigation risks. Only 8% of over 3,000 US companies reviewed disclosed board-level AI oversight, and just 9% acknowledged having AI policies, according to recent research cited by legal firm Freshfields. Yet regulators, investors, and proxy advisors are making AI governance a defining theme this year, leaving many organizations scrambling to catch up.

The shift reflects a fundamental change in how the business world views artificial intelligence. AI has moved from being treated as a novel technology to adopt quickly into a strategic asset that requires formal governance structures, risk assessments, and accountability mechanisms. This transition is happening faster than many companies anticipated, creating what experts describe as a critical gap between current practices and emerging expectations.

What's Driving the Sudden Demand for AI Governance?

Three converging forces are pushing AI governance to the top of corporate agendas. First, regulatory frameworks are multiplying globally. The European Union's AI Act remains the most prominent, but the US now has over 450 enacted and pending state laws regulating AI use, with comprehensive governance laws like Colorado's AI Act applying across sectors. Second, agentic AI systems, which can plan and act autonomously without human intervention, have raised the stakes considerably. These systems require new accountability structures and traceability mechanisms that traditional governance models don't address. Third, institutional investors and proxy advisors have made AI governance a voting priority, signaling that boards must articulate their AI strategy clearly or face shareholder pressure.

The practical consequence is that companies can no longer treat AI governance as a compliance checkbox. Regulators expect organizations to understand their AI use cases, conduct risk assessments, implement safeguards, and monitor outcomes, even when deploying third-party AI tools rather than developing them in-house.

How Are Organizations Building AI Governance Frameworks?

To help organizations move beyond fragmented, ad hoc controls, the CMMI Institute launched the AI Maturity Model (CMMI AIM) in July 2026. The framework provides a structured approach for governance, risk, compliance, and security teams to assess and improve their AI governance capabilities over time. The model extends existing performance improvement practices with AI-specific guidance and includes assessment and certification pathways, training courses, and appraisals for organizations seeking formal validation of their progress.

The CMMI AIM framework applies AI-related guidance across 31 practice areas and introduces eight key domains that organizations should address:

  • Data Management: Ensuring data lineage, quality, and proper handling across AI systems
  • Development Practices: Establishing consistent processes for building and deploying AI solutions
  • People and Workforce: Preparing teams with the skills and knowledge needed for AI adoption
  • Safety: Addressing the safe use of AI systems and preventing unintended harms
  • Security: Securing AI platforms, tools, and infrastructure against threats
  • Service Delivery: Ensuring AI systems support business operations reliably
  • Supplier Management: Managing risks in partner ecosystems and third-party AI tools
  • Virtual Collaboration: Supporting distributed teams working on AI systems

The model was developed by a working group of more than 25 industry experts and tested by organizations including IBM Consulting, Infosys, and Government Technical Services Corporation. This collaborative approach reflects a broader industry recognition that AI governance requires cross-functional expertise and shared best practices.

What Specific Risks Are Regulators and Investors Focused On?

The regulatory landscape reveals where organizations face the highest scrutiny. High-risk AI applications, particularly those making consequential decisions about people in areas like employment, housing, healthcare, finance, insurance, education, and legal services, face heightened oversight. Additionally, child safety and consumer protection have become active enforcement priorities, with multiple states enacting laws regulating AI chatbots and requiring disclosures about AI identity, self-harm prevention, and safeguards for minors.

Litigation trends underscore the urgency. Nearly half of US in-house counsel reported increased AI-related dispute exposure at both federal (46%) and state (42%) levels, and 41% identified AI-enabled products and deployments as likely triggers of class action litigation in 2026. These disputes span product liability claims, employment discrimination, healthcare compliance, and consumer protection violations.

"For almost every organisation, AI is a priority, but far fewer show that they are managing it with real discipline, let alone consistent performance innovation. Closing that gap is where the real return on AI investment is unlocked," said Ron Lear, Vice President of Global CMMI Strategies.

Ron Lear, Vice President of Global CMMI Strategies, CMMI Institute

Why Is Board-Level Oversight Becoming Non-Negotiable?

Regulators and investors expect management and supervisory boards to have the competence to scrutinize AI strategy and hold their organizations accountable, even though regulations like the EU AI Act don't prescribe a specific governance model. This expectation is intensifying as proxy advisors and institutional investors make AI governance a defining theme of shareholder voting. Glass Lewis, a major proxy advisor, stated plainly in March 2026 that AI governance and related disclosures would likely be top of mind for issuers and investors.

The message to boards is clear: this is not a future problem. It is a current expectation that applies globally, whether companies are navigating the EU AI Act in Europe, state-level laws in the US, or investor and regulatory expectations in the UK. Companies that get ahead of this challenge will build trust with investors and regulators, while those that delay will find themselves playing catch-up in an increasingly unforgiving environment.

"Europe is at an inflection point with AI, building AI factories, supporting startups and investing towards enabling the European economy. CMMI AIM provides a practical framework to help organisations operationalise sustainable innovation through AI, planning, implementing and continuously measuring maturity towards maximizing return on investment and ensuring stakeholder trust," said Chris Dimitriadis, Chief Global Strategy Officer at ISACA.

Chris Dimitriadis, Chief Global Strategy Officer, ISACA

What Should Organizations Do Right Now?

The most important first step is understanding your AI use cases and the risks they pose. Not all AI carries the same level of risk; an internal chatbot helping employees locate policies presents very different legal and operational risks than an AI system screening job applicants or making insurance decisions. Organizations should conduct risk assessments tailored to each use case, implement safeguards appropriate to the level of risk, and establish monitoring processes to track outcomes over time.

Beyond risk assessment, organizations need to build internal accountability structures. This means assigning clear responsibility for AI governance, establishing evidence-based processes that can be audited and improved, and ensuring that governance keeps pace with the rapid evolution of AI capabilities. The CMMI AIM framework and similar tools provide structured pathways for organizations to measure their maturity and identify gaps.

Finally, organizations should recognize that existing legal frameworks already apply to AI use, even if AI is not mentioned in the statute. Employment discrimination laws, healthcare privacy regulations, consumer protection statutes, and professional licensing requirements all govern how AI can be used in their respective domains. Compliance with these existing frameworks is not optional, and regulators are actively using them to enforce AI governance standards.

The trajectory is clear: AI governance is no longer a nice-to-have or a future consideration. It is a present-day business imperative that affects how investors, regulators, and the market assess the quality of corporate governance. Organizations that treat it as such will navigate the evolving regulatory landscape more successfully and build the trust needed to realize the benefits of AI innovation defensibly.