AI governance Stiliyana Simeonova · Epsilon Labs

Why AI governance fails before it starts

Most organisations approach AI governance as a compliance exercise. The ones that get it right treat it as a design constraint from day one — and the gap between those two approaches is where most of the risk lives.

The compliance trap

When a board asks for an AI governance framework, the default response is to assign it to the legal or compliance team. A policy document gets written. A register of AI use cases is created. Someone is named as responsible. The box is ticked.

The problem is that by the time this process begins, the organisation has usually already made most of the consequential decisions. The models have been selected. The vendors have been contracted. The data pipelines are running. Governance arrives after the architecture, not before it — and at that point it can only constrain or audit, not shape.

What design-first governance looks like

Organisations that govern AI well tend to share a common pattern: they treat governance questions as architecture questions. Before any AI initiative gets past the discovery phase, a small set of non-negotiable questions get answered.

What data will this model be trained on or have access to? Who bears accountability if the model produces a harmful or incorrect output? What does meaningful human oversight look like in practice — not in policy, but in the actual workflow? What happens when the model fails, and how will that failure be detected?

These are not compliance questions. They are design questions. And they can only be answered usefully before the system is built, not after.

The role of the security function

Security leaders are often late arrivals to AI governance conversations, brought in to assess risk after the initiative has already been scoped and funded. This is the wrong sequencing. The security function has a natural role as the honest broker in AI governance — not because AI is primarily a security problem, but because security professionals are trained to reason about failure modes, adversarial conditions, and the gap between intended and actual behaviour.

The most useful contribution a security leader can make to an AI initiative is not a risk assessment of the finished product. It is a set of questions asked early enough to change the design.

A practical starting point

If you are trying to build an AI governance approach that does not arrive too late to matter, the most useful first step is not a framework document. It is a short, mandatory checkpoint in the project lifecycle — a gate that every AI initiative must pass through before moving from discovery to build.

That checkpoint should cover data provenance and access, accountability and escalation paths, human oversight mechanisms, and failure detection. It should be owned by someone with enough standing to stop a project, not just flag a concern. And it should happen before the commercial decision, not after it.

Governance that arrives after commitment is damage limitation. Governance that arrives before commitment is strategy.

Stiliyana Simeonova is the founder of Epsilon Labs, a senior technology advisory practice based in the UK. Epsilon Labs works with scale-ups, media organisations, and NGOs on technology strategy, security leadership, and AI governance.

Get in touch