Insights

Global AI Governance Is Stalling. Your Org Can’t Wait.

The UN AI for Good summit in Geneva drew robot dogs, Tesla demos, and a lineup of Silicon Valley optimists. It also surfaced a question that nobody on the main stage could fully answer: can global AI governance frameworks actually keep pace with the technology they’re supposed to regulate?

AI governance frameworks shown as misaligned regulatory pathways moving at uneven speeds, symbolizing global policy lag

According to Wired’s coverage of the event, the summit wrestled with exactly that tension — live coding sessions and product showcases running alongside urgent, unresolved debates about whether international governance structures can move fast enough to matter. The honest answer, based on everything we’ve seen at the policy level over the past two years, is probably not — at least not on a timeline that helps you right now.

That’s not cynicism. It’s a realistic read of where things stand, and it has direct implications for how mid-market IT teams should be thinking about AI governance inside their own organizations.

Why Waiting on Global AI Governance Is a Losing Strategy

Here’s the dynamic playing out at the international level: technology deployment is moving in months, governance frameworks are moving in years, and the gap between them keeps widening. The EU AI Act is the furthest along of any major regulatory regime, and even it is still in phased implementation with significant provisions not yet in force. US federal frameworks like the NIST AI RMF are voluntary guidance, not enforceable requirements. International coordination at the UN level is further out still.

For a 150-person company with employees using AI tools across sales, marketing, finance, and operations, none of that timeline helps you today. The tools are already deployed. The risk is already present. The question of who owns oversight — and what they’re actually supposed to do — isn’t waiting for Geneva to figure it out.

This is the governance gap that actually matters for most IT managers: not the abstract question of whether nation-states can coordinate on AI policy, but the immediate question of whether you know what AI tools are running inside your organization and what happens when one of them fails or leaks data.

What AI Governance for IT Teams Looks Like in Practice

Global summits tend to focus on frontier AI — large language models, autonomous systems, AI in critical infrastructure. That’s appropriate at the international scale. But the AI governance challenge for most mid-market organizations is considerably more mundane, and more tractable.

The practical version of AI governance for IT teams starts with visibility. Before you can assess risk or enforce policy, you need to know what’s actually in use. Shadow AI — tools adopted by employees without IT review or approval — is the most common gap. It’s not usually malicious; it’s just the natural result of capable, resourceful employees reaching for whatever gets the job done. The governance failure isn’t that they used the tool. It’s that no one logged it, assessed the vendor’s data handling practices, or documented what data the tool touches.

From there, governance is largely a documentation and accountability problem. Which tools are approved, under what conditions, with what data classification restrictions? Who owns the decision to add a new AI vendor? What’s the process when something goes wrong — a model produces seriously wrong output, a vendor announces a data breach, a tool is discontinued without notice?

None of this requires a dedicated compliance team or an enterprise GRC platform. It requires a process, a place to record things, and someone whose job it is to keep the record current.

The “Do This Week” Takeaway on AI Tool Inventory

If you take one thing from the current state of AI governance — globally chaotic, locally manageable — make it this: stand up an AI tool register before the end of the week.

An AI tool register is exactly what it sounds like: a structured list of every AI tool in use across the organization, who approved it, what data it touches, and what the vendor’s data processing terms actually say. It doesn’t have to be sophisticated. A spreadsheet works to start. The point is that you have a single place that captures your AI tool inventory, because you can’t govern what you haven’t named.

Walk each department — sales, marketing, finance, HR, engineering — and ask two questions: what AI tools are you using, and are they officially approved? The answers will likely surface unapproved AI tools you didn’t know about. That’s not a crisis; it’s the whole point of the exercise. Once you know what’s there, you can assess vendor risk, apply appropriate data handling policies, and make informed decisions about what stays and what gets replaced.

The register also gives you a baseline for tracking changes over time, which matters as the regulatory environment catches up. When the EU AI Act’s provisions start applying to your supply chain or your customers’ supply chains, you’ll want to already know which of your AI vendors fall into which risk tiers.

If you want a head start on structuring that register, download the free AI tool register template — it’s built around the same framework we use with mid-market clients and maps directly to the vendor risk fields that matter for AI risk assessment.

The Governance Work That Doesn’t Wait for Summits

The UN summit is a useful signal: even the most well-resourced international institutions are struggling to govern AI at speed. That’s not a reason to wait for them. It’s a reason to get your own house in order while the regulatory window is still relatively open.

The organizations that will be in the best position when enforcement timelines firm up are the ones that started building governance infrastructure now — not because they had a compliance mandate, but because they understood that managing AI tool risk is part of managing operational risk. The tools your employees are using today are making decisions, handling data, and generating outputs that affect your customers and your business. That’s worth tracking, regardless of what happens in Geneva.

Sources