Tag: AI Owner

  • You’ve Been Made Responsible for AI. Now What?

    You’ve Been Made Responsible for AI. Now What?

    At some point, in a meeting or an email, it landed on you:

    “Can you own the AI side of things?”

    Or maybe you volunteered.

    In any case, nobody has really defined the role. But now you’re the person accountable for AI in a business – and you may not be sure what that means, or what you’ve signed up for.

    This is a guide to what being accountable for AI actually involves, what you’re on the hook for, and what you’re not.

    First: you weren’t given a technical job

    The instinct is to think you now need to understand AI. You don’t.

    Being accountable for AI isn’t about knowing how the models work, any more than being responsible for the company car means you can rebuild the engine.

    It’s about knowing what’s being used, by whom, for what – and making sure someone can answer for it.

    It’s a governance job, not an engineering one.

    It rewards the things you already do: asking questions, keeping track, noticing when something doesn’t add up.

    You were probably handed this precisely because you’re the sort of person who does those things.

    What you’re actually accountable for

    Accountability sounds vast and vague. In practice it’s four concrete things.

    • Knowing what AI is in use – Not every technical detail – just what tools are being used for work, and roughly what they’re used for. You can’t answer for what you can’t see.
    • Knowing what AI touches – Which tools handle sensitive things – customer data, financials, decisions about people. That’s where the highest risk concentrates, and it’s what you’d be asked about first.
    • Making sure each use has an owner – Not you, personally, for all of them. Each AI use needs someone close to it who can answer for it. Your job is that the map exists, not that your name is on every line.
    • Being able to show it – If a client, an auditor, or your boss asks “how do we know our AI use is under control?” – you can point to something real.

    Notice what’s not on the list: you don’t have to prevent every mistake, understand every algorithm, or personally police every tool.

    What you’re not on the hook for

    If the role was handed to you as “you’re now to blame when AI goes wrong,” then that’s not accountability, that’s a set-up, and it’s worth having a firm discussing with anyone who implies you are responsible for an AI mishaps.

    In a functional work environment:

    • You’re not personally liable for every AI mistake – Accountability for governance means making sure the system is sound – not taking the fall when someone, despite reasonable care, gets something wrong. A tool giving a bad answer isn’t your personal failure if you built a sensible process around it.
    • You’re not expected to be the expert – “I don’t know, but I know who does, and I’ll find out” is a complete and correct answer. Accountability is about the process being sound, not about you personally knowing everything.
    • You’re not doing it alone – The job isn’t to do all the governance yourself. It’s to make sure it’s happening – that uses have owners, that risks are seen, that there’s a record.

    You need authority, not just responsibility

    Everything above only holds if you can actually do the job.

    Responsibility without authority isn’t accountability, and if that is the situation you find yourself in, then you’re being set up to fail.

    If you’ve been made accountable for AI, you need four things. If you don’t have them, ask for them.

    • The power to say no – You can veto an AI use that isn’t safe or appropriate, without having to win an argument with whoever wants it. A decision that can be overruled by whoever is loudest isn’t a decision.
    • The right to conduct reviews – You can see how tools are actually being used, and what data is going into them. You can’t be accountable for what you’re not allowed to inspect.
    • A budget line – You can require the paid, secure tier rather than the free one that trains on your client data. If the answer is “we can’t afford it,” then the correct answer is “then we can’t do this project.”
    • A direct line up. When you flag a risk, you go straight to whoever can act on it – and they should back you until it’s properly reviewed.

    If you have those four, you can do the job, and you are genuinely not carrying personal liability for a good-faith mistake.

    If you don’t have all four, then it’s worth having a direct conversation with whoever handed you the role – before something goes wrong, not after.

    So where do you start?

    With visibility.

    You can’t be accountable for what you can’t see, so the first real move is simply finding out what AI is actually being used in your business.

    Ask your team, plainly and without threat – most AI use is invisible not because it’s hidden, but because nobody ever asked.

    From there it’s steady, process-based work:

    • Give each use an owner
    • Note what touches sensitive data
    • Keep a simple record.

    Every governance framework and obligation you’ll ever face is built on that same foundation.

    Start there and you’re ahead of most.

    So why would you want this job?

    If you’ve read up to this point and you’re wondering why you would want this role in the first place, here are some of the payoffs when you get handed the AI file:

    You become the person who unlocks AI, not the one who blocks it.

    Without an owner, businesses default to one of two bad options: reckless use, or a blanket ban. Both cost you.

    The first is a data breach waiting to happen. The second means watching competitors get faster while your team quietly uses AI on their phones anyway.

    With an owner, there’s a third option. People can actually use these tools – safely, openly, with permission. Your colleagues will feel the difference. It’s the difference between being the person everyone works around and the person everyone comes to.

    You end up with a map of the business that almost nobody else has.

    To do this job properly, you have to find out what every team actually does, what data matters, and where the risks concentrate. Very few people in any organisation have that picture.

    This is why good operations and compliance people become indispensable – they’re  the only ones who can see the whole board. You become the go-to person in your organisation for AI.

    You’re early in something that’s about to matter a great deal.

    AI governance is being invented right now. In a few years there will be an established playbook, a standard qualification, and a routine way of doing it.

    Today there isn’t. Which means the people doing it now are the ones who will be consulted, trusted, and promoted into it later. It’s rare to be handed a role that is quietly about to become more important than it currently looks.

    Whoever owns AI decides whether governance becomes a bureaucracy that everyone works around, or a system that genuinely helps people do better work.

    It’s impactful work and it matters right now

    Most work is invisible. Nothing went wrong, so nobody noticed. This is different. You’ll have a register, a set of decisions, a record. Something concrete you can show a client, an auditor, a board, or a future employer.

    Take this on now and you help write the rules. Take it on in five years and you’ll be enforcing someone else’s.

    The opportunity is real

    From some chatter I’ve heard, not everyone who has been put in charge of AI necessarily wanted the responsibility or the extra work.

    But think of it like this: of all the things that could have landed on your desk, this one comes with a rare combination of benefits.

    • It’s genuinely useful
    • It’s genuinely early
    • And almost nobody knows about it yet.

    That’s an opportunity.

    Make the most of it.

     

  • How should you deal with Shadow AI?

    How should you deal with Shadow AI?

    Shadow AI: it’s more than ChatGPT

    Shadow AI is broadly defined as employees using AI tools or features without management knowledge, oversight, or approval.

    Asking ChatGPT questions in a browser tab is an obvious example, but there are lots of ways Shadow AI use is probably already occurring in your business.

    Level 1 – the obvious. Staff using ChatGPT, Claude, or Gemini through personal accounts. Emails, summaries, spreadsheets.

    Level 2 – the switched-on. AI features inside tools you already pay for. The summarise button in your inbox. The notetaker in your calls. The “ask AI” box that appeared in your CRM after an update.

    Level 3 – the invisible. AI built into software that never announced it. Your data passes through it in the background – nothing to switch on or off, no magic wand icon. You may not even realise you’re using AI.

    Your best people are likely reaching for these tools to do good work under pressure. It’s about efficiency, the desire to beat KPIs, or win back free time.

    If one person on the team starts using AI to increase their productivity, pretty soon everybody else feels like they have to too.

    In this way shadow AI is not so much a discipline problem.

    It’s a governance problem.

    Put simply, AI governance is the framework of rules, practices, and ethical guidelines used to ensure an AI tool or system is developed and deployed responsibly. It acts as guardrails – often known in compliance terminology as controls – that help to manage risks.

    By establishing clear accountability and oversight throughout the AI’s lifecycle, governance ensures the technology operates transparently, safely, and in alignment with human and company values.

    So what are the risks of Shadow AI?

    Unapproved and ungoverned AI use can expose your business to a range of potential issues, including:

    Data leakage and privacy exposure.
    Employees often paste sensitive company info – customer details, financial statements, source code, or internal contracts – into public AI tools.

    Compliance and legal violations. Using unvetted AI tools without signed Data Processing Agreements (DPAs) can put businesses in breach of data privacy regulations, exposing them to fines, penalties, and reputational damage.

    Errors and “hallucinations”. AI tools can produce fabricated or factually incorrect information. Without careful review, these errors can damage client trust.

    Intellectual property loss. Proprietary designs, business strategies, or unique formulas submitted to free external AI platforms can lose their confidential status.

    Cybersecurity and insurance risks. Browser extensions and unvetted AI plugins can expose your network to malware or unauthorised integrations. Many cyber insurance providers now require strict AI policies and oversight, the absence of which can lead to denied claims in the event of an incident.

    Why it’s happening now

    If creating a detailed spreadsheet takes weeks, and Claude can do it in ten seconds, which option would you choose?

    Smart people will do what smart people always do – find efficient ways to increase their output.

    So it makes sense that people are using AI. Menlo Security’s 2025 research found a 68% surge in shadow generative AI use across enterprise between 2024 and 2025.

    The problem is that most businesses have no rules for AI at all – no guidance on what’s acceptable or who to ask – and workers are often unaware of the risks associated with pasting company information into AI tools.

    During my research I’ve noticed some smaller companies tend to have an attitude of “we don’t need governance, that only applies to big companies”.

    But smaller businesses are often more exposed to these risks, not less.

    Big companies have IT teams and always-on telemetry tools specifically designed to notice unauthorised AI use. A 15-person medical practice doesn’t have these tools – and even the most sophisticated tools won’t catch somebody entering client details into ChatGPT on their personal phone.

    The fix isn’t a crackdown. It’s a culture.

    AI arrived so fast companies haven’t had time to implement policies, or even fully identify the risks. Microsoft’s Work Trend Index found the majority of knowledge workers are already using it – and most are bringing their own tools to work.

    So how can you build a culture of openness, awareness, and accountability around responsible AI use?

    Give each AI use case an owner

    Not to have someone to blame – the opposite.

    Blame is what you reach for after something breaks and nobody was watching. Accountability is what stops it breaking in the first place.

    An owner is a guardian, not a fall guy: one named person who keeps an eye on one AI use case. They are the person who has the responsibility to manage an AI use case, and – this is key – the authority and backing of the company to control how it is used.

    1. Define the AI use case

    The responsibility: clearly state exactly what the tool is used for. “Reception uses ChatGPT to draft replies to customer enquiries.”

    The authority: the owner requires the formal power to veto unapproved use cases. If an employee tries to use ChatGPT to draft a legal contract, the owner has the authority to stop them immediately.

    2. Know what data goes in

    The responsibility: maintain total visibility over what information is entered into the AI, ensuring sensitive client, financial, or health data is strictly protected.

    The authority: the owner has the authority to inspect how the team uses the tool, and to require management to fund secure, paid business tiers so data is not leaked to public models.

    3. Answer “who decided this?”

    The responsibility: be the named person who stands behind the tool when a client, auditor, or the business owner asks questions. Keeping an immutable paper trail of all key decisions regarding what is and isn’t permitted.

    The authority: the owner must be backed by senior management as the sole decision-maker for that tool. Because management officially gave them the green light, the owner cannot be scapegoated if an unpreventable technical glitch occurs.

    4. Flag changes

    The responsibility: monitor the tool’s usage and issue an immediate pause-and-review order if scope-creep occurs, or if the AI tool begins touching more sensitive data.

    The authority: the owner must have a direct line to executive management. When they flag a risk or a change in usage, the business owner needs to have their back until a formal review is conducted.

    Choosing the right owner – and making sure they can actually do the job without being overruled – is its own question. We’ve written about that separately: [link to ownership post].

    Shadow AI detection tools versus just asking

    There is a class of software tools that detect shadow AI by monitoring your team’s computer usage to various degrees of sophistication and detail – from simply identifying that your team is using an AI tool – for instance we can see they connected with ChatGPT’s internet address, but we don’t know what they’re entering – to invasive systems that log every single keystroke on your team’s devices.

    These tools have a place, but they also have limits.

    Even if you spent thousands of dollars on enterprise-grade network monitoring and laptop tracking, it becomes irrelevant the moment an employee pulls out their personal mobile phone.

    If a staff member is working from home and they turn on their personal laptop on their personal 5G data plan, your corporate IT department is completely blind.

    Worse, when you rely heavily on technical surveillance and spy software, you implicitly signal to your staff: “We don’t trust you, we are watching you.”

    That destroys morale and creates a culture of distrust. It challenges people to find clever workarounds.

    Cultivating a culture of open communication creates a far safer business.

    When employees feel safe to say, “Hey, I tried using this AI tool today to help me summarise this long client PDF, is that okay?” – you can actually identify and manage the risk.

    For most businesses, asking beats detecting.

    Don’t ban AI – manage it

    Shadow AI isn’t proof your team is reckless. It’s proof they’re working better, faster than the business caught up.

    Treat it as a crime and it goes underground.

    Treat it as a signal and it shows you where your useful tools – and your real risks – sit.

    The should never be to ban AI. That wouldn’t work anyway – the floodgates are open.

    It’s to move from “I think we’re probably okay” to “I can show we’re okay, and here’s why.”

    Visible, owned, on the record.

    Further reading