Challenges in Creating an Artificial Intelligence Governance Program

Artificial intelligence has become the driving force behind a new generation of applications, products, and services. This progress brings the need to organize its use through governance practices that ensure the quality of the entire technological lifecycle. Moreover, the emergence of regulations such as the EU AI Act turns what used to be a best practice into a mandatory requirement, raising the bar at both the business and compliance levels.

The first challenge in creating an AI Governance program is to assign clear responsibilities. Large corporations already have dedicated roles such as AI Governance Lead, but in smaller organizations these functions often fall on GRC, Security, Privacy, and Legal teams. What truly matters is that there is a person or team responsible for monitoring and coordinating all requirements, ensuring consistency in implementation.

Another key challenge is balancing innovation with compliance. The speed at which AI solutions are developed creates gaps that can become critical if principles of “AI by Design”, inspired by the GDPR’s privacy by design, are not applied. Innovating without integrating controls from the outset may seem cheaper in the short term, but it results in higher risks and costs later, when the organization tries to adapt to regulations.

The most visible risks of AI arise from the development and training of models. A flawed design can lead to discriminatory biases, opaque decisions, or outputs that fail to respect ethical principles. Added to this are security risks, such as vulnerabilities in training data, and privacy concerns (when personal data is mishandled). Managing these risks requires technical safeguards as well as regular impact assessments.

On the regulatory front, the EU AI Act establishes risk categories and imposes stricter obligations for high-risk systems, such as those related to healthcare, employment, or critical infrastructure. This approach is complemented by other frameworks such as the GDPR, which governs privacy, and international standards like NIST RMF 600-1 and ISO/IEC 42001:2023, which provide reference models for safe and responsible AI management.

Finally, no AI Governance program is complete without a strong organizational culture. AI literacy is essential: all employees, not just technical staff, must understand how AI is used. This collective awareness enables responsible use, risk reduction, and trust and transparency in leveraging AI opportunities.

By Uriel Bekerman, Director of GRC at Enveedo.