Stop Putting AI Governance Under IT. Here’s Where It Actually Belongs.
Why the most important new function in your enterprise keeps getting filed in the wrong drawer.
There is a job title spreading through org charts faster than almost any role in a decade. Chief AI Officer. AI Governance Lead. Head of Responsible AI. The hiring wave is real, and it is accelerating into August, when the high-risk obligations of the EU AI Act become applicable and every board suddenly wants a name in the box marked ‘who owns this.’ The instinct is healthy. The placement, almost everywhere, is wrong.
In most enterprises the answer to ‘where does AI governance sit’ has already been decided by reflex rather than by design. It sits under IT. It reports to the CIO. It lives one desk away from the team shipping the models. That feels efficient. It is the single most common structural mistake I see, and it quietly guarantees that the function will fail at the one thing it exists to do.
The Reflex That Feels Right and Ages Badly
The logic is seductive. AI is technology. IT runs technology. Therefore AI governance belongs to IT. Each step sounds obvious, and the whole chain is wrong, because it confuses the subject of governance with the authority to govern it. AI is not primarily a technology problem any more than aviation safety is primarily an engineering problem. It is a decision problem with technical content — and the decisions it governs reach into hiring, credit, pricing, clinical advice, fraud, and the company’s public reputation, none of which IT owns.
I have watched the same pattern play out at organisation after organisation. Enterprise architecture (EA) learned this lesson a decade ago: a function buried inside the very thing it is meant to hold accountable cannot hold it accountable. We argued then that EA should not report into IT delivery. The argument for AI governance is the same argument, only sharper, because the stakes are no longer internal efficiency — they are regulatory exposure and public trust.
Three Reasons IT Is the Wrong Home
First, the conflict of interest is structural, not personal. When governance reports to the function that is measured on shipping AI, every ‘no’ becomes a negotiation against the deadline that pays the same boss’s bonus. Good people lose that negotiation quietly, week after week, until the controls exist on paper and nowhere else.
Second, the mandate is too narrow. The harms that AI governance must prevent originate in the business lines — a biased screening model in HR, an opaque pricing engine in commercial, a hallucinating advisory bot in the contact centre. An IT-owned function has no standing to walk into those rooms and stop the work. It governs the plumbing while the flooding happens upstairs.
Third, the board cannot see through it. Under the AI Act, DORA, and the incoming accountability expectations, the board is the backstop. If governance is a sub-team three layers down in IT, the signal that reaches the board has been filtered through the very people whose delivery it constrains. By the time a real problem is visible at board level, it is already an incident, not a finding.
The Chief AI Officer Trap
The fashionable correction is to hire a Chief AI Officer and declare the problem solved. Sometimes that is right. Often it is theatre. A CAIO with a title but no decision rights, no independent reporting line, and no reach beyond the AI lab is just the IT-ownership problem wearing a more expensive suit. The consensus emerging across 2026 is quietly damning: structure is not capability. A committee can meet monthly and govern nothing. A C-level title can sit on the org chart and stop nothing.
The question that matters is not ‘do we have a person’ or ‘do we have a committee.’ It is whether whoever owns AI governance has the authority to say no, the independence to mean it, the visibility to be heard by the board, and the reach to cover every place AI actually touches the business. Those are not job titles. They are tests. So let me give you the tests.
AGP-R — The AI Governance Placement Rubric
Wherever you are tempted to put AI governance — under the CIO, the CRO, a new CAIO, a cross-functional council, the General Counsel — score that candidate home on four tests, each from 1 to 5, for a maximum of 20. The rubric does not tell you which box to tick. It tells you whether the box you are about to tick can actually hold the weight.
Test 1 — Decision-Rights Authority. Can this home say no to a launch and make the no stick, without escalating to someone who outranks it on the same delivery chain? If the only way to halt a risky model is to ask the person shipping it, the authority is fictional. Score how real the ‘no’ is.
Test 2 — Independence from Delivery Pressure. Is the function structurally separate from the team whose AI it governs, with a budget and a performance review that do not depend on shipping velocity? Governance that shares a P&L with delivery will always, eventually, be governed by the P&L.
Test 3 — Board Line-of-Sight. Does this home report to the board — or to a board committee — without its findings being filtered through the function it oversees? The board is the legal backstop. If it only learns of AI risk after IT has decided what is worth mentioning, the backstop is already gone.
Test 4 — Operating-Model Reach. Does the mandate span every function deploying AI — HR, finance, commercial, clinical, operations — or only the technology estate? AI risk is created in the business lines. A home that cannot enter those rooms governs the smallest part of the problem.
Reading the Score
A candidate home scoring 18 to 20 across the four tests can carry AI governance. Between 13 and 17, it can carry it only with explicit reinforcement — a direct board line added, a delivery-independent budget ring-fenced. Below 13, you are not placing a function; you are creating an alibi. And note what the rubric exposes: ‘under IT, reporting to the CIO’ almost always fails Test 1, Test 2, and Test 3 simultaneously. Its one genuine strength, proximity to the technology, is the one property the rubric deliberately does not score, because it is the property that matters least.
The homes that tend to score highest are the uncomfortable ones: AI governance chaired by Risk or the General Counsel with a direct board committee line, a delivery-independent budget, and an explicit mandate over every business function — with IT as a crucial partner, not the owner. Uncomfortable, because it takes a growing, visible capability out of the CIO’s empire. Correct, for exactly the same reason.
The Real Question for the Boardroom
Placing a function is an act of enterprise architecture, not an act of HR. It is a decision about authority, independence, visibility, and reach — the same four properties that decide whether any control plane in the organisation works or merely exists. Get the placement wrong and no amount of policy, tooling, or talent will rescue it; the structure will defeat the people every time. Get it right and even a small team becomes the thing that keeps the board out of the headlines.
So before you finalise the org chart for August, ask the question the rubric forces: not ‘who is our AI person,’ but ‘does the place we are about to put them have the authority to do the job.’ If you are not sure, score it on the four axes before the first incident scores it for you. That placement call — made objectively, by someone with no stake in which empire wins — is exactly the kind of structural decision a fractional enterprise architect is brought in to make. The org chart you draw this summer will decide whether AI governance is a capability or a costume long after the title is filled.
Hawk Nest Newsletter is written by Paulo Falcao. For twenty-five years he has helped organisations turn complex technology challenges into measurable business outcomes, across payments systems, enterprise architecture, AI and technology: the intersection of strategy and architecture, converted into reliable, revenue-generating reality. AGP-R joins the IP portfolio next to SIRM, AVAEM, SHAD, ACAM, SAVED, GAIA-D, AGCR-D, AASI, SSV, ATOM, PVC, PACT-D, and RCS-D.
- AI governance
- AI
- payments
- enterprise architecture
Originally shared in the Hawk Nest LinkedIn newsletter.