4 steps for businesses to establish an AI governance policy

Implementing an AI governance model includes setting out an overall structure, mapping systems and risks, and monitoring them.

Artificial intelligence is rapidly creating opportunities and profound new challenges for businesses.

AI platforms can act with increasing independence, sorting through unstructured data to take action with a degree of autonomy. The technology has put significant new capabilities in the hands of individual employees, allowing them to generate code, analysis, and content at remarkable speed.

But these tools also raise new risks, from potentially “hallucinating” falsehoods to reflecting societal biases to taking costly, unauthorised actions. In a recent survey by the liquidity solutions company Kyriba, more than three-quarters of finance leaders identified privacy and security as major concerns with AI implementations.

Companies are responding to this fast-changing risk equation by implementing AI governance models for monitoring and oversight of their AI systems. These management frameworks can help companies track and monitor their AI technology use and mitigate associated risks.

“I think governance is no longer optional because we have put a tool in every employee’s hands, and it has also become a competitive necessity,” said Mohammad Danish Eqbal, ACMA, CGMA, a senior adviser on strategy, transformation, and AI, and former CEO for financial services company Liberty Life Assurance Uganda.

“We need to understand that these processes and tools are experimental in nature, they are not yet fully mature.”

FM interviewed Eqbal and other leaders in finance and technology about the need for AI governance models, the current options that are available, and how companies can decide on a path forward.

“How do we make sure we’re overseeing the risk of this tool?” asked Ryan Hittner, a New York-based audit and assurance principal for Deloitte. The goal, he said, is “dealing with those risks by way of controls and processes and standards — implementing safeguards and standardisation”.

Governance models are part of how boards can fulfil their “fiduciary duty to oversee AI as a transformative force reshaping business models”, said Clara Durodié, an AI-focused leadership and risk adviser.

“AI introduces latent risks embedded in data, often invisible until they manifest, making proactive frameworks essential for financial services and beyond,” she added.

Durodié described CFOs as “translators” in the AI revolution, helping to implement governance models, modelling risks, and embedding financial discipline in a fast-moving field.

What is AI governance?

The goal of an AI governance model is to give companies a complete picture of how their employees are using the technology, what risks that may bring, and how the company can respond.

Broadly, governance includes:

  • Accountability and structure: Defining who will oversee the company’s approach to AI and explaining their responsibilities.
  • Oversight: Creating a complete depiction of the business’s AI use, including inventories of AI models in use, and assessing the risks of each use.
  • Controls: Mitigating risks with technological solutions, such as shutoff mechanisms that can stop problematic AI behaviour, as well as processes and policies.
  • Monitoring: Implementing human and technological monitoring systems to track the behaviour of AI models at the company.

Above all, a governance model “has to be able to give you insights into what kind of decisions you are making around AI”, Eqbal said. “Whatever gets measured gets improved.” AI governance must connect to existing risk management structures such as enterprise risk management, providing clear escalation paths for AI-related decisions and enabling audit trails sufficient for regulatory examination.

Common AI governance models

Three governance models are most commonly used, sometimes in combination.

The industry passport

ISO/IEC 42001, published in December 2023, specifies the requirements for an AI management system: the policies, roles, risk assessments, and operational controls an organisation uses to govern its AI. Companies can be certified against the standard by an accredited certification body, and that certificate is what they use to show their level of AI maturity. Certification recognises a company’s AI-use policies and strategies, and the company’s technical capacity to monitor and manage its AI systems, so it can signal an organisation’s AI maturity to other businesses and investors.

“ISO/IEC 42001 is a clear certification,” Eqbal said. “It signals you are really serious about AI to your investors.”

Durodié said the certification could be “ideal for supply-chain-heavy industries like finance vendors seeking audit-proof credentials”, though she noted it’s more bureaucratic than other options.

The government regulation

The EU Artificial Intelligence Act, which entered into force in August 2024 and is being phased in through 2027, is the world’s first binding, broad, and government-mandated AI regulation. The act classifies AI uses into four tiers: unacceptable risk (prohibited outright), high risk, limited risk, and minimal risk. Each tier carries different requirements for controls, documentation, and oversight, with the heaviest obligations falling on high-risk systems.

“The EU AI Act has a risk-based approach,” Hittner said.

Violations can come with heavy fines of up to 7% of global revenue, Durodié said, noting: “It forces ‘consequence-aware’ deployment, but it’s rigid for non-EU scaling.”

The flexible framework

In the US, the National Institute of Standards and Technology (NIST) released the AI Risk Management Framework (AI RMF 1.0) in January 2023 and followed it in 2024 with a companion profile for generative AI.

Hittner described it as similar to the ISO standard, offering a holistic and higher-level approach to AI, while Eqbal called it an “operational playbook”. The framework is voluntary and is intended to guide internal decision-making rather than serve as a certification or regulatory mandate.

The RMF describes four functions, which it calls the AI RMF Core: govern, by setting the policies, accountability, and structures for AI risk; map, by establishing the context of each system and identifying its risks; measure, by analysing and tracking the risks identified; and manage, by prioritising risks and allocating resources to act on them.

“Voluntary and US-centric but adaptable worldwide, it maps risks across the AI life cycle from design to deployment,” Durodié said. The NIST approach is favoured by tech firms in California’s Silicon Valley, she added, because it doesn’t have prescriptive rules and favours iterative development.

Summing up these options, she added: “In essence, choose ISO for ‘passport to trade’, NIST for ‘risk agility’, and EU Act for ‘legal survival’ — all amplifying [the] board imperative to quantify AI’s profitability edge.”

Companies also may turn to the broader COSO Enterprise Risk Management Framework to implement and operate AI controls. COSO in 2021 published a white paper on the application of its framework to AI risk, noting: “By identifying signals to correct course early, organisations can increase positive outcomes, reduce negative surprises, and improve resilience to risk.”

The 2021 COSO guidance outlined ways to manage AI risk across the framework’s core components:

  • Governance and culture.
  • Strategy and objective-setting.
  • Performance.
  • Review and revision.
  • Information, communication, and reporting.

Implementing AI governance, step by step

Whichever model a business chooses, AI governance implementation best practice involves four steps.

Establish the AI governance structure

Early in the AI implementation process, companies must decide who will be responsible for strategy, risk assessment, and other governance components.

In some cases, companies may appoint a chief AI officer, or a similar position, to spearhead AI governance.

“The chief AI officer works exceedingly well for certain types of organisations,” Felipe Thomaz, Ph.D., associate professor of marketing at the University of Oxford’s Saïd Business School, said. “You need somebody with equal power to manage the politics in the C-suite.”

The leader of the AI effort should be a “champion of change”, he said, who can promote AI and governance with a degree of independence. The role also comes “with an understanding that AI eventually diffuses through the company and the role ceases to be”, he said.

Companies also must set an overall structure for governance (see the sidebar, “Balancing Freedom and Structure”). The most common approaches include:

  • Centralised decision-making, in which one body authorises and oversees all AI uses, and the company generally uses a limited set of tools. This is the most conservative approach, offering the most control over AI, and often is a starting point.

The centralised approach is often adopted by companies facing high regulatory risk; smaller organisations with fewer than 500 employees; or those facing a single, dominant type of AI-related risk.

  • Decentralised or federated decision-making, granting individuals significant leeway to deploy AI technology. This approach allows for more experimentation and potentially faster innovation.

“Distributed ownership means teams own AI ethics locally, with product leads handling bias checks,” Durodié said. “It’s suited for agile cultures, large or decentralised firms like global banks, or innovation priorities.”

  • A hybrid, “hub-and-spoke” model, in which a central office sets standards and values at a high level, while individual business units propose and manage uses of AI, with a goal of allowing adaptable but supervised AI uses.

“The hub is where the standards and policies are vested, while the spokes are enabling your business and your use cases,” Eqbal said. “That will lead to democratisation of AI and its execution.”

“Start centralised to build the constitution of your AI usage — the non-negotiable guardrails. Then move to hub-and-spoke once foundations are established, allowing business units to own execution while [the] central hub maintains governance standards,” Eqbal advised.

No matter which structure a company chooses, Hittner suggested that governance efforts should involve a multidisciplinary group, representing legal, IT, finance, and others.

“It’s powerful to have a lot of those leaders from the whole organisation sitting in a room talking about both the strategy and risks around AI and the governance around AI,” Hittner said.

Eqbal said that in his previous organisation, the strongest results in AI came when technical experts engaged with business teams from the beginning. “We have to build across a system of reviews to make sure that we are learning and increasing the effectiveness and efficiency of these models,” he said. “Over a period of time, you’ll see that this becomes a part of the organisational culture.”

Map systems and risks

All governance models share a focus, Thomaz said, on mapping an organisation’s AI technology deployment.

“Have you mapped your systems?” he asked. “Do you have an inventory of what’s happening?”

That inventory should show which specific AI models are in use, by whom, for what purpose, and where they run, including models embedded in vendor software and tools employees have adopted on their own. Governance also means identifying and categorising the risks each of those uses presents.

“A key part of governance is understanding the risk for a certain tool, technology, or a specific application of it,” Hittner said. “Using it for generating meeting minutes is a certain risk score. Handling financial transactions, we start to go up a bit.”

A key question in risk assessment is how directly the AI system feeds into important decisions, Tin Lau, FCMA, CGMA, chief risk and compliance officer at Mirae Asset Securities, said. “The closer and more influential a model is to a key decision, the more you should understand and the more scrutiny the model should come under,” he said.

Thomaz added that risks may be sorted based on the degree of agency the AI has, its potential to drift from its assigned mission and task, the variability of its output, and the complexity of its operations and oversight.

Respond to and monitor risks

AI risk management controls range from process design to implementing technological solutions.

One common goal is to keep a “human in the loop”: ensuring a person is checking and redirecting the AI model’s work at a frequency matched to the stakes of the decisions it influences.

Thomaz gave the example of an AI model contributing to human resources decisions. What would happen, he asked, if an AI agent decided that terminating employees was the most efficient way to achieve the company’s goals?

“A human would understand what trade-offs we would accept,” he said.

Other policy controls include:

  • Lists of authorised AI models that employees may use.
  • Requirements for AI technology vendors.
  • Protocols for testing models for fairness and bias.
  • Deployment of “red teams” to test the AI’s security, probing for prompt injection, data leakage, and other misuse both before launch and after deployment.

Lau highlighted controls around data provenance and management as particularly important.

“It starts with the quality of the ingredients, it starts with the quality of data,” he said. “You have to understand the data, you have to understand where the data comes from.”

Controls and monitoring in the AI realm also rely heavily on technology and automation. Shutoff mechanisms can intervene, for example, if an agent is spending money too fast or crossing another threshold, Thomaz said. “Guardrail” programs also can check that AI-generated content is appropriate, accurate, and compliant, according to McKinsey & Co. Practitioners should treat such guardrails as one layer among several: content filters can be bypassed, so they complement, rather than replace, hard limits on what an agent is authorised to do and a record of what it actually did.
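Two of the controls described above, an allowlist of authorised models and a shutoff mechanism that halts an agent whose spend crosses a threshold, can be made concrete in a small policy-enforcement wrapper. The example below is added here for illustration and is not code from the article, from any interviewee, or from any product named on the page; the model names, thresholds, and the stream of agent actions are constructed, and the per-action approval threshold standing in for a “human in the loop” step is an assumption of the example. It also produces the audit trail the article says regulators will expect.

```python
"""Added example: policy enforcement around an AI agent's actions.

Demonstrates three controls from the text: an allowlist of approved models,
a per-action threshold above which a human must approve, and a sliding-window
spend limit that acts as a shutoff mechanism. Every decision is recorded in an
audit trail. All names, limits and sample actions are constructed for this
example and are not taken from any real product or the article itself."""
from collections import deque
from dataclasses import dataclass, field

# Constructed allowlist of models employees and agents may call.
APPROVED_MODELS = {"vendor-a/model-1", "vendor-b/model-2"}


class AgentHalted(Exception):
    """Raised when the shutoff mechanism fires; the agent must not continue."""


@dataclass
class SpendGuard:
    """Sliding-window spend limit.

    If the amounts recorded within the last `window_seconds` sum to more than
    `limit`, the guard trips and rejects every later action until a human
    resets it (there is deliberately no automatic reset)."""
    limit: float
    window_seconds: float
    _events: deque = field(default_factory=deque)  # (timestamp, amount)
    tripped: bool = False

    def check(self, ts: float, amount: float) -> None:
        if self.tripped:
            raise AgentHalted("shutoff already triggered")
        # Evict spend that has aged out of the window.
        while self._events and ts - self._events[0][0] >= self.window_seconds:
            self._events.popleft()
        self._events.append((ts, amount))
        total = sum(a for _, a in self._events)
        if total > self.limit:
            self.tripped = True
            raise AgentHalted(
                f"spend {total:.2f} in {self.window_seconds:.0f}s exceeds {self.limit:.2f}"
            )


def enforce(actions, guard, approval_threshold, approved=APPROVED_MODELS):
    """Run each action through the controls and return an audit trail of
    (action_id, decision, reason). Each action is a dict with keys
    id, ts, model and amount. Actions needing approval are not counted
    against the spend window until a human approves them (not modelled)."""
    trail = []
    for act in actions:
        if guard.tripped:
            trail.append((act["id"], "blocked", "agent halted"))
            continue
        if act["model"] not in approved:
            trail.append((act["id"], "denied", f"model {act['model']} not on allowlist"))
            continue
        if act["amount"] > approval_threshold:
            trail.append((act["id"], "needs_approval", f"amount {act['amount']:.2f} above threshold"))
            continue
        try:
            guard.check(act["ts"], act["amount"])
        except AgentHalted as exc:
            trail.append((act["id"], "halted", str(exc)))
            continue
        trail.append((act["id"], "allowed", ""))
    return trail


# Constructed stream: an agent paying invoices over one minute. Action 2 uses
# an unapproved "shadow" tool; action 3 is large enough to need a human;
# action 5 pushes the one-minute total past the 1000 limit.
SAMPLE_ACTIONS = [
    {"id": 1, "ts": 0.0,  "model": "vendor-a/model-1", "amount": 400.0},
    {"id": 2, "ts": 10.0, "model": "shadow-tool/beta",  "amount": 50.0},
    {"id": 3, "ts": 20.0, "model": "vendor-a/model-1", "amount": 600.0},
    {"id": 4, "ts": 30.0, "model": "vendor-b/model-2", "amount": 300.0},
    {"id": 5, "ts": 40.0, "model": "vendor-a/model-1", "amount": 350.0},
    {"id": 6, "ts": 50.0, "model": "vendor-a/model-1", "amount": 10.0},
]


def run_sample():
    """Apply a 1000-per-minute spend limit and a 500 approval threshold."""
    guard = SpendGuard(limit=1000.0, window_seconds=60.0)
    return enforce(SAMPLE_ACTIONS, guard, approval_threshold=500.0)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Running the sample yields one row per action: the first and fourth are allowed, the second is denied because its model is not on the allowlist, the third is parked for human approval, the fifth trips the spend guard and halts the agent, and the sixth is blocked because the agent is already halted. The guard has no automatic reset on purpose: the article’s point is that a person decides when a halted agent resumes.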

‘Budget’ for complexity

As companies aim to balance structure and flexibility, Thomaz suggested that they consider their “complexity budget”.

“You have a total amount of complexity that you can manage and handle, and you should be exceedingly careful not to overspend,” he said.

For example, consider a company that wants to use large numbers of AI agents to make impactful decisions, such as allocating money. The system will move at a speed, scale, and complexity that can’t be overseen in real time by humans.

The company will need to deploy stop mechanisms and other technological layers to track and manage the system, requiring more resources and more expertise.

“There’s a dangerous game around this rising complexity of AI operations and then trying to use yet more complex AI systems as the management layer,” Thomaz said. A governance model, with its focus on tracking uses and measuring risks, can help to keep complexity in check.

Eqbal suggested another way to see governance models. They also can validate companies’ heavy financial investments in new technology. “I do not regard AI governance as just a technical checklist,” he said. “AI governance is a kind of capital allocation assurance.”

CFOs in particular, he said, face three age-old questions: First, value realisation: Is the company driving profit-and-loss impact with its AI investment? Second, risk exposure: What risks is it raising? And third, accountability: Who is accountable for those risks?

“AI implementation failures are leadership โ€” not technical,” he said.

Durodié has similarly described CFOs as playing a crucial role with AI implementation: “They don’t code models,” she said, “but ensure every byte pays dividends.”


Balancing freedom and structure

A core question in governance is how tightly companies should manage AI use.

They hope to capitalise on the disruption and change that comes with a fast-moving technology while guarding against its unpredictable side effects.

“Too strict a control stops innovation. Too lax a control leads to negative outcomes,” said Felipe Thomaz, Ph.D., associate professor of marketing at the University of Oxford’s Saïd Business School. “I need to have boundaries, but too many boundaries and I don’t compete.”

Thomaz has developed a specialty in AI and has worked closely with organisations as they implement it.

Some management teams “have very precise, cautious approaches in how they go about the deployment of that technology with their operations”.

He gave the example of an oil-and-gas company where he recently spent time. Working in an industry with little margin for error, Thomaz said, the organisation allows AI experimentation only within constrained areas. The experimentation and constraint are “well done and consistent with company strategy and requirements [plus] controls. It’s not ‘slow’ — it’s appropriate and likely correct,” he said.

But in other organisations, “they’re just doing full-on, insane experimentation, no constraints, everything goes. You just kind of hold your head and wonder what’s going to happen,” he said.

Tin Lau, FCMA, CGMA, has aimed for a middle ground. Lau is the chief risk and compliance officer at Mirae Asset Securities. The firm is piloting AI for trading purposes, including monitoring and interpreting public sources of information, such as legislation and regulations.

Mirae hasn’t embraced a formal framework of AI governance but has focused on maintaining information security and providing guidance to employees.

“You can try and gateway the access, but it’s running a defensive strategy rather than an offensive one. Encourage people to use it in the right way and give them the knowledge and the understanding,” Lau said.

Clara Durodié, an AI-focused leadership and risk adviser, said that companies may rely on existing governance models, such as for general IT governance, while they’re in the early stages of AI adoption, but she urged companies to adopt more formal and AI-specific options as soon as they start building pilots and when ready to go live.

“Don’t wait for a ‘black swan’ event, like a biased loan algorithm fine,” she said.


Andrew Kenney is a freelance writer based in the US. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.
