Here’s a question I like to ask people who tell me governance isn’t needed yet. Why does your credit card have that little metal chip in it?
Most people have never stopped to wonder. The chip showed up on American cards because of one very bad holiday season at one very large retailer. So let me tell you that story, because I think it explains most of what you need to know about where AI Governance is headed.
In late 2013, right in the middle of the Christmas rush, attackers slipped point-of-sale malware onto Target’s network and walked off with around 40 million payment card numbers. (Forty million. Days before the holidays. You can picture the headlines.) Once you add up the settlements and the security overhaul, the cleanup ran into the hundreds of millions, and profit took a real beating.
The money hurt. However, the part that made boardrooms sit up straight was the firings. Both the CEO, Gregg Steinhafel, and the CIO, Beth Jacob, lost their jobs over the fallout in the months that followed. This was one of the first times a breach cost the people at the very top their jobs, and all of the sudden cybersecurity was a conversation in the board room.
When your job, and hundreds of millions of dollars, is at risk, your attention gets much more focused.
Because of what it did to the conversation. Before Target, cybersecurity at most companies got treated like a smoke detector nobody really wanted to pay for. It was an IT line item, got funded grudgingly, was not a board or even executive level discussion topic, and nobody at that level ever lost a job over it.
After Target, cyber risk became a board problem, a career problem, and a brand problem all at once. The industry followed, and we got standards, audits, and breach-disclosure rules, the whole enchilada. Oh, and that little chip on your credit card.
Not even close. The technical world got its scare way back in 1988, when the Morris Worm spread across the early internet, knocked thousands of machines offline, and forced universities to literally unplug. That was a genuine moment.
However, it was a moment for engineers and researchers, not for CEOs. For the average business, security stayed a Nice-to-Have for another twenty-five years. In other words, the alarm went off in 1988, and most of corporate America hit snooze until 2013. That was the cybersecurity inflection point.
Because I think AI governance is sitting almost exactly where cybersecurity sat before Target, and I’d rather you see it coming than get the 2013 treatment. It might not be your company that is the AI Governance inflection point, but it might be.
We sell this stuff. Salient is an IBM Gold partner and we sell and implement watsonx.governance for a living, so of course I have a bias here, and you should keep the sales hat in mind as you read.
That said, the pattern was true long before I had a horse in the race, and the numbers I’m about to throw at you aren’t mine. They come from a stack of recent surveys, and they tell a pretty consistent story.
The argument over whether to adopt AI is basically over. Gallagher found that 63% of organizations have fully operationalized AI, up from 45% just a year earlier, and the large majority think it’s helping the business. So, the technology is in the building.
Governance, however, is still out in the parking lot. Grant Thornton surveyed close to a thousand leaders and found that 78% aren’t fully confident they could pass an independent AI governance audit in 90 days. AICPA and CIMA put adequate regulatory preparedness at roughly a quarter of organizations.
Deloitte found that about a third of companies don’t have AI on the board agenda at all, and that two-thirds of boards admit limited-to-no knowledge of the very technology they’re betting the company on.
The agentic wave makes the math worse, because something like three-quarters of companies plan to deploy AI agents within two years while only about one in five has a mature way to govern them.
My take is that we’re at the “post-Morris, pre-Target” stage. The alarm has gone off and everybody in the room can hear it. (The Chief AI Officer title jumped from 26% to 76% of organizations in a single year, so it’s not as if leadership is asleep at the wheel.)
However, the thing that flipped cybersecurity from aspiration to mandate, that one public catastrophe with somebody’s name on the pink slip, hasn’t hit AI yet. We’re still in the snooze window.
The question worth thinking about is whether your company would rather build its governance before its Target Moment or after it. And, more importantly, could you afford to have a Target like incident with AI?
With cyber, the pain came first and the rules came second. First came the breach, then came regulation. With AI, the order is potentially flipped on its head. The rules are here already, but we haven’t had the catastrophe yet.
The EU AI Act begins enforcing most of its provisions in August of 2026, with the heavier high-risk obligations now pushed out to late 2027 under the recent Digital Omnibus revisions. Meanwhile, by one count, 78% of enterprises say they aren’t ready for those obligations.
In other words, this time the forcing function might just be a date on the calendar rather than a famous disaster. (Does a regulatory deadline scare an executive the way a fired peer does? Fair question, and I honestly don’t know. But a deadline has one nice property a disaster doesn’t. You can see it coming.)
Nobody buys one for the compliment on how well it blends in with your decor. You buy it so the worst night of your life comes out merely bad instead of catastrophic. AI governance is that kind of purchase.
It’s deeply unglamorous right up until the moment it’s the only thing standing between you and the headline.
So, if you’re running AI in production and you’d rather install the detector before the fire, here are a few questions you may want to get straight first. (These are just the ones on my mind lately. There are plenty more, and your shop will have its own wrinkles.)
What watsonx.governance does, in plain terms, is hand you those three things and then some.
It builds one inventory of your AI assets and sniffs out the shadow ones. It maps your models and agents against a large regulatory library (the EU AI Act among them) and gathers the audit evidence as you go, so “prove it” stops being a fire drill every time someone asks.
And it carries governance into the agentic world, with onboarding, evaluation, and live monitoring for agents, not just models.
IBM landed in the Leaders quadrant of the Gartner Magic Quadrant for AI Governance Platforms this year, for whatever weight you put on analyst rankings, and it’s one of the few options that covers lifecycle governance, risk, and compliance under one roof instead of making you bolt three products together.
That’s the pitch. I’ll leave it there.
Oh wait, I lied. There is also watson Orhcestrate which introduces an operational control plane for your live agents, but I’ll save that for a blog with a different focus.
The companies that treated security as a Must-Have before 2013 spent the panic year fairly calmly. The ones that treated it as a Nice-to-Have spent that year explaining themselves to a congressional committee.
AI is handing every one of us the same fork in the road, except this time somebody was kind enough to print the deadline on the invitation.
So what do you have running in production right now with no smoke detector anywhere near it?
That’s the question I’d be asking around the office this week.
In a future post I want to get into what a phased governance rollout actually looks like for a mid-sized shop (we’ve been doing a fair amount of this lately, and there’s a real playbook to it), so look for that one down the road. If you’d like to talk it through before then, well, you know where to find us.