Saikalyan Akunuri
March 4, 2026

63% of Organisations Deploying AI Have No Governance. I Spent a Week Finding Out Why.

I spent a week reading Google, Microsoft, and IBM's Responsible AI reports. I got lost. Not because I am not technical. Because these documents are not written for people like me.

I spent this week reading Google, Microsoft, and IBM's Responsible AI reports.

I got lost.

Not because I am not technical. I spent 30 years building and managing software systems. I understand distributed architecture, compliance requirements, and organisational governance.

I got lost because these documents are not written for me. They are not written for the developer shipping AI features next sprint. They are not written for the engineering lead trying to explain AI risk to a non-technical board. They are written by policy teams for policy teams, regulators, and enterprise procurement checklists.

And then I found this number buried in IBM's own research.

63% of organisations deploying AI have no governance initiatives at all.

The documents I could barely get through are the gold standard for the 37% who do have governance. The other 63% are not reading them. They are too busy shipping.

Combined, Google, Microsoft, and IBM employ thousands of people working on AI governance full time. They have red teams, model cards, ISO certifications, transparency reports, and regulatory affairs departments spanning multiple continents.

It is genuinely impressive work.

But it is being built for the 37%. The ones with the resources, the headcount, and the regulatory pressure to invest in governance infrastructure.

The other 63% are the startups. The mid-size companies. The team of 15 engineers who got told last quarter to start shipping AI features. They are deploying the same high-risk AI systems the EU AI Act is designed to regulate. They have none of the infrastructure Google spent a decade building.

There is one more thing worth understanding about those certifications.

ISO 42001 certifies that an organisation has sound governance processes in place. It does not certify that any specific AI product is safe. When Google or Microsoft gets certified, it means their management processes and oversight structures passed an external audit. It says nothing about whether the developer at a startup building on their APIs has any governance in place at all.

Microsoft's own documentation states it plainly. You are responsible for engaging an assessor to evaluate the controls and processes within your own organisation.

The platform is certified. What you build on it is your problem.

The certification stops at the API boundary. Everything beyond that boundary is ungoverned unless you govern it yourself.

Nobody is writing the governance playbook for that 63%.

That is the gap I am trying to fill. One post at a time. In plain language. From the engineering trenches.

Thanks for reading.

I write about the intersection of engineering and ethics. If you found this useful, consider sharing it or reaching out.