Who Owns AI Governance? How Tech, Legal/Compliance, and IT Can Share Responsibility

Dennis Benneballe Arnold-GradeDennis Benneballe Arnold-Grade
Written by
Dennis Benneballe Arnold-Grade
and
-
July 3, 2026

Loved this article? Share it with your network:

Picture this: It’s August 2, 2026, and the AI Act's transparency requirements have taken effect.

Legal is sitting in a meeting with Tech and IT to plan the implementation of controls to ensure labelling of AI content, among other things. Governance of those controls is discussed, and the obvious questions come up.

"Do we have an AI policy? Who owns it? Who owns AI governance?

Everyone looks at Legal.

Legal looks back at Tech and IT.

And then comes the sentence no one wants to hear:

“I thought it was you.”

Legal – or Legal/Compliance, depending on how your organization is structured – often becomes the natural starting point for AI governance.

After all, AI governance involves regulation, risk, documentation, and accountability. But AI also touches products, data flows, security controls, suppliers, and technical implementation.

That means that Legal may be central to AI governance – but it cannot own it alone.

The real question is not whether Tech, Legal/Compliance, or IT should own governance alone. The question is how they can share the responsibility in a way that works in practice.

In this article, I will give you what I believe is the most practical answer.

Business as usual: Start with the processes you already have

Although many view AI as a new technology, governance is nothing new.

That is why the same mindset should be applied to AI as before the major AI breakthrough in 2022.

Business as usual, you might say.

Governance in the AI domain requires various elements that (perhaps) already exist in your organization.

Typically, you will already have a governance structure in place, complete with policies, procedures, controls, and documentation.

This structure and its underlying principles are technology-neutral.

Therefore, you should use them as a guide in the same way when it comes to AI systems.

In practice, this means that you do not necessarily need to create a separate AI governance setup from scratch. Start by looking at the governance processes you already have – and assess how they should apply to AI.

Vendor management: Who approves AI systems?

The approval, procurement, and implementation of AI systems fall under supplier management.

This process is often owned by Legal/Compliance, with advice and support from IT. Together, they handle internal requests to use new AI systems, assess the relevant risks, and ensure the necessary approvals are in place.

Depending on the organization, this process may involve reporting to senior stakeholders, such as the CTO.

In practice, this means that AI systems should go through the same approval routes as other critical vendors or tools – with the necessary AI-specific risk questions added to the process.

Risk management: Who assesses and controls the risks?

When AI systems use personal data or internal business data, the same guidelines should apply as for any other processing of such data.

In other words, AI systems should be governed as part of the organization’s overall information security framework.

This includes risk management, such as:

  • risk assessments
  • measures to mitigate identified risks
  • controls to monitor whether those measures are effective
  • checks to ensure that the measures are followed in practice
  • documentation of compliance and effectiveness.  

These sub-disciplines are often shared between Tech, Compliance, and IT. They require insight into operational and business needs, as well as IT security and existing governance in this area.

Risk management may include supplier risks, supply chain risks, IT contingency risks under the CRA, business continuity risks, personal data risks under the GDPR, societal risks under NIS2, information risks, and others.

In practice, this means that the assessment should not stop once an AI system has been approved. The identified risks, controls, and mitigation measures should be followed up on and documented throughout the system’s lifecycle.

Product requirements: Who translates requirements into practice?

Tech is responsible for product security and determines how the product should be designed.

In practice, this means that Tech translates the requirements identified by Legal/Compliance into specific compliance measures.

Legal/Compliance monitors whether those measures are effective and support legal compliance, while IT may review the security aspects.

A simple model for shared responsibility

Of course, the responsibilities will vary from organization to organization. But based on my own experience, a practical starting point could look like this:

Overview of ownership in AI governance

The point is not to create a fixed template for every organization, but to make sure that ownership is clear and collaboration is built into the process.

How to avoid silos: 3 practical steps to get started

AI governance should not live a life of its own, disconnected from the organization’s existing governance structure.

But the answer is not to place the full responsibility with one department either. And it’s not to divide AI governance so rigidly that it becomes a set of small satellites with limited collaboration between them.

Instead, AI governance should be embedded into existing structures and responsibilities. To get started, organizations can focus on three practical steps:

  1. Create an overview of the AI systems the organization already uses or plans to use
  2. Clarify who is responsible for approval, risk assessment, controls, documentation, and follow-up
  3. Set up regular collaboration between Tech, Legal/Compliance, and IT, so AI governance becomes part of the existing governance structure.  

As a minimum, Tech, Legal/Compliance, and IT need to meet in the AI intersection. Together, they should design, measure, improve, and put AI governance into practice.