
Your AI risk appetite is too narrow


By Michael Domanic, Section Head of AI

AI governance is one of the topics I get asked about most. Usually some version of: how do we move faster without creating exposure we can't recover from? How do we keep Legal and InfoSec from grinding everything to a halt? How do we know when we're being appropriately cautious vs. when we're using "governance" as a polite word for "we're afraid to move"?

Here's what I've seen work across the dozens of companies I've watched navigate this. Your risk appetite is probably too narrow.

That might sound reckless. It isn't. Let me explain.

The question every governance conversation collapses into

Every conversation about AI risk ultimately becomes one question: is there more risk in doing, or more risk in not doing?

Most companies dramatically under-index on the risk of standing still. If your competitors are cutting cycle time by 40%, if their sales teams are running discovery at twice the volume, if their engineers are shipping code at unprecedented speed, those are real risks. They just don't show up in a risk register. They show up two years later, when your competitors are operating at a scale and speed you can no longer match.

The moment you decide to take AI transformation seriously is the same moment you've decided to increase the surface area of risk in your organization. There's no version of this where you go fast and feel safe. The question is whether you'd rather take on more risk and move, or take on less risk and fall behind.

Hard borders are real. Respect them.

Before I go any further, I want to be specific about something, because the "widen your risk appetite" message gets misread by people who want permission to skip the hard parts.

Every organization has hard borders: regulatory obligations, data privacy commitments, industry-specific compliance frameworks, and customer contracts that spell out exactly what you can and can't do with their data. These borders are not negotiable, and good AI governance doesn't try to negotiate them.

A financial services company has different borders than a SaaS company. A healthcare provider has different borders than a marketing agency. A company that processes EU citizen data has different borders than one that doesn't. 

The work isn't to push past your borders. The work is to figure out exactly where they sit, with precision, and then do as much AI transformation as you possibly can right up to them. 

That's a meaningfully different posture than what most companies take. The default is to add buffer. The regulator says X, so we'll do half of X to feel safe. That might make your GC feel safe, but that's also leaving value on the table that competitors with more intentionality will absolutely capture, even within the same regulatory environment.

Good governance respects the hard borders and avoids the invention of soft ones.

What real governance looks like

The governance model I keep coming back to has seven pieces. None of them are exotic. Most companies have some version of these already. The difference is in how they're implemented.

Own it at the top. AI governance needs an executive owner with real authority. Not a steering committee, not a working group. One person whose calendar and political capital are on the line. Without clear accountability, governance becomes everyone's job and therefore nobody's job.

Build a cross-functional council. Legal, InfoSec, IT, and the business need a standing forum to review new tools, use cases, and risk exposure together. The point here is to make decisions quickly with the right people in the room. The worst governance failure I see is the six-week review cycle that kills momentum on every new initiative. 

Enterprise-grade tooling only. Your organization should require SSO, role-based access control, contractual data protections, a contractual commitment that your data is not used to train the vendor's models, and SOC 2 and ISO 27001 at minimum. This is the cost of entry, and it's where you save yourself from the legal exposure that actually matters.

Know your data. Explicit, written guidance on what can and can't go into an LLM. This is the single most underrated governance requirement. Most companies have policies that say "be careful" and nothing else. Be specific: which categories of data may go into which approved tools, how client information is handled, and that regulated data never goes in at all. The clearer the guidance, the safer your people.

Tier your risk model. Internal productivity tools should move fast. Anything customer-facing or system-integrated gets a harder look. The AI agent blast radius framework I wrote about a few weeks ago applies directly here. High blast radius, low reversibility decisions need human oversight. Low blast radius, high reversibility decisions should be automated freely.

Formal intake for new tools. Shadow AI is real. Every new tool needs a documented use case, a data exposure assessment, and approval before anyone touches it. Make this fast: 48 hours, not six weeks. Otherwise your people will route around you and you'll end up with less visibility than if you'd never set up the process at all.

Train your people. Your governance can't live only in a policy doc; your people have to understand what it looks like day to day, in their real jobs. Roll out training and update it frequently. We're in a period of perpetual reinvention, and your governance policies and your approach to new tools should be ever-evolving.

The trap most companies fall into

Here's where this usually goes wrong. Companies will often build a governance model that looks airtight: review boards, intake forms, approval workflows, training modules. The instinct seems defensible. AI feels new, the legal landscape is unsettled, and waiting a year or two to see how other companies absorb the impact looks like the responsible move. So governance gets built around waiting periods. But in reality it's a slow-motion failure, because every layer of control adds friction, and friction kills the experimentation that produces transformation.

The governance model you need is the one that lets your organization operate as close to your hard borders as possible without crossing them. 

The proof point of good governance isn't a clean risk register. It's whether your organization is moving faster than it was a year ago, within the borders that matter. If your governance is making it harder for your people to use AI in places where they legitimately should be using it, it isn't working. Even if it looks like it's working on paper.

See you next week,

Michael
Your fellow Head of AI
