Vinod Bijlani is an AI practice leader at Hewlett Packard Enterprise.

Every enterprise I speak with has the same story. AI initiatives in flight, promising pilots in the works, ambitions to deploy at scale and, somewhere in the middle of it all, a growing recognition that the organization does not yet have the governance infrastructure to manage what it is building.

I have spent the last year studying how the world's most AI-mature organizations—particularly in financial services, where the regulatory and reputational consequences of getting it wrong are highest—have gone about defining and operationalizing their AI governance strategies. What I found was not a story about compliance. It was a story I had seen before, in a different context.

It looked exactly like what happened with data governance a decade ago, and the parallels are too instructive to ignore.

AI Governance Is Having Its Data Governance Moment

In the early 2010s, enterprises were sitting on vast lakes of customer data, transaction records and operational signals. The promise was enormous. The reality was chaos: duplicate records, inconsistent definitions, no clear ownership and regulators beginning to circle. The organizations that paused to build data governance frameworks before scaling their data programs were the ones that eventually monetized that data with confidence.

AI is at exactly that inflection point. And the first crisis, just like in the data era, is visibility. In the data world, nobody knew where all the data lived, who owned it or whether two systems using the term "customer" meant the same thing. AI has the same sprawl problem, only faster and with higher stakes. According to McKinsey's 2025 State of AI report, 88% of organizations are now using AI in at least one business function, yet only 1% consider their AI strategies mature. Models are being deployed by individual teams, vendors are embedding AI into SaaS tools without announcement and agentic systems are autonomously accessing data and executing actions that nobody has formally approved.

The answer, just as it was with data, starts with knowing what you have. An AI inventory, often called an AI Card, is the governance equivalent of the data catalog: a continuously refreshed record of every model, agent and pipeline in production, with its risk tier, data classification, owner, compliance tags and deployment scope attached. You cannot govern what you cannot see. This has always been true for data. It is true for AI.

What The Leading Organizations Built

The enterprises I studied are heavily regulated institutions where the cost of ungoverned AI is concrete, and it shows up in regulatory action, customer harm or very public reversals.

Commonwealth Bank of Australia (CBA) became the first Australian bank to publish a comprehensive report on how it ideates, develops, deploys and manages AI at an organizational level. CBA's AI Governance model is anchored in six principles—fairness, transparency, privacy and data protection, reliability and security, environmental and social, and accountability—embedded directly into its Code of Conduct and operationalized. CBA established a dedicated AI governance forum and had engaged over 27,600 employees in AI literacy training. The governance was not bolted on after deployment. It was the deployment condition.

JPMorgan Chase established an Explainable AI Center of Excellence, a firm-wide model risk governance function and a C-suite AI governance council that mandates transparency, human-in-the-loop oversight and regulatory alignment before any model reaches production. With over 450 agentic AI use cases deployed and its internal LLM suite in daily use by more than 230,000 employees, JPMorgan earned the No. 1 global AI maturity ranking in the 2025 Evident AI Index.

The Three Layers Of A Functioning AI Governance Strategy

Across these organizations, the same architectural pattern emerged, one that mirrors how mature data governance programs are structured and maps directly to Gartner's AI TRiSM framework for AI trust, risk and security management.

Layer 1 - Discovery And Inventory: AI Governance begins with the AI inventory. Every model, agent and pipeline—including shadow AI deployed without central oversight—needs to be discovered, classified by risk tier, assigned an owner and tagged against applicable regulatory frameworks. This is not a one-time audit. It is a living, continuously refreshed record. The diagnostic question is simple: can you list every AI system running in your organization right now? If the answer is uncertain, that is where AI Governance starts.

Layer 2 - Runtime Policy Enforcement: Data governance matured when organizations moved from reactive data quality fixes to proactive controls built into pipelines. AI governance is undergoing the same shift. Enforcement needs to operate at the point of all AI interactions, detecting prompt injection, scanning outputs for sensitive data before delivery, sandboxing agentic systems to enforce least-privilege access and generating tamper-proof audit trails in real time. Gartner projects that enterprises embedding runtime AI governance controls will reduce regulatory compliance costs by 20%, the same efficiency logic that made automated data quality controls a standard investment a decade ago.

Layer 3 - Compliance, Audit And Policy Lifecycle: Mature data governance programs produce continuous lineage and evidence trails that satisfy auditors without heroic manual effort. AI Governance needs the same capability—automated evidence collection mapped to frameworks like the NIST AI Risk Management Framework, the EU AI Act and ISO 42001, paired with dashboards that surface AI risk posture, policy drift and incident trends continuously. This is what converts AI governance from a periodic review into an operating discipline, the same transition data governance made when it moved from compliance project to core infrastructure.

The Window To Build Proactively Is Narrowing

Data governance took most enterprises a decade to get right, and those that started late paid the price in fines, remediation costs and lost competitive ground. The trajectory for AI governance is compressing. Gartner forecasts that fragmented AI regulation will grow fourfold, covering 75% of the world's economies and driving over $1 billion in total compliance spend by 2030. The organizations building AI governance now as infrastructure, not as a compliance reaction, will not be caught rebuilding their foundations when that regulatory wave arrives.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
What AI Governance Can Learn From The Data Governance Era
Data governance took most enterprises a decade to get right, and those that started late paid the price.
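
The Layer 2 enforcement point described in the article, sketched as an added Python example that is not from the article or from any vendor product: model output is scanned for card numbers before delivery, and each decision is written to a hash-chained audit log. The function names, the `[REDACTED-PAN]` marker and the choice of a SHA-256 hash chain as the tamper-evidence mechanism are assumptions.

```python
# Added illustration; every name below is hypothetical, not from a product.
import hashlib
import json
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digit runs
GENESIS = "0" * 64  # "previous hash" used for the first log entry

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_output(text):
    """Mask card-like numbers; return (safe_text, number_of_redactions)."""
    hits = []
    def mask(m):
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()  # digit run that is not a card number
        hits.append(m.span())
        return "[REDACTED-PAN]"
    return CARD_RE.sub(mask, text), len(hits)

def entry_hash(prev, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()

def append_entry(log, record):
    prev = log[-1]["hash"] if log else GENESIS  # chain to the prior entry
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def verify_chain(log):
    """Return the index of the first broken entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return i
        prev = e["hash"]
    return -1

def deliver(log, system_id, model_output):
    """Enforcement point: scan and redact, record the decision, then release."""
    safe, hits = redact_output(model_output)
    digest = hashlib.sha256(safe.encode()).hexdigest()
    append_entry(log, {"system": system_id, "redactions": hits, "output_sha256": digest})
    return safe
```

A hash chain only makes edits detectable; for the trail to hold up under audit, the latest hash has to be anchored somewhere the logging system itself cannot rewrite.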













