AI adoption is accelerating across organizations, and leaders are under growing pressure to balance innovation with responsible oversight. As employees and teams experiment with AI tools in more parts of the business, unchecked or unauthorized use can create risks related to security, compliance, accuracy, bias and data exposure.

Rogue AI risks often emerge when tools, models or workflows are introduced without clear visibility, ownership or approval. Below, members of Forbes Technology Council share governance measures leaders can put in place to guide responsible AI use, reduce risk and help teams innovate within clear boundaries.

Treat AI Agents As Governed Digital Identities

Leaders should establish a runtime identity for AI agents by treating each as a governed identity with least-privilege access, continuous verification and real-time policy enforcement. This ensures every action is authenticated, authorized and auditable, preventing rogue behavior as automated decisions are made on an ongoing basis. - Peter Barker, Ping Identity

Create A Central Registry Of Approved AI Use Cases

Before scaling AI, life sciences organizations need a living registry of approved uses—centrally governed, risk-profiled and documented—before any AI touches regulated workflow. The FDA’s first AI-specific warning letter made clear: GxP obligations don’t pause for AI tools. A registry makes compliance enforceable. Human oversight requirements make it defensible. You can’t govern what you don’t know you have. - Michael King, IQVIA

Establish Full Visibility Into Enterprise AI Activity

The adage “you can’t control what you can’t see” holds true for enterprise AI. Visibility is the critical first step: which AI applications, models or agents are being used; what they are doing; and what actions are permitted. Only with this baseline can organizations establish effective governance and acceptable use policies. Without visibility, meaningful control is impossible. - Rick Caccia, WitnessAI

Embed Governance Guardrails In AI Systems From Day One

Organizations looking to limit rogue AI must take a governance-native approach. This means embedding guardrails like explainability, human override, compliance and safety constraints across every layer of your product from day one. Leadership needs to see this as a design principle, not a “one-and-done” policy email. From associate PM to CPO, everyone must own it. Build it in, don’t bolt it on. - Abha Dogra, IBS Software

Require Human Oversight For High-Stakes AI Decisions

Implement a centralized AI registry that forces visibility on “shadow” tools, ensuring every model has an assigned human owner. And have a human-in-the-loop mandate. No AI decision should be final without human validation for high-stakes tasks. Accountability rests with the person, not the algorithm. - Sai Vishnu Bhyravajosyula, Atlassian

Use A Standard Framework To Assess AI Risk And Reward

Rogue AI risk grows when governance runs on gut feel and hyperbole. Today’s leaders need a standardized risk-benefit framework that scores every use case against the same criteria. With a framework in place, organizations can swap fear for evidence, turn red flags into guardrails, and give their teams a defensible basis to prioritize and scale AI with confidence. - Omar Khawaja, Databricks

Apply Zero-Trust Controls To AI-Generated Code

Enforce preexecution governance on software supply chain assets, including code introduced by AI agents. Rather than relying on origin or scans, evaluate what code is capable of doing before it runs and block behavior that violates policy. This ensures zero trust is enforced for code and limits rogue AI risk at the point of execution. - Ken Ammon, CodeHunter

Validate Customer-Facing AI Workflows End To End

Most teams monitor AI outputs in isolation. Few step back to see where full workflows break across the business. The risk is highest in customer-facing AI, where failures are immediate and visible. A wrong answer, a dead end, a silent failure—each system logs success while the customer walks away. Leaders must validate end-to-end CX journeys before issues scale or customers feel them. - Sushil Kumar, Cyara

Monitor And Control AI Spending

Bake fiscal responsibility into the controls layer that governs AI operations. Every business leader should implement proactive controls to monitor and limit token usage, as the scalable nature of LLMs can lead to exponential cost spikes if left unchecked. By setting automated alerts, usage quotas and granular tracking, organizations can prevent “bill shock.” - Evan Huston, Saatva

Shift To Continuous Security Testing For AI Systems

Leaders should require continuous security validation for AI systems, not periodic review. In AI-enabled businesses, change happens too fast for quarterly audits to keep up. Governance should mandate ongoing testing so teams can catch both technical flaws and the subtler ways AI can be manipulated through normal-looking inputs. - Ido Geffen, Novee Security

Treat AI Deployments As Formal Change Management Events

Treat AI agent provisioning as a change management event. Employees are making consequential deployment decisions before breakfast without recognizing what they’re doing. A lightweight gate—manager sign-off, a risk check—ensures the decision is named, logged and owned. Governance doesn’t need a new committee. It needs structure around the decisions people are already making. - Beth Miller

Give Subject Matter Experts Ownership Of AI Outcomes

An autopilot isn’t blamed for a collision; the liability stays with the owner. The same logic applies to AI agents. Every decision an agent makes should be owned by the subject matter experts in that area who defined its guardrails and understood its risks. This is the major cultural shift I see happening right now: moving from “AI as a tool” to “SME-led accountability.” - Sandeep Pal, Salesforce Inc.

Build Automated Kill Switches And Circuit Breakers

Leaders should focus less on who approves AI going in and more on building kill switches that work after deployment. Every AI system needs tripwires that halt it when outputs cross certain thresholds. The real danger is when outputs quietly become inputs to systems nobody anticipated. Mandate blast radius boundaries and wire in circuit breakers that work at machine speed, not dashboard speed. - Rivindu Perera, Onit Inc.

Expand Insider Risk Models To Include AI Agents

The AI governance move leaders cannot delay is expanding the insider risk model beyond humans. AI agents already operate with access, authority and speed. If they are not classified as nonhuman insiders, rogue AI risk will sit outside the very framework meant to contain it. - Mohan Koo, DTEX Systems

Use Enterprise Risk Registers To Govern AI Adoption

Enterprise AI adoption is chaotic. In addition to the scale and velocity challenge, there are structural risks such as foundational model dependency, vendor and integration spread, data oversight gaps, and identity risk. As such, executives have to think cohesively and implement an enterprise AI risk register to support management and governance, creating measurable benchmarks and enabling proactive oversight. - Anuj Goel, Cyware

Tie AI Agent Access To Intent And Scope

Organizations should enforce identity-based governance that ties AI agent access to explicit intent. Instead of static permissions, continuously validate what an agent is designed to do and restrict actions that fall outside that scope. This limits overreach, reduces drift and creates a clear control plane for autonomous systems. - Itamar Apelblat, Token Security

Introduce AI Through Defined Use Cases And Controlled Access

Introduce AI deliberately and on your own terms. If you don’t create a clear path, it will find its own way in through individuals experimenting. Governance starts with defined use cases, controlled access and the ability to trace changes and outputs. - Leon Lauritsen, Aras

Make AI Usage Transparent And Fully Documented

A straightforward and effective safeguard is to ensure AI usage is transparent. Teams should document where AI is used, the data it accesses and who is responsible for outcomes. Unapproved AI often arises when employees introduce tools into critical workflows without review, accountability or shared standards. - Shreyas Nair, Wordsworth AI

Build Organizationwide AI Literacy And Risk Awareness

Create an enterprise AI literacy baseline. Rogue risk often starts with weak judgment or inexperience. When employees understand how AI works, where it fails and when to escalate, they recognize misuse earlier, question outputs more effectively and apply better discernment before risk spreads. - Greg Brown, Illumia

Require AI Red Teaming Before Production Deployment

Require AI red teaming before production, scored against the NIST AI Risk Management Framework and the OWASP LLM Top 10. Registries, owners and kill switches show up here repeatedly. Almost nobody names the security test that should gate deployment. We mandate pen tests for new apps. Why ship agents without evaluation against prompt injection and data extraction? Inventory shows what exists. Red teaming shows what’s safe. - Dan Sorensen, Nexus Security Advisors
Rogue AI: How To Strengthen Governance And Reduce Risk
As employees and teams increasingly experiment with AI, unchecked or unauthorized use can create risks related to security, compliance, accuracy, bias and data exposure.












