Greg Pavlik, Executive Vice President, AI and Data Management Services, Oracle Cloud Infrastructure.gettyWe’re still at the beginning of the enterprise AI era, but one thing is already clear: This technology works. The real bottleneck I’m seeing with customers is how to build AI governance for control at scale. I’ve seen customer teams take a model from prototype to production in weeks, then spend months lining up approvals, permissions and audit logs. The thrill of invention gives way to the hard work of governance. This is often the moment when an organization finds out if it has an AI strategy.As an organization adopts agentic workflows, this is becoming especially true. The model provides an answer, but that answer is rooted in the fact that an agent can call tools, trigger processes and act on a user’s behalf. Governance, therefore, can’t be decoupled from the workflow. It must happen alongside the workflow itself.When organizations view it this way, governance isn’t some vague compliance function. It’s the operating model for identity, data access, tool permissions, policies, human approvals, exception handling and audit logs.That requires a control plane that applies and enforces these rules within the AI workflow as an agent makes decisions about the data, tools, actions and human escalation paths.Imagine a supply chain agent that checks inventory levels regularly, spots potential shortfalls, keeps a list of alternative suppliers and makes purchases when needed. That’s pretty powerful, but it’s not enough on its own. The organization’s governance framework dictates which supplier data the agent can access, which suppliers it can use, how much it can spend, what evidence should be recorded and when a human procurement staffer needs to sign off. These elements spell out the difference between simple task automation and an AI workflow an organization can actually trust.Most organizations are not starting from zero. Many have defined AI strategies and guidelines, but fewer have turned them into operational systems for AI system approval, deployment and monitoring. Thomson Reuters recently found that while 71% of organizations have AI ethics policies in place, only 41% have operationalized them.When AI governance policies aren’t embedded into workflows, organizations default to a reactive posture. Decisions are reviewed after the fact, edge cases are escalated and emerging risks are handled manually as they arise.This approach becomes difficult to defend when agents are not only producing content but also acting across multiple enterprise systems. Once AI systems can act on their own, “we’ll review it later” isn’t a governance strategy.What the organization needs is a consistent control plane that decides in real time what risks a workflow poses, the data permissions an agent has, the tools it can use, when humans need to approve an action and what information must be recorded for an audit. When an AI workflow runs afoul of a policy, the control plane can step in, stop the action, preserve the evidence and route it for review. The control plane transforms a manual process into an always-on governance capability.AI systems become harder to audit and more difficult to scale across business units. Governance then stops being an enabler and becomes a ceiling on how far an AI strategy can realistically go. It may even be what separates real deployments from “AI theater,” where the progress looks real until it’s under operational scrutiny. We’ve all seen plenty of impressive software demos in our day. The more difficult test is whether the same results can be repeated, audited and controlled across an organization.Why Governing AI Breaks Down At ScaleMany organizations still govern AI through centralized policies, manual controls and periodic audits. This may work for isolated pilots or narrow agentic tasks, but it breaks down as AI workflows scale across geographies and use cases.In large, regulated enterprises, the strain often becomes visible during multi-region AI rollouts. An agentic workflow may be validated and approved in one environment, only to face new review cycles elsewhere because data residency rules, access controls and local compliance requirements are interpreted differently.What’s frustrating is that nothing is technically broken. The AI works. The challenge is how governance is implemented. But it's fragmented across local processes instead of providing an overarching control layer.Meanwhile, investors and regulators are no longer evaluating AI on capability alone. Among S&P 500 companies, AI governance disclosure rose from 12% in 2023 to 72% in 2025, signaling that governance has become a material factor in corporate oversight.Simply put, AI demands leaders to rethink governance. It’s not just a safeguard. It’s part of the infrastructure.Operationally, that shift begins at the data layer. This is where data access, residency, lineage and policy enforcement move from principles to controls your organization can enforce. A modern enterprise data foundation makes it possible to apply policies and access controls consistently across environments. As agent fleets become more common, governance must also address the subagents, tools, prompts, permissions and actions that make up a complete workflow.Then there’s governance’s role in operational resilience. As organizations depend more on external AI providers, they need clear processes for what happens if a model changes, the provider’s policies shift or performance suffers.This is where hyperscale infrastructure is critical. It’s where many governance requirements become operational: identity management, observability, regional deployment rules, security and service-level agreements. Even the best AI models have limited enterprise value without the proper commitments for uptime, regional availability, resiliency and control.Finally, as deployments move across borders, particularly in sovereign cloud environments, governance can become a patchwork of region-specific rule books applied to the same systems. The real goal should be a single governance architecture that enforces local policy differences consistently.In practice, that often means multiple governance systems running in parallel, with the same model subject to different thresholds for risk, access and compliance depending on where it’s deployed.Ultimately, the organizations that succeed with AI will not be those that simply deploy it the fastest. They will be the ones that can deploy and govern AI at scale without losing control.Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
How To Scale AI Governance At The Pace Of AI
When AI governance policies aren’t embedded into workflows, organizations default to a reactive posture.








