Bart Kowalczyk, 29 June 2026, 12:16 BST. 5 min read.

What is New in AI Governance?


In our latest webinar, Sam Easton tackled one of the trickiest questions facing businesses right now: as AI tools become embedded in everyday workflows, who is actually accountable when things go wrong?

Sam opened with a line that set the tone for the whole session:

"You can outsource your thinking, but you cannot outsource your understanding."

It's a simple idea with big implications. Businesses are increasingly letting AI write emails, score leads, and make automated decisions, but outsourcing the thinking does not outsource the responsibility. If the AI gets it wrong, the business that deployed it is still on the hook.

 

Watch the webinar: AI Governance: What Is New? What Has Changed, and What to Do Now.

 

Two Trends Worth Watching: 

Token Maxxing:

A Silicon Valley trend that measures AI usage rather than AI outcomes. Meta's internal token-consumption leaderboard is a good example of this playing out: it was pulled down within days because it told employees about activity, not value.

That matters because a widely cited industry report found that only 24% of professionals have a great deal of trust in AI-generated output, while 30% have little or no trust at all. Put those two things together and you get businesses measuring teams on the volume of AI use while not actually trusting what the AI produces, which is a governance problem in a single sentence.

Agentic AI As A Service:

Rather than just subscribing to software, businesses are now subscribing to outcomes: AI agents built and deployed on their behalf, with Microsoft's Copilot Studio as a familiar example. The real risk sits with "vertical" agents, tools deeply embedded in specific workflows such as customer communications, rather than horizontal tools like general-purpose chatbots.

Microsoft's own responsible AI standards offer a useful test for this: can the agent send an email, update a record, or suppress a contact without anyone signing off? If yes, that is a sensitive-use trigger that calls for a control, not just something to be aware of.

"Using more AI doesn't mean you understand more, it can mean the exact opposite."

 

The Regulatory Backdrop: 

Under UK GDPR, Article 22 gives individuals rights around solely automated decisions that have legal or similarly significant effects on them. AI lead scoring or automated email suppression can fall into this category if it meaningfully affects someone. The Information Commissioner's Office isn't expecting perfection here, but it is expecting accountability to be demonstrable, not just described.

The EU AI Act adds another layer. It is already partially in force: some prohibited practices are enforceable now, and transparency obligations are active even where the deadlines for high-risk systems have been extended. Importantly, UK businesses are in scope if their AI system, model, or output is placed on the EU market or used in the EU, regardless of where the company itself is registered.


 

Shadow AI: the risk hiding in plain sight: 

Shadow AI refers to the tools your team may already be using without the organisation having any visibility of them. Without a clear AI use policy, businesses tend to land in one of two camps: staff avoid AI altogether out of caution, or they use it too freely in ways that breach the organisation's risk appetite. This isn't really an IT problem; it is an organisational systems and processes problem. A clear, socialised policy on which tools are permitted isn't a nice-to-have, it is a foundational governance action, and it matters most where staff are using personal AI accounts for work without that ever having been explicitly addressed.

 


 

Vendor due diligence matters too. Microsoft has adapted the banking principle of "know your customer" into "KY3C": know your cloud, know your customer, know your content. Checking your HubSpot data protection agreement or OpenAI terms isn't a legal formality; it is a concrete action. The questions those documents need to answer are whether your data is used to train the vendor's models, where it is processed and stored, how long it is retained, and who can access it.

 

A five-step framework, made practical: 

At the heart of good AI governance is a simple five-step framework:

  • Inventory: you can't govern what you can't see. Most organisations have significantly more AI use cases than they initially think, and shadow AI accounts for most of the surprise. This step also means checking whether the underlying data (contacts, company records, deal history) is fit for AI to use reliably.
  • Risk Assessment: not every AI use case carries the same risk. A simple grid of likelihood versus impact helps prioritise where attention is needed most. Any process making solely automated decisions about individuals with legal or similarly significant effects needs meaningful human review, or must meet one of the Article 22 exceptions with the required safeguards.
  • Controls and Safeguards: a human in the loop is the most practical safeguard most small businesses have, and it needs no technical infrastructure, just a defined process. For agents specifically, two extra checks matter. First, watch for vendor model changes: an agent can behave differently after a silent update even though nothing visibly changed, so where the vendor exposes a model version, pin it and re-test when it changes. Second, do basic adversarial testing: ask what the worst thing is that the agent could do if given a confusing instruction, and check whether the controls actually stop it.
  • Decision Log: often the most undervalued step. The Ofqual A-level grading case during COVID is a clear example of what happens without one: an algorithm disadvantaged students from lower-income backgrounds, and when it was challenged it proved close to impossible to understand how the decisions had been made, because the reasoning wasn't documented.
  • Roadmap: days 1 to 30 focus on visibility, getting every use case understood. Month two is about prioritisation, focusing controls where risk is highest. Month three is about documentation and getting the wider team aligned.
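
The three agent controls in the framework (a human sign-off gate for sensitive actions, a decision log that records the reasoning, and a check for silent vendor model changes) are easier to reason about in code than in prose. The following is an added illustrative example written for this article; it is not code from the webinar, from Copilot Studio, or from Microsoft's responsible AI standard. The action names, the `PINNED_MODEL` identifier, and the sample requests in the adversarial probe are all assumptions, and the "human reviewer" is a plain callback standing in for whatever approval step an organisation actually uses.

```python
"""Approval-gated dispatcher for a workflow agent.

Added example for this article (not from the webinar or any vendor). It wires
together the three agent controls from the framework:
  - a human sign-off gate for actions that change state for a real person
    (send an email, update a record, suppress a contact);
  - a decision log that records what happened and why, so a decision can be
    reconstructed later;
  - a model-drift check that pauses the agent when the vendor reports a model
    version other than the one the agent was risk-assessed against.
All identifiers and sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Actions that fail the "can it do this without anyone signing off?" test.
SENSITIVE_ACTIONS = {"send_email", "update_record", "suppress_contact"}

# Model version the agent was risk-assessed against (assumed identifier).
PINNED_MODEL = "vendor-model-2025-01"


@dataclass
class ActionRequest:
    action: str          # e.g. "send_email"
    target: str          # e.g. a contact id
    reason: str          # the agent's stated justification for the action
    model_version: str   # version string the vendor reports at call time


@dataclass
class DecisionLog:
    entries: list = field(default_factory=list)

    def record(self, req: ActionRequest, outcome: str, detail: str) -> None:
        # Keep the agent's reason alongside the outcome: the log exists to
        # answer "why did it do that?" long after the fact.
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": req.action,
            "target": req.target,
            "agent_reason": req.reason,
            "model_version": req.model_version,
            "outcome": outcome,
            "detail": detail,
        })


class GatedDispatcher:
    def __init__(self, approver: Callable[[ActionRequest], bool], log: DecisionLog):
        self.approver = approver   # human reviewer; returns True to approve
        self.log = log
        self.executed = []         # (action, target) pairs that actually ran

    def dispatch(self, req: ActionRequest) -> str:
        """Return "held", "blocked" or "executed", logging the decision."""
        # Control 1: vendor model drift. A silent model update invalidates the
        # risk assessment, so hold every action until a human re-reviews.
        if req.model_version != PINNED_MODEL:
            self.log.record(req, "held",
                            f"model drift: {req.model_version} != {PINNED_MODEL}")
            return "held"
        # Control 2: human in the loop for anything with real-world effect.
        if req.action in SENSITIVE_ACTIONS:
            if not self.approver(req):
                self.log.record(req, "blocked", "reviewer declined")
                return "blocked"
            self.log.record(req, "executed", "reviewer approved")
        else:
            self.log.record(req, "executed", "non-sensitive, no sign-off needed")
        self.executed.append((req.action, req.target))
        return "executed"


def adversarial_probe() -> dict:
    """Control 3: what is the worst the agent can do on a confusing instruction?

    Constructed scenario: the agent read "tidy up contacts who have not replied"
    as "suppress them all". With no reviewer available (the approver always
    declines) no sensitive action may run, and every attempt must be logged.
    """
    log = DecisionLog()
    dispatcher = GatedDispatcher(approver=lambda _req: False, log=log)
    batch = [ActionRequest("suppress_contact", f"contact-{i}",
                           "no reply in 30 days", PINNED_MODEL) for i in range(3)]
    batch.append(ActionRequest("draft_reply", "contact-9", "routine", PINNED_MODEL))
    outcomes = [dispatcher.dispatch(r) for r in batch]
    sensitive_executed = sum(1 for a, _ in dispatcher.executed if a in SENSITIVE_ACTIONS)
    return {"outcomes": outcomes,
            "sensitive_executed": sensitive_executed,
            "logged": len(log.entries)}


if __name__ == "__main__":
    print(adversarial_probe())
```

The probe is the part worth keeping around: run it again after every vendor model update or prompt change, and treat any `sensitive_executed` value above zero as a failed control rather than an interesting finding.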

"Speed without control just creates compounding risk. Controls are not a brake on AI adoption, they're just what makes the adoption sustainable over time."

 

Governance works best as a team sport: 

This isn't something one person should be left to figure out alone. Governance done collaboratively, with everyone who touches an AI tool in the room, produces far better outcomes than one person working through it in isolation. It is also not a one-off exercise: both the EU AI Act and ICO guidance expect ongoing monitoring rather than a single tick-box review.

Building in a regular review cadence, monthly, quarterly, or every six months depending on the risk level, keeps governance aligned as tools and their outputs quietly evolve over time.

 

The Big Picture: 

AI isn't a transformation tool; it is an amplifier. Strong data, clear processes, and good governance mean AI compounds your strengths. Weak foundations, unclear processes, or poor governance mean AI compounds the dysfunction instead.

The real question isn't whether you're using AI. It is whether AI use in your organisation is making things meaningfully better, or simply accelerating what is already going wrong.

 

Bart Kowalczyk
Founder & CEO, AutomateNow - helping B2B organisations align sales, marketing, and processes to drive sustainable growth