Most AI policies look impressive in a PDF and do almost nothing on a Tuesday morning when someone is about to deploy a model. That gap, between the document and the decision, is where governance quietly collapses.

The polished policy problem

A recent Nemko analysis of why AI governance efforts fall short makes an uncomfortable point: the issue is not awareness or intent, it is execution. Organisations have the principles, the policies, even the EU AI Act on the horizon, yet many still struggle to translate these efforts into real control over how AI systems behave.

• Boards approve frameworks they will never see applied.

• Legal writes policy. Engineering writes code. The two rarely meet.

• Risk registers exist. Workflows do not reference them.

If your governance document cannot be traced to a specific step in a specific workflow, it is decoration.

Gap one: nobody actually owns it

The Nemko piece flags something I see in almost every client engagement: responsibilities are distributed across legal, compliance, engineering and product, but decision-making authority is unclear. Everyone is consulted. Nobody is accountable.

What this looks like on the ground:

• A model goes live because no one had the authority to say no.

• A bias concern gets raised in three meetings and resolved in none.

• When something breaks, the post-mortem blames "the process".

A simple RACI model fixes a surprising amount of this. Who is Responsible for writing the policy. Who is Accountable for approving the deployment. Who must be Consulted before a change. Who must be Informed after. Not glamorous. It works.

Gap two: treating every use case the same

The second failure is applying one control regime to everything. A chatbot that suggests meeting times does not need the same scrutiny as a model that triages loan applications. Yet many organisations do exactly that, which slows the low-risk work and under-governs the high-risk work at the same time.

A workable sort:

• Low risk: document the use case, light review, ship it.

• Medium risk: human-in-the-loop, periodic audit, clear rollback.

• High risk: full validation, explainability requirements, named accountable owner.

Risk tiers are not about paperwork. They are about matching the weight of oversight to the weight of the decision.

Map every policy line to a workflow step

Here is the test I use with leadership teams. Take your AI policy. Pick any line. Ask three questions:

• Which workflow does this apply to?

• Which step in that workflow?

• Who owns that step when something goes wrong?

If you can answer all three, you have governance. If you cannot, you have theatre. The policy is doing the emotional work of looking responsible without the operational work of being responsible.

This is also why ethics bolted on at the end rarely survives contact with a deadline. Fairness, accountability and transparency have to live inside the build process, not in a committee that meets once a quarter.

A quieter point about automation

Governance often fails at the execution layer because the execution layer is buried under administrative noise. Teams meant to oversee AI are drowning in calendar invites, approval chains and inbox triage. When the people responsible for judgement have no time to judge, oversight becomes rubber-stamping.

Some of that admin is a legitimate candidate for delegation to well-scoped AI agents, precisely so humans can spend their attention on the decisions that matter. That is the argument I will be making in more detail at a session on getting AI agents to do your admin on 20 May 2026, walking through the 28-agent setup we run inside Bykov-Brett Enterprises. Worth a look if your governance people are too busy to govern.

A few questions worth taking to your next leadership meeting

• Pick the three highest-risk AI use cases in your organisation. Can you name the individual accountable for each, not the committee?

• When did your AI policy last change a decision that would otherwise have gone the other way? If you cannot think of an example, the policy is not operating.

• Are your governance people close enough to the build to catch issues early, or are they reviewing decisions that have already shipped?

Governance is not the document. It is what happens in the five minutes before someone presses deploy. If no one owns those five minutes, nothing else you have written matters.