
AI Governance Is Not a One-Person Job

AI governance is becoming a job title before it has become an operating model.

I’ve been watching the job boards lately, and there are probably more AI Governance Lead roles being advertised than AI and ML engineering roles. To me this seems counter-intuitive when everyone is racing to build their own AI capability, but more tellingly, it’s signalling what organisations actually think they’re solving for.

What you find when you read the role descriptions is that the AI Governance Lead is being asked to hold almost everything: data strategy, model risk, algorithm assurance, ethics, regulatory compliance, stakeholder engagement, privacy, security, vendor management, and the design of how all of those should fit together. On paper, the breadth signals ambition. In practice, it signals that the organisation hasn’t yet decided where any of those accountabilities are actually going to sit.

At that point it isn’t a role; it’s the organisation’s unresolved accountability problem with a job title on top.

The Default Hire Comes From The Wrong Discipline

Look at who they actually want for these roles: someone from data governance, DAMA-DMBOK certified, fluent in data lineage, classification, quality and lifecycle. The lineage feels obvious: AI uses data, so a data person can govern AI. But data governance is a technical discipline. It doesn’t carry the risk management vocabulary or the regulatory training that actual governance work requires.

The mismatch shows up when you look at how AI is actually being regulated. AI is mostly being regulated through privacy law, not bespoke AI law. Even where bespoke AI regulation exists, the EU AI Act being the obvious example, it defers to GDPR for personal data questions. The discipline that already knows that vocabulary, those obligations, and how to translate them into operational controls is the privacy function, not the data governance function. Yet most AI Governance Lead hires still default to the data lineage because it feels like the natural connection.

The Capability Gap Is In The Existing Functions, Not In A Missing Role

Most organisations are not starting from zero. They already have teams that know how to translate regulation into controls, test whether a practice is defensible, assess vendor claims, manage incidents, explain risk to boards, and operate under competing obligations. AI doesn’t make those disciplines obsolete. It makes their coordination more important.

The real capability gap is usually not the absence of one AI governance expert. It is uneven AI literacy across the governance functions that already exist, and uneven governance literacy across the technology and data teams driving AI adoption. Privacy, legal, risk, compliance, security and audit need enough AI domain understanding to know how models are built, how automated decisions are shaped, where vendor claims need testing, and where technical abstractions hide accountability questions; technology and data teams need enough governance literacy to stop treating privacy, accountability and regulatory defensibility as late-stage approvals.

This is different work from designing a role. It is the slower, less visible work of making the existing governance system competent in the new area. The objective isn’t to create one hybrid unicorn at the top of an AI org chart. It is to lift the capability of the system that already exists, so the operating model can actually carry the new risk.

Map The Capability Gap Before Hiring The Role

Boards should be wary when AI governance is presented mainly as a role design exercise.

A new title creates the appearance of progress without answering how accountability is shared, how competing obligations get resolved, or how decisions actually move across legal, privacy, risk, security, data, technology and the business. Those are the questions a credible AI governance operating model has to answer, and a single role at the top inherits them rather than resolving them.

The boards that get this right ask harder questions than “who owns AI governance.” They ask what the current operating model isn’t already providing that the dedicated role is supposed to fill, whether the “need” for the role is masking a deeper problem with how decisions get made, and whether the existing system can carry AI governance at all. If it can’t, the better question is why we are rolling out AI in the first place.

This isn’t an argument against dedicated AI roles. Organisations do need AI and domain risk expertise, but both have to sit inside a credible operating model, not substitute for one.

Leading AI governance isn’t the same as doing it alone. The practice stays multidisciplinary; the question is whether a single coordinator can convene the disciplines well enough to integrate them.

When the answer is that AI governance does need someone to lead it, the question for boards isn’t who’s available in the market; it’s who already has the regulatory foundation, the risk vocabulary, and the practice of translating obligations into operational decisions. Data governance managers matter as inputs, as informed stakeholders and as enablers, but they don’t bring that regulatory and risk training. Boards have to decide which existing function does and, given how AI is actually being regulated, it’s privacy.