Forum Discussion

MarcusHall
Copper Contributor
Mar 28, 2026

Organisational vs model-level AI governance — where's the real gap?

Most AI governance conversations I'm seeing focus on model-level controls, like bias testing and prompt injection defence. These matter enormously for individual AI systems.


But I'd argue the bigger gap is one level up: the organisational governance layer, meaning the policies, accountability structures, risk frameworks, and oversight mechanisms to govern AI use at enterprise scale. Who is accountable for AI-related decisions? Where is sensitive data being processed? What AI tools are actually being used across the business?


Forrester research indicates 60% of organisations still lack a formal AI governance framework. Meanwhile, the EU AI Act reaches full compliance obligations in August 2026, and ISO/IEC 42001 is gaining traction as the certifiable benchmark for AI management systems.


Microsoft is building strong technical solutions for the model-level challenge: Purview for data governance, Entra Agent ID, Defender for threat protection, Compliance Manager for regulatory mapping. But in my experience, organisations that jump straight to configuring technical controls without first understanding their organisational maturity end up with tools deployed but governance gaps unchanged.


Are we solving the right problem first?

1 Reply

  • Hello MarcusHall,

    Good question. I don’t think this is about choosing between organizational governance and model-level controls - both are essential and work best together.

    Model‑level protections like bias testing, prompt injection defense, and content filtering are critical for building and operating trustworthy AI systems. At the same time, many organizations are still maturing the organizational governance layer that sets the context for those controls - clear ownership, visibility into AI use, data sensitivity, and risk‑based approvals.

    When that foundation is in place, technical controls can be applied more consistently and at scale.

    With regulations and standards increasingly emphasizing organizational accountability, it reinforces this balance. Strong technical controls work best when guided by clear governance, accountability, and operating models. Both layers need to evolve together.

    Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.