PerspectivasInsights
Applied AIApplied AI

AI governance is not optional.

Almost every AI project opens by asking for the same thing: a demo that impresses the boardroom. Almost none asks first for the one thing that separates that demo from a capability the business can sustain: the rules under which the model is allowed to operate.

Luis Rodriguez Lum · Abdiel Rumaldo 8 min
Key takeaways
  • An AI pilot without governance isn't an asset: it's a liability waiting for production.
  • Governing means answering in advance what the model decides, what it only recommends, where the data comes from, and who answers when it fails.
  • The line between "recommend" and "decide" is about authority, not technology, and has to be drawn case by case.
  • Governance is designed before the model connects to anything; bolting it on afterward costs far more.

An assistant that answers fluently. A classifier that never misses in the demo. A summary that does in minutes what would take a person an afternoon. It is a seductive deliverable, and that is exactly what makes it dangerous: it mistakes a proof of concept for a genuine business capability. A pilot without governance is not an asset; it is a liability waiting for production.

The pilot first, governance later (or never)

The pattern repeats. The demo gets built fast, in a few weeks, because it is the fun part: there is a model, there is a result, there is something to show. Governance (the policies, the data boundaries, the traceability, the human oversight, the accountability) gets pushed to later, because it sounds like lawyers and brakes. And "later" has an uncomfortable property: once the pilot works, no one wants to stop it to wrap rules around it. It gets wired into a real process, it starts touching customer data, and suddenly an experiment no one formally authorized is making decisions that carry real consequences. Governance does not bolt onto a production system without pain: either you design it up front, or you pay for it afterward, and far more dearly. Rewriting the rules of a system that already moves money costs more than writing them on a blank whiteboard, and the most expensive thing you pay is not the rework, it is the trust.

What governing a model actually means

Governing AI is not a PDF of ethical principles pinned to the intranet. It is a set of concrete answers, written before the first line of integration, to questions the operation will ask sooner or later. It is not about prohibiting; it is about deciding in advance what otherwise gets decided in the heat of the moment, under pressure and with no record. For a company in the region, governing a model means being able to answer, without flinching:

  • what the model can decide on its own and what it can only recommend to a person;
  • where the data it consumes comes from, and where the data it produces goes;
  • how, months later, you reconstruct why the model answered what it answered;
  • at which points in the process someone has to look before the output takes effect;
  • what happens when it gets it wrong, and the name of the team accountable when it does.

A model without governance is not applied intelligence: it is an automated decision no one authorized, and one that, when it fails, no one can explain.

Decide or recommend: the line almost no one draws

This is the distinction that concentrates the most risk, and the one most often skipped. A model that recommends and a model that decides live in two different risk regimes, even when the code is nearly identical. The line is not technical, it is about authority: it defines how far a model's output can travel before a person signs off on it. An assistant suggesting a reply to a support agent is one thing; the same model approving a credit exception, flagging a transaction as fraud, or deciding which customer gets served first is something else entirely. Again and again, the incidents we have seen do not come from a bad model, but from one that started out recommending and ended up deciding in silence, because its suggestion went automatic and no one kept a person in the loop. Governing means drawing that line explicitly, use case by use case, and defending it when the pressure to "move faster" pushes to erase it.

Where the data comes from, and where it goes

A model is only as governable as its data. Before you connect anything, it pays to know what the model can see, what it must never see, where that data is physically processed, and who else (which provider, in which country) can read what the company sends with every query. This is not regulatory paranoia; it is knowing, before the first query, what happens to a piece of data once it leaves the company's perimeter and is no longer under its control. In LATAM this is not the fine print of a legal annex: data residency, cross-border transfers, and local protection frameworks decide whether a use case is viable at all. Sending sensitive information to a service outside the country without understanding the regulatory boundary is not innovation; it is an incident with a date yet to be set. Governance fixes that boundary up front, not when the audit arrives.

Traceability and oversight: the model is going to get it wrong

Better to start from a fact than a hope: the model is going to get it wrong. The governance question is not how to prevent every error, but what happens when one occurs. That demands two things the demo rarely ships with. The first is traceability: every output with consequences must be reconstructable: what went in, which version of the model answered, on what data, what it decided, and when, months later and in front of an outsider. Traceability is not piling up logs for their own sake; it is being able to sit an auditor, or an affected customer, in front of the exact chain that produced a decision. The second is human oversight placed where the risk is, not where it is convenient: a real control point before a model's decision touches a customer, moves money, or closes a door. And behind both, what no model provides: an owner with a name. When the answer to "who answers if it gets it wrong?" is silence, the project does not have governance; it has luck, and luck is not an architecture.

Governance is designed, not bolted on

Starting with governance looks like the opposite of moving fast, and it is exactly the reverse: it is the only thing that lets you take a pilot to production without praying. That is why, in the projects where we apply this discipline to the design of every applied-AI use case, the first deliverable is neither the model nor the demo, but the rules under which that model will be allowed to operate: what it decides, on what data, under whose watch, and on whose account. Useful AI is not built on enthusiasm; it is built on the architecture that already runs the operation, because a model is, in the end, one more component entering a living system: it either inherits the system's rules or imposes its own. It's the same discipline the RESET method demands at every phase: nothing moves forward without an explicit rule and a conscious decision. AI governance is not optional. It is the difference between a capability the company controls and one that, the day it fails, will control the company.

Volver a PerspectivasBack to Insights