Articles

Today’s Businesses Need AI Governance Policies and Procedures by Brandon Bowers

View Brandon's Profile
Posted on December 15, 2025 by Brandon Bowers

Increasing reliance on artificial intelligence (AI) has the potential to transform businesses and how they operate. On the one hand, companies of all sizes are realizing AI’s benefits in automating repetitive tasks, improving efficiency and transforming large volumes of raw data into meaningful market intelligence. However, like many technologies, AI also has a dark side that can expose organizations to numerous risks, including misuse, security breaches and even fraud. The key to a smooth transition from AI enthusiasm to safe, ethical implementation lies in a business’s ability to manage those risks through a robust AI governance program.

What is AI Governance?

AI governance refers to the policies, processes and systems businesses implement to govern the safe use of artificial intelligence technologies across their organizations. It helps companies realize the strategic value of their investment in AI without exposing them to legal, regulatory, reputational and privacy risks.

However, an effective AI governance program requires far more than documentation; it also demands ongoing education and training to ensure all employees recognize the benefits and potential perils of AI and make ethical choices regarding its use. After all, today’s businesses and customers demand that the companies they work with prioritize privacy, confidentiality, security and integrity. Failure to meet these standards can and has resulted in litigation and irreparable reputational damage.

Key Components of a Robust AI Governance Program

Assess and Understand the Regulatory Landscape

Like any professional compliance program, AI governance first requires companies to identify all the legal and regulatory requirements they must meet based on the industry in which they operate and federal and state laws. For example, while there are no current federal laws governing the specific use of AI in the U.S., all 50 states and the District of Columbia have introduced legislation to regulate specific AI-related issues, including data transparency, integrity and bias and the protection of minors. There is also an array of regulatory compliance requirements that businesses must meet, depending on the industry in which they operate. For example, companies in the health care sector must comply with HIPAA data privacy regulations, whereas banks and other financial institutions have obligations to protect and safeguard customer information under the Gramm-Leach-Bliley Act (GLBA) and Know Your Customer (KYC) standards. Based on these regulations, businesses can begin crafting a robust AI governance framework.

Inventory and Classify AI Use

Businesses must take the time to identify and create a dynamic database of all the AI-powered programs, applications and other resources they and their employees use. These include large language model (LLM) networks that automate internal functions, such as financial modeling and IT management; third-party applications used for project management, enterprise resource planning (ERP), customer relationship management (CRM) and other business functions; and even employee use of ChatGPT.

By classifying these inventories by business function, intended use, data type, and risk level, businesses will be better equipped to prioritize planning strategies and make more informed decisions.

Implement Strong Data Security and Privacy Controls

Responsible AI use requires businesses to adopt strong policies for data security, integrity, and impartiality, and to employ robust risk-mitigation safeguards, such as data encryption and strict access-control measures that restrict who can open, view and use protected information. It is often helpful for businesses to consider the worst-case scenarios AI use can create and establish guardrails to prevent them. At a minimum, AI use should be limited to company-approved applications; all others should be blocked.

Strong data security and AI governance also require ongoing real-time compliance monitoring and tracking of use and outcomes, as well as well-thought-out incident response plans.

Educate and Train Employees 

Despite all the technological promises of AI, the simple fact remains that its use currently relies on human involvement. Businesses have an obligation to help employees improve their AI fluency by establishing clear, specific rules for ethical and responsible AI use. For example, they may prohibit employees from entering confidential company or client information into public AI tools like ChatGPT that continuously learn and train themselves from human prompts. They may also require employees to thoroughly review and confirm the facts contained in AI-generated documentation before sharing it with others, given the technology’s high risk of inaccuracies.

Ongoing training also helps protect employees from falling victim to the growing number of AI-driven scams, such as deepfakes that manipulate images, videos, and recordings to convince someone that another person did or said something they did not do or say. It also trains employees to identify and respond to potential AI-related threats and create feedback loops to report any instances of unauthorized access, misinformation, bias or fraud.

As AI continues to evolve and proliferate, businesses must address the potential risks it poses to their organizations. According to the 2025 IBM and Ponemon Institute “Report on the Cost of a Data Breach,” only 13 percent of surveyed organizations reported a breach involving their AI models or applications. However, nearly all lacked proper AI access controls, and more than half (60 percent) led to broader data compromise. With those numbers expected to rise, businesses can no longer sit on the sidelines.

About the Author: Brandon Bowers is director of Managed Cyber Security Solutions with Berkowitz Pollack Brant Advisors + CPAs, where he provides businesses, professional services firms and family offices with business continuity and recovery, cybersecurity and fully outsourced help desk services. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or info@bpbcpa.com.