Blue Sage Data Systems
AI strategy, plainly

What is AI governance?

For Omaha mid-market leaders. The clean definition, what the named regulators actually require, and why most companies don't have governance even when they have a policy.


Text Rosey · Schedule a call →

Definition

AI governance is the system that decides how your organization makes AI decisions — who's accountable for what, what risks get tracked, how exceptions get escalated, and how the program changes when the technology or the regulators do.

Governance is broader than an AI policy. A policy says what's allowed; governance says how the organization keeps the policy current, audits compliance, identifies new risks, and accepts accountability when something goes wrong.

At a workable mid-market scale, AI governance has five components.

1. **Named accountability**: a single executive owns AI as a governance matter, and named functional leads own the operational pieces (Legal owns the policy, IT/Security owns the approved tool list, HR owns training and attestation, the affected business units own workflow integration).
2. **Risk inventory**: the categories of AI risk you actively manage, reviewed quarterly. McKinsey 2025 found organizations now track ~4 categories on average, up from ~2 in 2022.
3. **Approval workflows**: which AI use cases need executive sign-off, which need board awareness, and which are delegated.
4. **Audit and incident reporting**: how you know when something has gone wrong, and how it gets escalated.
5. **Change cadence**: quarterly review at minimum, with a named owner who runs it.

Why it matters for Omaha companies

Most mid-market companies don't have governance, even when they have a policy. SHRM's 2026 State of AI in HR found only 49% of organizations have AI use policies, and of those, only 25% feel the policy is "future-proof." For nonprofits the gap is wider: Virtuous 2026 found 47% of nonprofits have no formal AI governance policy at all.

At the leadership level, McKinsey 2025 found 28% of AI-using organizations report the CEO is responsible for overseeing AI governance, and only 17% report the board takes direct responsibility. That's the governance gap: tools and licenses are operational decisions, governance is a leadership decision, and most organizations are still treating AI as an operational matter.

In regulated industries, the bar is higher and explicit. NAIC's AI Model Bulletin (Nebraska IGD-H1, June 2024) requires insurers to maintain a written AIS Program — governance with named accountability, risk management, third-party oversight, testing, and consumer protection provisions. That's governance with a regulatory floor, not a nice-to-have.

Common follow-up questions

What's the difference between an AI policy and AI governance?
A policy is a document. Governance is the system that keeps the document alive: accountability, risk tracking, audit, change cadence. Most organizations have a policy without governance, which is why SHRM found only 25% of organizations with policies feel they are "future-proof."
Who owns AI governance?
Joint ownership at the leadership level. McKinsey 2025 found 28% of AI-using organizations report CEO ownership, 17% board ownership. The pattern that works: a single executive (CEO, COO, or CIO) is accountable; functional leads (Legal, IT/Security, HR, business units) own operational pieces. For insurers under NAIC IGD-H1, the AIS Program owner is named explicitly.
Do we need a board committee for AI?
Not necessarily a separate committee, but board awareness and oversight are increasingly expected. McKinsey 2025 found 17% of organizations report board direct responsibility — meaningful, but well short of the 28% that report CEO responsibility. For regulated industries, board oversight of the AIS Program is implicit in the bulletin's governance requirements.
How often should we review the governance program?
Quarterly minimum. AI tools change, regulators publish, and risk categories evolve. McKinsey 2025 found organizations now actively manage ~4 risk categories on average, up from ~2 in 2022. The categories you tracked last year aren't necessarily the ones you should track this year.
Is governance overkill for a 100-person company?
Not anymore. The threshold isn't headcount — it's whether you handle regulated data (PII, PHI, financial data, donor data, attorney-client material) or make consequential decisions about people (hiring, lending, claims, eligibility). If the answer is yes to either, governance is load-bearing regardless of company size.


Text Rosey to begin.

Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.


or call 415 481 2629