Intro
In most organizations, the first AI system was deployed before anyone wrote down who was accountable for it. A team found a use, a tool fit it, and the work moved forward. The second and third followed the same way. By the time leadership asked how much AI the organization was running and under what controls, the honest answer was that no one held the full picture, because the deployments had outpaced the structure meant to govern them. The capability arrived first. The ownership arrived later, if at all.
As 2026 unfolds, the gap between deployed AI and governed AI is the problem moving to the front of the agenda for Chief AI Officers, compliance leaders, enterprise-risk teams, and internal audit functions. The volume is documented. The U.S. Government Accountability Office reported that across eleven federal agencies it reviewed, the number of reported AI use cases nearly doubled in a single year, from 571 in 2023 to 1,110 in 2024, while reported generative AI use cases rose roughly ninefold, from 32 to 282. The deployments are real and accelerating. What an AI management system supplies is the layer the deployments outran: the structure that names who owns each AI system, what controls apply to it, what documentation it produces, and who reviews it. ISO/IEC 42001, published in December 2023 as the first international AI management system standard, is one formal expression of that layer. The deeper question this piece examines is the one the standard exists to answer, which is how an organization makes its AI governable and provable rather than simply present.
The Challenge
The AI multiplied. The accountability did not.
The defining property of AI adoption in most organizations is that it happened in parallel, not in sequence. Different teams found different uses at the same time, each procuring or building independently, each solving a local problem. The result is not one AI program but many uncoordinated deployments, and the accountability for them is distributed to the point of being absent. The GAO use-case figures describe the scale of the parallelism. What the figures do not show, and what the organization usually cannot show either, is a single accountable owner for each of those use cases.
The mechanism that makes this a governance problem rather than a counting problem is that AI decisions carry consequences that land on a person. A model that screens applications, prioritizes cases, or flags transactions produces outcomes that affect rights, benefits, and money. When the deployment has no named owner, the consequence still occurs, but no one is positioned to answer for it. The accountability is the human, and when the human is unnamed, the accountability is unassigned. AI does not accept responsibility. People do. A deployment without an owner is a decision without a person behind it.
The oversight environment is consolidating around a question the organization cannot yet answer
The external pressure is no longer abstract. The federal direction made AI ownership an explicit requirement. The White House Office of Management and Budget, in Memorandum M-25-21, directed federal agencies to appoint Chief AI Officers, establish AI Governance Boards, publish enterprise AI strategies, and apply minimum risk management practices to high-impact AI, defined as AI whose output is a principal basis for decisions with legal, material, or significant effect on rights, safety, or access to government services. The policy treats the assignment of ownership and the application of controls not as good practice but as a baseline expectation.
The mechanism here is that oversight bodies are converging on a single line of questioning. The GAO documented the breadth of the landscape directly, identifying ninety-four government-wide AI-related requirements and ten executive-branch oversight groups with a role in federal AI use, and noting that agencies must develop and publicly release an AI strategy. When that many requirements and that many oversight bodies are pointed at the same activity, the question each one ultimately asks is the same: who owns this AI, what governs it, and where is the evidence. An organization whose AI grew in parallel cannot answer that question from its current structure, because the structure was never built to hold the answer.
Regulated industries face the same question from their regulators
The pattern is not confined to government. The GAO, in its May 2025 review of AI use in financial services, reported that the Securities and Exchange Commission examined the AI disclosures and governance of approximately thirty registered investment advisers in 2023, and that most of the advisers examined did not have comprehensive policies and procedures governing their AI use. The finding is the regulated-industry version of the same gap. The firms were using AI. The governance around that use was not comprehensive, and an examiner found the absence.
The mechanism is that a regulator examining AI use is, in effect, auditing an AI management system, whether or not the firm has named it that. The examiner asks for the policies, the controls, the documentation, and the review record. A firm that deployed AI without building that structure produces an examination finding, not because the AI was wrong, but because the firm cannot demonstrate it was governed. In regulated industries, the distance between using AI and being able to prove the use was controlled is the distance that turns up as a finding.
The frameworks exist. The management system is what connects them.
The standards landscape for responsible AI is not empty. The National Institute of Standards and Technology released the Artificial Intelligence Risk Management Framework, AI RMF 1.0, in January 2023, structured around four functions: Govern, Map, Measure, and Manage. The GAO published its own AI Accountability Framework in 2021, organized around four principles, governance, data, performance, and monitoring, with each practice accompanied by questions and audit procedures for auditors and third-party assessors. The frameworks describe what good AI governance looks like.
What the frameworks do not supply on their own is the operating structure that runs them across an organization's full set of AI deployments, continuously, with named owners and a reviewable record. A framework names the practices. A management system is the standing structure that assigns those practices to people, applies them to every AI system in scope, documents the application, and reviews it on a cycle. The gap most organizations face is not a shortage of frameworks. It is the absence of the management system that turns a framework from a document into an operating discipline.
The Solution
A management system is the structure that assigns ownership, controls, documentation, and review
An AI management system, in the sense ISO/IEC 42001 formalizes and the GAO and NIST frameworks describe in their own terms, is a standing organizational structure rather than a project. ISO/IEC 42001 follows the Plan-Do-Check-Act methodology common to established management system standards, which is the same continual-improvement structure organizations already recognize from information security and quality management. The point of adopting that structure for AI is that it converts scattered, individually owned deployments into a governed portfolio with four properties the parallel-adoption model lacks.
The first property is assigned ownership. Each AI system in scope has a named owner accountable for it, and the organization has a senior role accountable for the system as a whole. The federal model makes this concrete: M-25-21's Chief AI Officer is the senior owner, and the AI Governance Board is the cross-functional body that reviews risk and deployment decisions. The second property is applied controls. The risk practices a framework describes are applied to each system according to its impact, with the heavier controls reserved, as M-25-21 directs, for the high-impact systems whose outputs carry significant effect. The third property is documentation produced as the work runs, so the policies, the risk assessments, and the decisions exist as a record rather than as institutional memory. The fourth property is scheduled review, so the portfolio is examined on a cycle rather than only when an oversight body arrives.
Build the system so it is auditable, not just present
The difference between an AI management system that satisfies oversight and one that merely exists is whether it was built to be examined. The GAO's AI Accountability Framework is explicit on this point in a way that is unusually useful: its practices come with questions and audit procedures intended for auditors and third-party assessors. That framing names the design target. An auditable management system is one where, for each AI system, the owner is identifiable, the controls applied to it are documented, the risk classification is recorded with its justification, and the review history is retrievable. The auditor's questions are answerable from the record because the record was built to answer them.
This is the property that distinguishes a management system from a policy binder. A policy states what the organization intends. An auditable management system produces the evidence that the intention was operated: this AI system, owned by this person, classified at this impact level, governed by these controls, reviewed on these dates. The internal audit function examining the AI portfolio, the regulator examining a regulated firm, and the oversight body examining an agency are all asking for the same evidence, and an auditable system is the one that has it on hand rather than assembling it under deadline.
Where AI fits inside the management system that governs it
There is a recursive point worth naming, because the organizations building these systems encounter it directly. AI can assist in operating the management system that governs AI, provided the human governance is built into the workflow. AI is only practical when human governance is built into the workflow, and the AI management system is itself the governance structure that condition refers to. Inside it, AI assists by maintaining the inventory of AI systems as deployments change, surfacing systems whose risk classification may have shifted so a governance owner can examine them, flagging documentation gaps before a review finds them, and prioritizing the portfolio so the highest-impact systems reach human reviewers first.
In each placement, AI supports the scale at which a large AI portfolio has to be governed, without taking on the accountability for the governance. The Chief AI Officer still owns the program. The use-case owner still answers for the system. The governance board still accepts or rejects the risk. AI assists the oversight function with the volume; it does not become the oversight function. The accountability stays with the people the structure has named, which is the entire point of building the structure.
The Result
The pressure to formalize AI governance is observable in the federal record, and it is arriving from the volume and the oversight at the same time. The GAO's finding that reported AI use cases nearly doubled to 1,110 across eleven agencies in a single year, with generative AI rising roughly ninefold, describes an adoption curve steep enough that informal governance cannot keep pace. The same body's identification of ninety-four government-wide AI requirements and ten oversight groups describes an accountability environment dense enough that an ungoverned portfolio is exposed from many directions at once. The two findings together explain why the management system question moved from optional to pressing: the deployments grew while the number of bodies asking who owns them grew alongside.
The regulated-industry record points the same way. The GAO's report that most of the roughly thirty investment advisers the SEC examined lacked comprehensive AI governance policies is a preview of what examination finds when AI use outran the management structure. The finding is not that AI is impermissible. It is that AI use without a governing structure surfaces as a deficiency when an examiner looks, and examiners are looking.
The architectural pattern that follows is consistent across the agencies and regulated-industry teams now building these systems. Ownership is assigned, with a senior accountable role over the portfolio and named owners for each system. Controls are applied in proportion to impact, with the heaviest reserved for the highest-consequence systems. Documentation is produced as the work runs, so the record exists before it is asked for. Review is scheduled, so the portfolio is governed continuously rather than inspected occasionally. None of this requires abandoning the AI deployments an organization already runs or the frameworks it already references. It requires the standing structure that assigns those deployments to people, governs them against those frameworks, and produces the record that proves it.
Sources:
- U.S. Government Accountability Office, Artificial Intelligence: An Accountability Framework for Federal Agencies and Other Entities, GAO-21-519SP, June 30, 2021. https://www.gao.gov/products/gao-21-519sp
- U.S. Government Accountability Office, Artificial Intelligence: Generative AI Use and Management at Federal Agencies, GAO-25-107653, July 29, 2025. https://www.gao.gov/products/gao-25-107653
- U.S. Government Accountability Office, Artificial Intelligence: Federal Efforts Guided by Requirements and Advisory Groups, GAO-25-107933, September 9, 2025. https://www.gao.gov/products/gao-25-107933
- U.S. Government Accountability Office, Artificial Intelligence: Use and Oversight in Financial Services, GAO-25-107197, May 19, 2025. https://www.gao.gov/products/gao-25-107197
- Executive Office of the President, Office of Management and Budget, Memorandum M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust, April 3, 2025. https://www.whitehouse.gov/wp-content/uploads/2025/02/M-25-21-Accelerating-Federal-Use-of-AI-through-Innovation-Governance-and-Public-Trust.pdf
- National Institute of Standards and Technology, Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1, January 26, 2023. https://doi.org/10.6028/NIST.AI.100-1
- International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system, December 18, 2023. https://www.iso.org/standard/42001
What tends to determine whether an AI management system holds
Agencies and regulated-industry teams that have built these systems tend to find that three things determine whether the structure holds up when an oversight body actually examines it.
The first is whether ownership was genuinely assigned or only nominally named. A Chief AI Officer who has been appointed but is not connected to the individual AI deployments is satisfying the appointment without producing the accountability, in the same way the federal model's governance roles produce their effect only when they are connected to the systems they govern. The organizations where the structure holds tend to be the ones where each AI system has an owner who can be named and who answers for it, not only a senior title at the top of an org chart.
The second is whether the documentation is produced as the work runs or reconstructed when a review is scheduled. A management system whose record is assembled in the weeks before an examination tends to carry the same gaps as no system at all, because the evidence that was never captured at decision time cannot be recovered later. The systems that hold tend to be the ones where the risk classification, the control application, and the review are recorded as they happen, so the examination reviews a record rather than waiting for one to be built.
The third is whether the controls are applied in proportion to impact or applied uniformly. A management system that governs every AI use at the same intensity tends to exhaust its governance capacity on low-consequence systems and under-govern the high-consequence ones, while a system that reserves the heaviest controls for the high-impact deployments, as the federal direction structures it, tends to place its scrutiny where the consequence actually lives. The organizations that hold the balance tend to be the ones that classified their AI by impact first and governed accordingly.
These three travel together. Ownership genuinely assigned puts a person behind each system, documentation produced as the work runs makes the governance provable, and controls proportioned to impact put the scrutiny where the consequence is. An AI management system with all three is auditable. A system missing any one of them tends to surface the same gap an ungoverned portfolio would.
Key Takeaways
- AI adoption outran the structure meant to govern it. Reported federal AI use cases nearly doubled to 1,110 across eleven agencies in a single year, with generative AI rising roughly ninefold, per GAO. The deployments arrived in parallel and without assigned owners, which is the gap a formal AI management system exists to close.
- Ownership is now an explicit expectation, not a good practice. OMB's M-25-21 directs federal agencies to appoint Chief AI Officers, establish AI Governance Boards, publish AI strategies, and apply heavier risk practices to high-impact AI. The assignment of accountability is treated as a baseline requirement.
- The same question reaches regulated industries from their regulators. GAO reported that most of the roughly thirty investment advisers the SEC examined lacked comprehensive AI governance policies. A regulator examining AI use is auditing an AI management system, whether or not the firm built one by that name.
- The frameworks describe the practices. The management system runs them. NIST's AI RMF and GAO's AI Accountability Framework name what good AI governance looks like. ISO/IEC 42001 formalizes the standing structure that assigns those practices to owners, applies them across the portfolio, documents them, and reviews them on a cycle.
- Auditable means built to be examined, not just present. GAO's framework pairs its practices with audit questions and procedures, naming the design target. An auditable AI management system is one where, for each system, the owner, the controls, the risk classification, and the review history are retrievable because the structure was built to hold them.
GovSoft helps government and entities operating within regulated industries build accountable, reviewable, and auditable systems. For Chief AI Officers, compliance leaders, enterprise-risk teams, and internal audit functions standing up AI governance, that means an AI management system that assigns ownership for each deployment, applies controls in proportion to impact, produces the documentation as the work runs, and holds a review record an oversight body can examine, with AI as a governed support layer inside the governance the leadership has defined and approved, and with no upfront fees and a structure where you pay from the operational value the work produces.
If your organization is running AI deployments that grew faster than the structure meant to govern them, or carrying an AI portfolio you could not fully account for if an oversight body asked tomorrow, GovSoft is a conversation worth having.
Learn more at govsoft.us, or reach the team at hello@govsoft.us.