The Title Is Arriving. The Authority Isn't.
Most companies are about to hire a Head of AI Governance. The one detail that determines whether the role works is being decided right now, before the job description is even posted.
A Critical Phone Call
This past Tuesday, I was making my favorite masala chai. The milk was frothing, cardamom and clove pulling through the spice mix, the kitchen filling with steam. My phone buzzed on the counter. I wiped my hands on a towel and picked it up.
It was a text from a friend of mine. He runs IT compliance at one of the large North American banks. His bank was finally moving to hire its first Head of AI Governance, and he asked if I could send him a few names of people I trusted to do that kind of work.
I told him to give me a call. We talked it through later that evening.
On the surface, a normal conversation. He needed referrals. I had some names. We went through who would be a fit, what the bank was looking for, and the standard back-and-forth. But somewhere in the middle of it, something started to bother me. I didn't put my finger on it right away.
It wasn't anything he said. It was who was saying it.
The Head of IT Compliance was the one running the search for the bank's first Head of AI Governance. He was screening candidates. He would be recommending the hire up the chain.
I almost didn't notice it. We were talking about people, not org charts. But once I saw it, I couldn't unsee it.
The bank had already decided, without deciding, where this role was going to live. Under IT compliance. Reporting to a function. Three escalation levels removed from where AI deployment decisions actually get made. The job description was probably still being drafted. The ceiling was already set. Because the search itself tells you where the role is going to land, every time.
I told him I would think about referrals. What I've actually been thinking about since is what it means that he was the one who called me.
A Pattern Dressed As A Process
This is not a story about one bank. I have had versions of this conversation with directors and PE operating partners over the past year. The companies are different. The pattern, more often than not, is the same.
Forrester is projecting that 60 percent of Fortune 100 companies will appoint a Head of AI Governance by the end of 2026. Sony, Bank of America, and UBS have already made the appointment. Forrester names all three. What none of those disclosures confirm is the reporting line or the authority structure. I'll come back to why that gap is the whole argument.
The 84 percent jump in board-level AI oversight disclosures between the 2023 and 2024 proxy seasons, per ISS-Corporate, tells you institutional attention is real and accelerating. By the 2025 proxy season, Glass Lewis research found that 54 percent of S&P 100 companies disclosed some form of board-level AI oversight. Glass Lewis incorporated AI risk oversight into its 2025 proxy voting guidelines. Once proxy advisors are watching for structure, not just disclosure, a paper role is no longer a private problem. It becomes a governance and reputational one.
And here is the number that should make every operator uncomfortable. Stanford's 2026 AI Index found that 62 percent of organizations cite security and risk as the primary barrier to scaling agentic AI. That outranks technical limitations. It outranks regulatory uncertainty. By 24 percentage points.

The role is becoming standard. The thing it's supposed to solve is the single biggest constraint on deployment.
The bottleneck on AI deployment is no longer model capability. It is not cost. It is governance.
So the role is becoming standard, proxy advisors are pricing it, and the thing it's supposed to solve is the single biggest constraint on deployment. You would think that combination would produce roles designed to actually solve it.
It isn't. And the reason starts earlier in the process than most people look.
The Risk-Function Read
AI governance is a risk function. The exposure is legal, regulatory, and reputational. Risk language. So the role belongs next to other risk functions, under the CRO, under the General Counsel, under the CISO, under IT compliance. In banks, under model risk management, which already handles a version of this for traditional models.
That case has real teeth. Documentation requirements rhyme with MRM. The audit relationships are already in place. The skillset overlaps more with compliance than with engineering. Why build something new when you can extend something that works?
Banks have the strongest version of this argument. Model Risk Management is mature, the regulatory expectations rhyme, and firms like JPMorgan and BNY have placed their AI governance work inside existing risk structures by design. For traditional models, that still holds up.
Through 2024 and into early 2025, this read was defensible across most industries. It was a reasonable way to start.
But starting correctly and staying there are different things. The role has already outgrown the logic that placed it.
The actual job has flipped. It is no longer about defending against AI risk. It is about making sure the company can deploy at all. A function whose entire structural purpose is to prevent, flag, escalate, and slow down cannot also be the function whose purpose is to clear the path. Those are different jobs. They get measured differently. They have different relationships with the people who build products.
You cannot hold both in the same reporting line. Something has to give. And right now, in most companies, what gives is the governance.
Three Doors To A Decision
Before I get to the full cascade, let me put one image on the table.
Three doors. That is how many a governance flag has to pass through before it reaches someone with actual deployment authority, in the standard compliance-function structure. IT Compliance. CRO. CEO. Sometimes legal as a detour between the second and third.

A flag that arrives ninety days after the decision isn't governance. It's documentation.
A model is about to go to production. The Head of AI Governance flags it. The flag moves up to IT Compliance. Up to the CRO. Sideways to the CEO, sometimes through legal first. By the time it lands, the deployment decision has been made, the contracts are signed, and the engineering team has moved on. The flag becomes a line item in the quarterly board report. Ninety days after the decision.
That is not governance. That is documentation of something that already happened.
Keep that image in mind, because the rest of the cascade follows from it.
The CISO Got A Decade. AI Governance Is Getting 24 Months.
The CISO in 2026, with executive committee placement, veto authority over technology procurement, and a direct line to the audit committee, did not look like that in 2003. In 2003, the CISO was a compliance reviewer under IT who got involved at the end of projects to tick boxes. It took roughly a decade, and a string of breaches starting with Target in 2013, for the role to acquire real operating authority.
That arc seems instructive. It is actually a trap.
AI governance does not have a decade. The regulatory window, with Texas TRAIGA in force, Colorado's AI rules effective February 2026, and EU AI Act enforcement active, is roughly 24 months. The litigation window, and I will come to the first wave of suits in a moment, is shorter than that. The companies that run the same slow arc they ran with the CISO are going to find every window closed before the role has any teeth.
What The Role Needs That A Compliance Line Cannot Give It
Five things, none negotiable. Veto authority on AI procurement; no tool gets purchased without sign-off. Veto authority on deployment; no model goes to production without sign-off. Kill-switch authority on running systems, meaning unilateral stop authority, not a flag-and-escalate path. A seat on the executive committee. A direct dotted reporting line to the board's risk or audit committee.
Without all five, you have a compliance role wearing a governance title. And that gap has a name in case law.
The Caremark Trap Is Already Closing
The Caremark standard, from 1996, holds that directors have a duty to ensure the company has systems in place to monitor and manage critical risks. Courts measure that duty not by policies on paper, but by whether the reporting infrastructure actually surfaces problems to the board in time to act.
A Head of AI Governance who produces a quarterly compliance binder but cannot stop a deployment is not a governance system. It is a paper trail that demonstrates the board was aware of the risk and did nothing structurally about it. I wrote about how this exposure is building in a prior issue of The Forward View.
The Adobe shareholder derivative suit, filed in April 2026, alleges that Adobe's officers and directors adopted an unlawful AI strategy that exposed the company to litigation and reputational harm. That is a board-level accountability claim. It will not be the last one.
The gap between a governance title and governance authority is exactly where plaintiffs' lawyers are going to set up camp for the next decade.
Reading The Public Examples
Sony, Bank of America, and UBS have made the appointment. Forrester names all three. But the public disclosures, when you actually look at them, tell a more complicated story than the headline.
Sony Pictures' AI Governance role sits under the Chief Privacy Officer. Bank of America has no separate Head of AI Governance at all. Its CTIO owns AI, with governance as one of four workstreams. UBS's first Chief AI Officer reports to the Group COO/CTO. A separate AI Governance Lead sits a level below.
None of these is wrong, exactly. None of them is the executive-committee-with-audit-line structure either. The model for what right looks like is still being built.
The roles I expect to compound over the next three years, the ones I have seen in private conversations and not yet in public disclosures, were set up from the CEO's office, not from a function. They report to the executive committee. The audit committee is the primary board reporting relationship, not the quarterly compliance update.
That is the difference between a role that builds authority and a role that performs the appearance of it.
The search determines where the role lands. By the time the org chart is published, the work has already been done.
Two Tracks To 2029
Push the timeline out to 2029. Two tracks, and the company you sit on the board of is already on one of them. The choice was locked in the day the search was approved.
Track one. The role was hired into compliance or risk. By 2027, the first incumbent has either left or been quietly reabsorbed into the function they came from. The title stays in the org chart. The function disappears.
Then in 2028, after a regulatory letter or an incident or both, the board pushes for a redo. A second Head of AI Governance gets hired, this time with executive committee placement and the authority that the first one was never given. The cost of the detour: two lost years, a cohort of people who burned out trying to do real governance work through a three-door escalation path, and, for some companies, a derivative suit filed in the gap between the policy that existed and the oversight that didn't.
Track two. The role was set up correctly from the start. It compounds. By 2028, the Head of AI Governance has documented veto authority on procurement and deployment, owns the board's AI oversight reporting framework, and has a direct relationship with the audit committee that doesn't run through three layers of management. By 2029, this is what the 2025-era CISO has become. It took three years instead of ten because the authority was there from day one. Not earned through failure, but granted through design.

The track is decided by who ran the search, not by who is hired.
The signal that tells you which track a company is on is not the job description. It is not the title. It is not even the org chart after the hire is made.
It is the person who ran the search.
IT compliance ran it: compliance role. CRO's office ran it: risk role. The CEO's office ran it: operating authority. That is the tell. You can read it before the candidate is named, before the announcement goes out, before the first board report is filed.
Regulators are going to get here eventually. The SEC, the OCC for banks, the FTC, the EU. They will point to specific structures as the standard. The structure they hold up will not be the one living under IT compliance. The companies on track one will be restructuring under pressure when that moment arrives. The companies on track two will be the case study.
What You Should Be Doing Right Now
If you sit on a board where this hire is being discussed, the most important intervention you can make is on the search itself, not on the eventual hire. Insist it is run from the CEO's office. Not from a function, not from compliance, not from the CISO or the CRO. If the search is already running from inside a function, that is the intervention point. Not the job description, not the candidate slate.
Then insist the charter document spells out three specific authorities: veto on AI procurement, veto on model deployment, kill-switch on running systems. Add a direct dotted line to the board's risk or audit committee, not just the quarterly executive update. Do those two things, and the role has a real chance of becoming what the market is going to require. Skip them, and you have ratified a compliance role. You will be doing this hire again in 18 months under worse conditions.
If you are a CEO designing this role, place it on the executive committee. Every function around you has a reasonable organizational claim to absorb this role: legal, compliance, IT, the CISO, the CRO. That is the gravity you have to resist. The structure has to support the role this function will need to be in 24 months, not the role you can get away with in month one.
The first incumbent may not use veto authority in their first year. That is fine. What you cannot do is give the authority later, after deployment decisions have routed around the role for 18 months. By then, the role has been culturally defined as something that can be safely ignored. You cannot grant cultural authority retroactively. You can only build it from the start, or rebuild it from a breach.
If you are a PE operating partner with portfolio exposure, when a portfolio company tells you it has hired a Head of AI Governance, ask three questions before you move on. Where does the role sit? What can it veto without escalating? How does it report to the board?
"Under the CRO." "Nothing without escalation." "Via the quarterly compliance pack." If those are the answers, you do not have a governance function. You have a compliance role with a current title, and the gap between those two is where the next 24 months of unmanaged risk are sitting. Add a re-hire to the value creation plan. Or push for restructuring now, while it is still a choice rather than a response.
For the friend who texted me Tuesday, my call back to him is going to be one question. Is the CEO running this search, or are you? Whatever the answer is, that is the conversation we should have first.
The Bottom Line
A year ago, the question was whether to create this role at all. That question is closed. Sixty percent of the Fortune 100 is moving on it. The question now is whether the role gets designed as compliance theater or as operating authority.
Most companies are getting that question wrong. Not because they don't care about governance. Because they let the wrong function run the search, and by the time the role was defined, the ceiling was already built in.
The answer is not in the job description, the candidate slate, or the org chart. It is in who picked up the phone.
The title is arriving. The authority isn't.
P.S. Pick one company whose AI governance you can ask about. A board you sit on, a portfolio company, your own employer, a client, a vendor you depend on. Find out three things this week. Who ran the search for the AI governance role, or who is running it now. Where the role sits on the org chart. What it can veto without escalating. If those three answers don't add up to a function with real operating authority on procurement, deployment, and shutdown, you have just found the unmanaged risk that the next 24 months are going to surface. It is the cheapest diligence question you will run this quarter. The answer tells you which of the two tracks the company is on.
If any of those answers exposed a gap, that gap is exactly what AssuranceOps (an AI Guru® product) was built to close. It turns AI oversight into audit-ready evidence the board can actually rely on.