Governance must be built in

Analysts say enterprise AI needs governance baked into deployment instead of bolted on afterward, with a central control surface for model access, identity, spend and discoverability. That includes AI gateways to track usage, manage subscriptions and protect API keys, plus catalogs that register models and agents in one place—an operational brief for platform architecture teams. (ciodive.com)

A lot of companies now have the same artificial intelligence problem: five teams buy five different models, nobody knows who has access, and the bill shows up after the experiment is already in production. A new Gartner argument, published by CIO Dive on April 7, 2026, says that mess comes from treating governance like a patch instead of part of the machine. (ciodive.com)

The core idea is simple. If a company would never let employees install random finance software with shared passwords and no spending limits, it should not let them wire random artificial intelligence models into customer apps the same way. (ciodive.com)

That is what “built in” governance means in practice. The controls for identity, access, cost, logging, and approval sit inside the deployment path from day one instead of arriving after a security review or a budget surprise. (ciodive.com)

Gartner’s Sumit Agarwal describes a central control surface for enterprise artificial intelligence. Think of it like an airport control tower that can see every model, every team, every route, and every rule from one place. (ciodive.com, gartner.com)

One piece of that control surface is an artificial intelligence gateway. A gateway sits between apps and model providers, so a company can authenticate users, route traffic, monitor usage, enforce quotas, and hide sensitive application programming interface keys instead of scattering them across scripts and laptops. (learn.microsoft.com, learn.microsoft.com)

That gateway model is no longer theoretical. Microsoft says Azure API Management can govern large language model deployments, agent interfaces, and remote tool servers while handling authorization, logging, quotas, and load balancing across endpoints. (learn.microsoft.com)

Databricks is pushing a similar pattern. Its Artificial Intelligence Gateway is described as a centralized service for governing and monitoring generative artificial intelligence models and agents, with usage tracking and permission controls tied into Unity Catalog. (learn.microsoft.com, learn.microsoft.com)

The second piece is a catalog or registry. A catalog gives a company one place to register models and agents, record versions, attach metadata, track approvals, and make sure employees can discover the sanctioned option before they build around an unsanctioned one. (ciodive.com, docs.aws.amazon.com)

Amazon’s SageMaker Model Registry shows what that looks like in concrete terms. Amazon says teams can catalog production models, manage versions, attach training metrics, view lineage, and control approval status before deployment. (docs.aws.amazon.com)

This sounds administrative until the money shows up. Gartner data cited by CIO Dive says companies expect to increase spending on generative artificial intelligence by nearly 40% this year, while earlier Gartner reporting projected that securing and governing generative artificial intelligence would push enterprise spending up by more than 15% by 2026. (ciodive.com, ciodive.com)

The cost problem is tied directly to architecture. If each team negotiates its own subscriptions, stores its own keys, and sends traffic to its own model endpoint, finance loses visibility, security loses control, and platform teams lose any chance to compare performance across providers. (ciodive.com, learn.microsoft.com)

Regulation is pushing the same direction. CIO Dive notes that artificial intelligence oversight is getting tighter, and a separate CIO Dive report says the European Union Artificial Intelligence Act can reach penalties of up to 35 million euros or 7% of global turnover for some violations. (ciodive.com, ciodive.com)

That is why this story is really about platform architecture, not policy decks. Agarwal’s brief is telling enterprise teams to treat governance as plumbing: build the gateway, build the catalog, connect identity and spending controls, and make the approved path the easiest path. (ciodive.com, gartner.com)

Companies that do that get one practical advantage before they get any philosophical one. When a new model, agent framework, or provider arrives, they can plug it into a controlled system instead of starting another shadow information technology stack from scratch. (learn.microsoft.com, learn.microsoft.com)
