AI governance becomes engineering

- Companies are moving AI governance from policy decks to actionable, tested engineering controls and operating discipline.
- Grant Thornton recommends clear, organized, and tested controls; case studies show compliance can enable growth across GDPR, DSA and U.S. rules.
- Emerging design patterns include explicit data lineage, model and prompt logging, role-based model access, retention controls, and pre-deployment testing. (grantthornton.com) (foiwe.com)

AI governance is moving out of slide decks and into code, logs, access rules, and test plans that companies can show an auditor. (grantthornton.com) Grant Thornton said on April 13 that 78% of senior leaders lack strong confidence they could pass an independent AI governance audit within 90 days. In the same 2026 survey, organizations with fully integrated AI were nearly four times as likely to report revenue growth as firms still piloting it, 58% versus 15%. (grantthornton.com)

The shift is showing up in specific controls. Grant Thornton’s latest guidance calls for governance that is “clear, organized and tested,” while a new case study from Foiwe describes teams building data lineage, prompt and model logs, role-based access, retention rules, and pre-deployment checks into the product itself. (grantthornton.com) (foiwe.com) Data lineage is a record of where training and input data came from, how it changed, and which model touched it. Prompt and model logging creates a replay trail for what users asked, which model version answered, and what filters or approvals ran before the output reached a customer. (foiwe.com) (ico.org.uk)

That engineering turn lines up with the rules now taking effect in Europe. The European Commission says obligations for providers of general-purpose AI models under the European Union AI Act started applying on August 2, 2025. Those duties include technical documentation for all providers and, for general-purpose models classified as posing systemic risk, model evaluation, serious-incident reporting, and cybersecurity protection. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) The Digital Services Act is pushing in the same direction for platforms that moderate or rank content at scale. European Union transparency reporting rules under the law began applying on July 1, 2025, using harmonized templates meant to make moderation practices easier to compare across services. (digital-strategy.ec.europa.eu) (eur-lex.europa.eu)

In the United States, the pattern is less about one AI statute than about existing oversight being translated into operating controls. The National Institute of Standards and Technology’s AI Risk Management Framework organizes the work into four functions, govern, map, measure, and manage, and the Federal Trade Commission’s current AI compliance plan emphasizes transparency, accountability, protection of nonpublic data, and controls for hallucination and plagiarism risks. (nist.gov) (ftc.gov 1) (ftc.gov 2)

Privacy regulators are also asking for less theory and more evidence. The United Kingdom’s Information Commissioner’s Office says AI systems need a documented and embedded privacy management framework, and its AI guidance ties accountability to concrete choices about data minimization, retention, explainability, and human oversight. (ico.org.uk 1) (ico.org.uk 2)

The practical result is that “governance” now looks a lot like ordinary software operations. If a company can show who had access to which model, what data trained it, which prompts were sent, how long records are kept, and what failed in testing before launch, it has something sturdier than a policy memo. (grantthornton.com) (foiwe.com)
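As an added example, not code from Grant Thornton, Foiwe, or any product in the case study, here is a minimal version of the controls listed above: a model registry that carries data lineage back to a training-set digest, a deny-by-default role-to-model access list, a per-request log that records model version, which filters ran and what they decided, and whether a human approved release, plus a retention purge and a replay lookup. Every model name, role, dataset, the pseudonymisation key, and the stand-in model call are constructed for the illustration.

```python
"""Prompt/model audit trail: role-based model access, data lineage, filter and
approval recording, retention, and replay. Added illustration; all names,
datasets, keys and the stand-in model below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import json
import re
import uuid
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Model registry: deployed version plus lineage to the training data (constructed).
MODEL_REGISTRY = {
    "support-assistant": {"version": "2.3.1", "training_dataset": "tickets-2025q3",
                          "dataset_sha256": hashlib.sha256(b"constructed support corpus").hexdigest(),
                          "requires_human_approval": False, "retention_days": 90},
    "claims-scorer": {"version": "1.0.4", "training_dataset": "claims-2024",
                      "dataset_sha256": hashlib.sha256(b"constructed claims corpus").hexdigest(),
                      "requires_human_approval": True, "retention_days": 365},
}
# Role-based model access: which roles may call which model (constructed).
MODEL_ACL = {"support-assistant": {"support-agent", "support-lead"},
             "claims-scorer": {"claims-analyst"}}
# Key for pseudonymising user ids in the log (constructed; a real deployment
# keeps it in a secrets manager so the log alone cannot re-identify users).
PSEUDONYM_KEY = b"constructed-demo-key"
CARD_NUMBER = re.compile(r"\b\d{13,19}\b")


def check_model_access(role: str, model_id: str) -> bool:
    """Deny by default: unknown models and unlisted roles both return False."""
    return role in MODEL_ACL.get(model_id, set())


def pseudonymise(user_id: str) -> str:
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), "sha256").hexdigest()[:16]


# Input filters return (name, passed, detail) so the log shows what ran and why.
def pii_filter(prompt: str) -> tuple[str, bool, str]:
    hit = CARD_NUMBER.search(prompt)
    return ("pii_card_number", hit is None, "card-like number found" if hit else "ok")


def length_filter(prompt: str) -> tuple[str, bool, str]:
    return ("max_length_2000", len(prompt) <= 2000, f"{len(prompt)} chars")


INPUT_FILTERS = [pii_filter, length_filter]


def run_model(model_id: str, prompt: str) -> str:
    """Stand-in for the real model call; deterministic so the run is checkable."""
    return f"[{model_id}@{MODEL_REGISTRY[model_id]['version']}] response to: {prompt[:40]}"


@dataclass
class AuditRecord:
    request_id: str
    timestamp: str
    user_pseudonym: str
    role: str
    model_id: str
    model_version: str | None
    dataset_sha256: str | None       # lineage: digest of the training set
    prompt_sha256: str
    filters: list[dict]              # every filter/approval step that ran
    decision: str                    # denied | blocked_by_filter | pending_approval | released
    output: str | None
    expires_at: str                  # retention deadline for this record


class AuditLog:
    def __init__(self) -> None:
        self.records: list[AuditRecord] = []

    def replay(self, request_id: str) -> dict | None:
        """Replay trail: who asked, which version answered, what ran in between."""
        return next((asdict(r) for r in self.records if r.request_id == request_id), None)

    def purge_expired(self, now: datetime) -> int:
        """Retention control: drop records past their deadline, return the count."""
        keep = [r for r in self.records if datetime.fromisoformat(r.expires_at) > now]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed


def handle_request(log: AuditLog, user_id: str, role: str, model_id: str,
                   prompt: str, now: datetime) -> AuditRecord:
    """Enforce access, run filters, call the model, gate on approval; log every path."""
    meta = MODEL_REGISTRY.get(model_id)
    retention = timedelta(days=meta["retention_days"] if meta else 30)
    rec = AuditRecord(str(uuid.uuid4()), now.isoformat(), pseudonymise(user_id), role,
                      model_id, meta["version"] if meta else None,
                      meta["dataset_sha256"] if meta else None,
                      hashlib.sha256(prompt.encode()).hexdigest(), [], "denied", None,
                      (now + retention).isoformat())
    log.records.append(rec)                      # denials are logged too
    if meta is None or not check_model_access(role, model_id):
        return rec
    for f in INPUT_FILTERS:
        name, passed, detail = f(prompt)
        rec.filters.append({"name": name, "passed": passed, "detail": detail})
        if not passed:
            rec.decision = "blocked_by_filter"
            return rec
    rec.output = run_model(model_id, prompt)
    rec.decision = "pending_approval" if meta["requires_human_approval"] else "released"
    return rec


def approve(log: AuditLog, request_id: str, approver: str) -> bool:
    """Human release gate; the approval itself becomes part of the record."""
    rec = next((r for r in log.records if r.request_id == request_id), None)
    if rec is None or rec.decision != "pending_approval":
        return False
    rec.filters.append({"name": "human_approval", "passed": True,
                        "detail": f"by {pseudonymise(approver)}"})
    rec.decision = "released"
    return True


def demo() -> dict:
    """Worked run: allowed call, denial, filter block, approval, then a purge."""
    log, now = AuditLog(), datetime(2026, 4, 20, tzinfo=timezone.utc)
    ok = handle_request(log, "alice", "support-agent", "support-assistant", "Where is order 1234?", now)
    denied = handle_request(log, "bob", "support-agent", "claims-scorer", "Score claim 77", now)
    blocked = handle_request(log, "carol", "support-lead", "support-assistant",
                             "my card is 4111111111111111", now)
    pending = handle_request(log, "dave", "claims-analyst", "claims-scorer", "Score claim 77", now)
    approved = approve(log, pending.request_id, "erin")
    purged = log.purge_expired(now + timedelta(days=100))   # 90-day support records expire
    return {"ok": ok.decision, "denied": denied.decision, "blocked": blocked.decision,
            "pending_then": pending.decision, "approved": approved,
            "replay_model_version": log.replay(pending.request_id)["model_version"],
            "purged": purged, "remaining": len(log.records)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that every path writes a record before anything else happens: a denied call, a filter block and a held-for-approval output all leave the same shape of evidence as a released answer, which is what an auditor asking "who had access to which model and what ran before the customer saw the output" actually needs. Retention is attached per model rather than globally, since a claims model and a support assistant rarely share a legal retention period.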

Shared from Scout - Be the smartest in the room.