The AI governance capacity paradox
You need to build the AI governance system, but you just laid off the builders
TL;DR
The article makes five claims that matter.
Claim 1: Companies spent the last year eliminating the middle managers who held AI governance together.
Claim 2: The EU AI Act transparency requirements activate on August 2, 2026, and 78 percent of enterprises have not moved past basic awareness.
Claim 3: The talent market cannot clear the gap. AI governance is now the hardest role to fill globally, and it takes 18 to 24 months to develop someone who can actually do it.
Claim 4: Hiring a consulting firm to write your governance strategy adds a more expensive layer of documentation on top of the same broken foundation.
Claim 5: Three moves can limit immediate exposure before August 2 : assign data ownership by pain not title, rebuild your data community around demonstrated results not policy, and implement AI risk corridors.
You are being asked to build the governance system your board wants, your regulator requires and your auditors will review in 130 days.
The people who knew how to build it are gone.
Gone as policy. Gone as part of the transformation narrative. Gone because the AI business case needed a numerator and middle management was the most available denominator.
This is the Governance Capacity Paradox:
Enterprises are eliminating the exact human layer required to build the governance systems regulators and boards now urgently demand, and the collision is happening on a fixed date.
The EU AI Act transparency requirements activate on August 2, 2026. The elimination already happened. The talent to rebuild does not exist at the scale or speed required.
You are inside a paradox with a fixed end date. And most organizations have not realized it yet.
The pattern observed
The warning signs have been building for twelve months. Nobody put them together until the EU AI Act deadline made the gap impossible to ignore.
Companies have been cutting middle managers at scale.
Korn Ferry’s survey of 15,000 workers found that 41 percent say their company has already stripped out management layers. Gartner forecasts that by end of 2026, one in five companies will use AI to eliminate more than half of their middle management. Amazon cut 14,000 corporate roles in 2025 explicitly citing AI-enabled leaner structures. The trend is documented and is still running.
Most companies are nowhere near ready for what regulators now require.
Vision Compliance's April 2026 report found that 78 percent of enterprises have not moved past basic awareness — no AI inventories, no named owners, no documentation.
Deloitte's State of AI 2026, based on 3,235 leaders across 24 countries, confirmed that three in four companies plan to deploy agentic AI within two years. Yet only one in five has a governance model ready for it.
The people you would hire to fix this do not exist in sufficient numbers.
ManpowerGroup’s 2026 survey of 39,000 employers found AI governance roles are now the hardest jobs to fill anywhere in the world. Competitive. Expensive. And simply not available at the required scale or speed.
Twelve months. Three separate signals. One date where they all meet: August 2, 2026.
The job cuts created this gap.
The regulation made it visible.
The talent shortage made it permanent.
And all this happened in slowmo in front of our eyes.
The system revealed
Earlier this year I worked on an AI governance project at a large company. The kind of place that has been running AI pilots for two years, has a Chief Data Officer, a 40‑page governance framework, and still cannot get a single business unit to take real ownership of its data.
Inside this company there were two power centres pulling in different directions.
At headquarters, a VP for Digital Operations responsible for reducing risk and keeping the operating model stable.
Offshore, a VP for AI whose job was speed - he ran the AI layer meant to accelerate roughly 500 engineering projects.
They were not fighting about “AI vs governance” as ideas. They were living in different timeframes.
The HQ VP told me very clearly:
“This job is 90 percent data governance and 10 percent AI.”
She didn’t exaggerate. It was her honest view of the mess. She knew the big consulting company had delivered a polished governance strategy: good on slides, empty in production. Nice wording, no working plumbing.
The AI VP needed clean, trusted data right now. Not after a six‑month rebuild. His teams were stuck at proof‑of‑concept. They could not safely deploy models on data they did not control. He was not against governance. He was against waiting.
The governance lead role sat right in the middle of that squeeze.
If you lean towards the AI VP’s urgency, you turn into a “data janitor”: fixing tables by hand, writing one‑off scripts, racing to clean inputs so a model can go live this quarter, while the deeper problems stay untouched.
If you lean towards the HQ VP’s patience, you build careful frameworks that nobody uses while the AI teams quietly route around you and ship models on ungoverned data anyway.
In both cases, the company ends up in the same place:
Shadow AI systems in production, built on data nobody really owns, carrying risks nobody has formally accepted.
Exactly the outcome the HQ VP was trying to avoid.
That is an operating model failure. And under that failure, I kept seeing the same three cracks.
First, the governance illusion.
On paper, governance looks solid. There are policies, committees and RACI charts. In reality, the core business data ( customers, products, contracts, incidents ) flows through systems with no proper quality checks and no single person clearly accountable when it drifts. The document says “this role is responsible.” The actual data shows that “no one is.”
Second, the broken community.
The Community of Practice that is supposed to connect IT, data and business has fallen apart, or never really existed. Business users experience governance as extra forms, extra fields and extra meetings, with no visible benefit. So they ignore it. From their perspective, they are right. Governance has mostly delivered bureaucracy, not better outcomes.
Third, the HQ versus delivery‑centre disconnect.
HQ sets policies and wants discipline. The offshore engineering and AI teams are paid to deliver features and models at high speed. They work on the same data but live on different clocks and are judged by different metrics.
One is rewarded for saying “no” until the risk is understood.
The other is punished for saying “no” because it slows down delivery.
Without a clear way to connect them, they talk past each other and ship incompatible decisions into the same environment.
When you remove the layer of people who used to bridge those three cracks - usually experienced middle managers who understood both the business and the data - the whole structure starts to fail in visible ways.
Deloitte’s 2026 State of AI report shows the same picture in numbers: nearly three‑quarters of companies plan to roll out agentic AI in the next two years, but only one in five currently has a mature governance model for those agents. In other words: we are adding more autonomous systems on top of a governance layer that is already too thin.
Privacy and AI governance experts at the IAPP keep flagging the same operational gaps: who is actually accountable, how training data is sourced and documented, how automated decisions are explained, who owns incident response, and how cross‑border data flows are tracked.
These are not “nice to have” controls. They are the basics. And they are exactly the things that break when you strip out the human layer that used to improvise fixes between policy and reality.
This is why your governance program stalls even when people are trying hard.
The effort is real. The capacity you (not so) quietly removed is no longer there.
You cannot buy your way out of this either
The obvious answer is to go and hire the people you need. Yet, it will not work.
Verifywise's May 2026 AI Governance Salary Report found that demand for AI governance roles grew 150 percent in a single year. By late 2025, more than 14,000 positions were open and unfilled. The people to fill them do not exist yet. At least, in sufficient numbers.
So companies do the next obvious thing. They call a consulting firm - an Artefact, an Accenture, a McKinsey - to produce an AI governance strategy. Then they hire an interim manager to run it. That interim walks into an organisation where the internal data governance team already exists on paper: they have the title, they attend the meetings, they write the presentations. What they do not do is walk into a business unit, sit down with the people who actually use the data and build the kind of trust that makes data ownership real.
So you end up with MDM tools nobody really uses. Policies nobody really follows. A community of practice that meets once a month and produces minutes of the meeting. And with a business that still does not know who actually owns its customer data.
The external strategy layer does not fix this. It adds more documentation on top of the same broken foundation.
PwC's 2026 AI Performance Study surveyed 1,217 executives across 25 industries and found that 74 percent of all AI value is being captured by just 20 percent of companies.
The difference was not which models they chose, or how big their AI budget was.
The companies capturing that value did not BUY their way there. They BUILT it internally before they scaled.
EY is the case study in what happens when you do not. In May 2026, GPTZero researchers found that a published EY Canada cybersecurity report was full of citations that either did not exist or pointed to pages that had never contained the information cited. More than half the sources were fabricated. EY pulled the report.
The model generated convincing-looking garbage. Nobody inside EY caught it before it went out. That is what “governance on paper” looks like when it meets a real deadline - even inside the firm that audits other people’s controls for a living.
What can be done
Not everything. But three moves are still inside the window (August 2, 2026), and none of them start with a strategy deck.
Assign governance by pain rather than title.
The first failure mode in every stalled governance program is identical: data ownership is assigned to whoever has “Data” in their job title, not to the person who absorbs the pain when the data is wrong. Those are rarely the same person.
The immediate move is to identify the three to five master data domains causing the most downstream AI failures and assign ownership to the business unit leader whose team is actually suffering the errors.
Not based on org chart position. Based on who feels the cost of the problem.
That conversation is uncomfortable. It is also the only one that produces a real data owner rather than a slide-parrot with a governance mandate and no real accountability when it fails.
Rebuild the community of practice around proof of value.
The broken CoP cannot be relaunched with a new name and a kickoff meeting. Business users disengage from governance programs when governance means administrative burden with no visible return.
The fix is a ten-person cohort: find the stakeholders actively suffering from poor data quality right now, solve one specific pain point for them in under thirty days. Use that result to bring the next group in.
Governance as utility, not compliance theater. The community reforms around demonstrated value. Or it does not reform at all. And if it does not reform, no framework document, no external vendor, no interim manager fixes the broken incentive structure underneath.
Implement risk corridors before the AI delivery team bypasses you entirely.
The most predictable failure mode in the HQ-versus-delivery-center dynamic is shadow IT. The offshore AI team, blocked by slow governance, routes around it. By the time HQ discovers what was built on ungoverned data, it is in production and touching customers.
Risk corridors prevent this without stopping velocity.
Low-risk internal data gets fast-tracked to the AI team.
Medium-risk data gets automated controls.
High-risk data - financial records, customer PII, anything in scope for the August 2 transparency requirements - requires validated data owner sign-off before the AI team can scale its use.
The HQ VP gets the guardrails. The AI VP gets to ship.
These three moves do not fully resolve the paradox. The paradox is structural and the date is fixed. But they limit the immediate liability risk while the longer rebuild is designed. And they work with the people you actually still have, not the governance team you were supposed to hire.
The one test
The falsification test is this:
Find me an enterprise that eliminated 20+ percent of middle management in 2025-2026 and has a live, board-ratified AI governance program.
With documented data lineage, model accountability records and named incident response owners.
And operational before August 2026.
Not a roadmap. Not a working group. Operational.
If that enterprise exists at scale, the paradox is wrong.
If you are an operator who has lived this: tell me where it breaks.
My final ask
These Signals come from conversations I am having with executives right now, just written down.
If this one helped you see something you had not named yet, do two things.
And if you want to support the work directly:
Connects to:
The three moves at the end are worth doing, but they don't reach the underlying problem.
"Assign governance by pain not title" is correct on the diagnosis — the wrong person is holding the responsibility. The fix assumes that once the right person has the assignment, they can act on it. The person who absorbs the pain from bad data is usually the same person with least standing to push back upstream on how that data gets created in the first place. Pain is not a power source.
The deeper loss isn't a governance function. The middle layer was a translation layer — the people who held the institutional memory of why decisions were made the way they were, what the edge cases looked like in practice, and who to call when the policy met reality and broke. That knowledge was never documented because it didn't need to be. The people carrying it were still there.
A consultant can write a governance strategy. They cannot write down what the person who just left knew about why the third-party data feed breaks every quarter-end, or who in the business unit actually has the authority to pause it. That's the gap the August deadline is about to make visible. The three moves are triage on a structural wound, not a repair.