//Question

Who should own AI governance within an organization, security, legal, or a dedicated team?

Posted on 09th July, 2026

Harry

Harry

//Answer

Most mature organizations have moved toward a cross functional ownership model rather than assigning AI governance to a single department. Legal and compliance teams typically take the lead on defining regulatory requirements and understanding how frameworks like emerging AI specific legislation apply to the organization's particular use cases. A dedicated AI governance or risk function, where one exists, generally sets overall policy and coordinates across departments. Security's role has grown significantly within this structure as governance has shifted from being primarily a policy exercise toward something that increasingly requires technical enforcement.

This shift matters because policy decisions about acceptable AI use, data handling boundaries, and required approvals only have real effect if something is actually verifying they are being followed in production. That verification work, including guardrail enforcement, runtime monitoring, and adversarial testing, sits squarely within security's traditional skill set rather than legal or a purely policy focused governance team's, which is why security has increasingly become a core stakeholder rather than a downstream consulted party in AI governance discussions.

The practical division tends to work best when legal and governance define what the rules should be based on regulatory and business risk considerations, and security implements and continuously verifies the technical controls that make those rules operationally real. Akto sits at that implementation layer, giving security teams the technical means to operationalize governance decisions for AI agents specifically, translating policy language into enforceable guardrails and ongoing monitoring rather than leaving that translation work unaddressed.

Comments