Five takeaways on AI governance, trust and innovation

WorkAI.TV Editorial Desk
3 Min Read

Share with your CISO

SAP’s Chief Security, Compliance and Risk Officer Marielle Ehrmann makes the case that AI governance done early and seriously becomes a speed advantage, not a drag on deployment. The argument draws on EY data showing nearly all organizations are scaling AI while only about a third have responsible controls in place. SAP claims ISO 42001 certification for AI governance achieved in Q3 2025, positioning that credential as proof that governance can be operationalized, not just promised. The central warning is blunt: most AI risk originates in human behavior around models, not the models themselves.

What this means for your business

The governance gap Ehrmann describes has a specific shape that most security leaders will recognize immediately. AI deployment starts in browser tabs, not architecture reviews. An employee pastes a contract into a public model, a team validates nothing in an AI-generated compliance summary, and the formal governance program is still in draft when the exposure is already live. If your AI policy inventory and your actual AI usage inventory don’t match, you’re already managing a gap, not a plan, and the question is how wide it’s grown.

The piece’s sharpest claim is that governance precedes trust, and trust precedes sustained innovation velocity. That’s a harder argument than it looks. The short-term incentive structure inside most enterprises runs the opposite direction: teams that deploy fast get credit, teams that govern carefully get called slow. Ehrmann’s framing only holds if the accountability mechanism actually reaches the people making daily deployment decisions, not just the board slide deck. The ISO 42001 certification SAP cites is real external discipline, but it’s worth noting that SAP sells governance tooling into exactly the enterprise market it’s advising here, which nudges the argument toward making certification sound more universally accessible than it is for a mid-sized organization with no dedicated AI risk function.

The question to weigh differently after reading this isn’t whether your organization needs an AI governance program. It’s whether the one you have can answer Ehrmann’s diagnostic in real time: name where AI is deployed, what data it touches, and who owns the risk when an output is wrong. If that question goes quiet in your own staff meeting, the governance you have is the PowerPoint version, and the next audit or incident will make that distinction for you.

Based on reporting from Five takeaways on AI governance, trust and innovation, originally published 2026-07-07 03:00:00.

TAGGED:
Share This Article