Who Should Own AI Governance in Your Organisation?
Deciding who owns AI governance is the first and most important step. This guide explains what the role requires, how ownership typically maps to company size and type, and what happens when no one owns it.
AI governance ownership should sit with your IT Manager, Compliance Officer, or the most senior operations leader in your business — whoever currently owns data protection and IT risk decisions. The role requires management authority to enforce policy, not deep AI expertise. For businesses under 30 people, this is often the MD directly. What matters most is that it is one named person, with accountability written into their role — not a committee, not "the IT team", and not whoever happens to notice a problem first.
Why ownership matters more than process
Most AI governance failures are not process failures — they are ownership failures. A business can have a perfectly written acceptable use policy and still find, six months later, that employees are using a dozen unsanctioned AI tools, that the policy has not been updated since the day it was written, and that no one reviewed the OAuth grants that accumulated in the interim.
This happens because governance was treated as a project with a completion date rather than an ongoing responsibility with a named owner. Writing the policy is the start, not the finish. Someone needs to maintain it, enforce it, and update it as the AI tool landscape evolves.
What the role actually requires
The AI governance owner does not need to understand how large language models work. They need:
- Authority to make and enforce tool approval decisions, including telling teams they cannot use a tool they want to use
- Access to the IT admin console (or a direct line to whoever manages it) to audit OAuth grants and review tool access
- Time — realistically two to four hours per month once the initial framework is in place
- Organisational knowledge to understand what data the business handles, which teams handle it, and which data handling decisions carry the most risk
- Willingness to be the person who says no — governance owners who cannot refuse requests are not governing anything
Who typically owns it, by company size and type
Under 20 people
The Managing Director or a senior operations hire typically owns AI governance directly. There is rarely a dedicated IT Manager at this stage. The governance effort is light — a simple policy, a quarterly tools review, and an annual refresh. The MD needs to be personally briefed on what AI tools are in use and what data they can access.
20–100 people
An IT Manager or Head of Operations is the natural owner. At this size, the governance task becomes more complex — more employees, more tools, more diversity in how different teams work. A dedicated tool approval process becomes worthwhile, and a quarterly governance review should go on the calendar. If you have a Data Protection Officer (required if you process large volumes of personal data or special category data), they may co-own governance with the IT Manager.
100+ people
At this size, a formal governance committee is warranted — but it still needs a single named owner who holds accountability. Typically this is a Head of IT, IT Director, or Chief Operating Officer. The committee advises; the owner decides. Without this distinction, committee-based governance becomes slow and consensus-driven in a way that lets risky tools accumulate while reviews are scheduled.
Professional services (legal, accountancy, consulting)
In professional services, client confidentiality obligations make AI governance especially important. Ownership tends to sit with the practice manager, a senior partner, or the Head of Compliance. The governance framework needs to align with professional indemnity insurance requirements and any sector-specific regulatory guidance (SRA for solicitors, ICAEW for accountants).
What to document about the ownership role
Write the AI governance ownership into the person's role description or management objectives. Document the following in your governance framework: the owner's name and role, their decision-making authority, the escalation path for decisions that exceed their authority, and what happens to the role if they leave. The last point matters: governance ownership that lives in a person rather than a documented process does not survive staff turnover.
Common mistakes to avoid
- Assigning governance to IT without giving them authority over business decisions. If the IT Manager can identify a risky tool but cannot compel a department head to stop using it, they are an advisor, not an owner.
- Treating governance as a one-time project. Writing a policy and running a single audit is a start. Without scheduled reviews and a named owner to run them, the governance framework goes stale within months.
- Delegating ownership to a junior team member without backing them up. A junior IT analyst cannot tell a department head that their team has to stop using a tool. Governance requires seniority or explicit senior backing.
- Confusing the DPO role with AI governance ownership. If you have a DPO, their primary obligations are GDPR-specific. AI governance is broader. Clarify the boundary between the two roles explicitly.
Frequently asked questions
Who should own AI governance in a small business?
In a business of under 30 people, AI governance ownership typically sits with the most senior person responsible for IT or data protection — usually the IT Manager, Operations Director, or the Managing Director directly. The role requires management authority, not deep technical knowledge.
Does a business need a dedicated AI governance role?
No. For most SMEs, AI governance is a part-time responsibility added to an existing role. The effort is typically two to four hours per month once the initial framework is in place — auditing new tools, reviewing policy, and managing approvals.
What is the difference between an AI governance owner and a DPO?
A DPO is responsible specifically for GDPR compliance. An AI governance owner has broader responsibility for how AI tools are used across the business. These roles often overlap and may be held by the same person, but the scope is distinct.
What happens if no one owns AI governance?
Without a named owner, governance defaults to informal norms — no consistent policy, no visibility into what tools are in use, and no accountable person when something goes wrong. Shadow AI expands and data risks accumulate without anyone tracking them.