When we first sat down to design AI governance, we did the obvious thing. We started listing risks. Data leakage, hallucination, bias, privacy, model drift, vendor lock-in. The list grew fast, as risk lists do. Workshops were held. The spreadsheet acquired colour coding.
It felt rigorous. It was our first mistake.
Here’s what a risk-first frame does, quietly. It defines the entire program as a threat to be contained rather than a capability to be built. Every conversation starts from what could go wrong, so the default answer to anything novel becomes no, or the slower cousin of no: “let’s assess that”. The people running governance become the people running prevention, and prevention, done in the abstract, has no natural stopping point. You can always imagine another risk. I watched our list grow while our actual understanding stayed flat, because we were cataloguing hypotheticals instead of examining anything real.
The fix was to invert the starting point. We began again from a different question: what is this organisation trying to become, and what decisions will get us there? Then, and only then: what could derail those specific decisions, and what controls do those risks deserve?
The difference sounds subtle. In practice it changes everything. Risks stop being an undifferentiated cloud and attach themselves to real intentions, real workflows, real data. Some risks that dominated the spreadsheet turned out to barely apply to anything we planned to do. Others we’d barely noted turned out to matter, like the slow erosion of human review quality: as outputs got better, less rigour went into checking them properly. And governance conversations became decision conversations: what are we doing, what does it need to be safe, who owns it?
Risk management matters more in critical infrastructure than almost anywhere. That’s exactly why it deserves better than a list compiled in a vacuum.
If your AI governance began with a risk register, ask what it’s actually governing. Risks need something to attach to. Start by being clear on how you’re using it today and how you plan to use it over time, and let the risks find their places.