The AI Governance Gap: What Project Managers Need to Own
A few months ago, a client asked me to help them “formalize their AI strategy.” When we sat down with their steering committee, I opened with a simple question: “How many AI tools are currently in production in your organization?”
The room went quiet.
After some digging, we identified 23 AI-enabled tools running across the company. A handful were standalone deployments approved through a formal process. Most were features embedded in existing SaaS products, activated by individual teams, and never reviewed by anyone outside those teams. Sales had turned on an AI note-taker during customer calls. HR was using an AI resume screener. Finance had experimented with an AI-powered forecasting tool. None of it had gone through IT review. None of it had been evaluated for regulatory exposure. And none of it had an owner if something went wrong.
This is what I mean when I talk about the AI governance gap.
In Part 1 of this series, I made the case that AI is a project manager’s problem, not just IT’s. AI projects fail because nobody owns the process around the model, and PMs are uniquely positioned to own that process. I also introduced four ownership zones where AI work concentrates for project professionals: governance, risk, adoption, and delivery.
This article zooms into the first of those zones. Because if there is one area where the current state of AI in most organizations is visibly broken, it is governance.
What the Governance Gap Actually Looks Like
The governance gap is not about missing policies. Most large organizations have policies. They have AI ethics statements. They have responsible AI frameworks on their websites. What they do not have is a working system that connects those policies to the actual AI tools being used, by real teams, on real work.
The gap shows up in four specific ways:
- Tools enter the organization outside any review process (the shadow AI problem)
- Existing AI deployments have no designated business owner accountable for outcomes
- Risk, compliance, and legal teams are notified after problems occur, not before
- There is no clear line of escalation when an AI tool produces a bad result
Each of these is a project management problem before it is a legal or technical problem. Project managers are the people in organizations who routinely build exactly these kinds of review gates, ownership maps, and escalation paths. Governance is not new to PMs. Governance for AI is just the latest variant.
Why Existing IT Governance Does Not Cover This
You might be thinking: don’t we already have IT governance for this? Doesn’t every new tool go through procurement, security review, and architecture approval?
In theory, yes. In practice, AI is slipping through the cracks for three reasons.
First, most AI capabilities now arrive as features in existing tools. Your CRM adds AI-generated summaries. Your collaboration platform adds AI meeting notes. Your HR system adds AI-driven candidate matching. These are not new vendors, new contracts, or new architecture reviews. They are toggles inside tools that were already approved. Traditional procurement and IT governance have no trigger to catch them.
Second, AI governance requires judgment that goes beyond IT’s usual remit. Is this use case high-risk under the EU AI Act? Does this tool make decisions that affect employees, customers, or citizens in ways that require human oversight? Are we using personal data in a way that creates GDPR exposure? These are business, legal, and regulatory questions. IT cannot answer them alone, and it should not try.
Third, traditional IT governance is gate-based: approve, deploy, done. AI governance has to be continuous. Models drift. Data changes. Vendors update behavior without notice. A tool that was low-risk at deployment can become high-risk six months later without anyone noticing. That continuous oversight demands a project-style discipline that most IT governance functions are not built for.
The Regulatory Reality Closing In
If the business case for AI governance is not enough, the regulatory case is getting harder to ignore.
The EU AI Act entered into force in August 2024 and is rolling out in phases. Prohibitions and AI literacy obligations took effect in February 2025. Obligations for general-purpose AI models and governance structures followed in August 2025. On August 2, 2026, most of the remaining provisions become enforceable, including the full compliance framework for high-risk AI systems listed in Annex III, transparency obligations, and the penalty regime. For organizations operating in the EU market, the clock is running.
One detail often missed in early discussions: the AI Act applies to both providers and deployers. If your organization uses an AI tool built by someone else in a high-risk context, you carry obligations too. That nuance matters enormously for most PMs, because most of us work in organizations that deploy AI tools rather than build them.
Outside Europe, the NIST AI Risk Management Framework has become the reference point for AI governance in the United States, and ISO/IEC 42001, published in December 2023, provides a certifiable management system standard for AI. These frameworks are not legally binding everywhere, but they are rapidly becoming the baseline any organization needs to meet to demonstrate responsible AI practice to clients, regulators, or auditors.
None of these frameworks will be implemented by data scientists alone. They require inventories, risk assessments, documentation, review processes, and clear accountability. Every one of those deliverables is, at its core, a project management deliverable.
What Project Managers Should Specifically Own
Zooming in on the governance ownership zone, here is what I would argue sits squarely in a project manager’s remit on any AI initiative:
- AI system inventory: knowing what AI is in use, where, and by whom. Not a one-time audit, but a living register.
- Role clarity: defining who owns the tool on the business side, who owns it on the technical side, and who owns the risk decisions.
- Review gates: embedding AI-specific checkpoints into project initiation, procurement, and change management.
- Risk classification: running AI use cases through a simple risk screen before deployment, mapped to whatever regulatory framework applies.
- Human oversight design: specifying where humans stay in the loop, what they see, and what authority they have to override the system.
- Incident response: defining what happens when the AI produces a bad output, who gets notified, and how the issue is escalated.
- Documentation: maintaining the paper trail that regulators, auditors, and internal stakeholders will eventually ask for.
None of this requires a PhD in machine learning. All of it requires the kind of structured thinking PMs apply every day to scope, stakeholders, and risk. The difference is that PMs need to know enough about AI to ask the right questions and to recognize when the answers do not add up.
Starting Where You Are
If you are a project manager wondering how to engage with AI governance in your own organization, here are three steps that work regardless of whether your organization has a formal AI strategy.
First, start the inventory. Even informally. Talk to three or four colleagues in different functions and ask what AI tools they are using, officially sanctioned or not. You will almost certainly find more than anyone in leadership realizes. That inventory is the foundation for every other governance conversation.
Second, bring governance language into your next project kickoff. Ask the standard scope and stakeholder questions, then add one more: “Where does this project touch AI, directly or indirectly, and who owns the governance of those touchpoints?” If the answer is unclear, you have just identified a gap worth naming.
Third, learn enough about the relevant regulatory landscape to have a grounded conversation. You do not need to read the EU AI Act cover to cover. You need to know that high-risk AI systems carry specific obligations, that the NIST AI RMF exists as a reference framework, and that ISO/IEC 42001 is the emerging certification standard. That is enough to be credible in a governance discussion.
The Governance Conversation Needs You
AI governance is not a problem waiting for another specialist. It is a problem waiting for someone who can coordinate the specialists, build the process, and hold the whole thing together. That is the job description of a project manager.
The PMs who step into this space now will define how AI governance gets practiced in their organizations for years to come. The PMs who wait will inherit whatever gets built by people without their training.
For project professionals, the opportunity is clear: step into the governance gap before it is defined by someone else. The organizations that handle this well in the next 18 months will be the ones that treated AI governance as project management from the start.
In the next article in this series, we will move from governance to delivery and walk through a practical framework for running AI-ready projects end to end.
PML would like to extend a huge thank you to Markus Kopko for sharing his knowledge and wisdom with the PML community!
Learn more about him below and reach out to connect!
About the Author
Markus Kopko, PgMP®, PMP®, CPMAI®, CAITL™, ITIL® 4 Strategic Leader
Founder, PMotion.ai | Founder, The PM AI Coach | PM Team Lead, CPMAI Lead Coach & Trainer at Alvission Education GmbH
PMI AI Standards Core Development Team | PMBOK® Guide 7th Edition Reviewer
Based in Hamburg, Germany
Markus Kopko (He/Him) is an internationally recognized program and project management leader with 25+ years of professional experience across finance, telecom, pharma, and energy. As a certified Program Management Professional (PgMP®), Project Management Professional (PMP®), and Certified Professional in Managing AI (CPMAI®), he supports organizations in delivering high-impact programs leveraging agile, hybrid, and traditional methodologies.
Markus is the founder of PMotion.ai, an AI governance and transformation advisory, and The PM AI Coach, a certification and career coaching platform for project professionals. At Alvission Education GmbH, he serves as PM Team Lead and CPMAI Lead Coach & Trainer, guiding practitioners through PMI’s AI certification pathway.
He serves on the PMI AI Standards Core Development Team, contributing to the forthcoming Standard for Artificial Intelligence in Portfolio, Program, and Project Management, and reviewed the PMBOK® Guide 7th Edition. A passionate speaker, mentor, and trainer, Markus is committed to growing the next generation of project leaders and closing the gap between AI hype and execution.
Services: AI Governance Advisory · CPMAI Coaching · PMP & PgMP Certification Prep · Project & Program Management Training · Executive Coaching · Change Management
Reach out to Markus on LinkedIn: https://www.linkedin.com/in/markuskleinpmp/
Standard PML Contributor Disclaimer: The views, thoughts, and opinions expressed in this PML Contributor guest post are solely those of the author and may or may not reflect the views of Project Management Life. We appreciate the many diverse perspectives shared by our contributors as part of our commitment to fostering insightful discussions within the PML Tribe Community.