AI Risk Management Is Becoming Operational, Not Theoretical

For the past few years, most conversations about AI risk have focused on policy.

Should we allow employees to use AI? Which tools are approved? Do we have an acceptable use policy? What happens if a model hallucinates?

While those questions are still important, they're no longer the questions keeping me up at night. What I'm increasingly focused on is the shift from AI as a tool people use, to AI as a system that acts on behalf of people.

We call them copilots, assistants, bots, and workflows, which makes them sound lightweight. In reality, some AI agents are beginning to look a lot like highly privileged employees without management structures. They can access information, summarize contracts, generate code, update records, trigger actions, and move across systems that were previously connected by human judgment and approval. If an employee had that level of access, leadership teams would immediately ask: Who owns this person? What are they authorized to do? How is their work reviewed? When should their access be removed? Many companies aren't asking those same questions about AI with the same discipline.


In my conversations with founders, security leaders, and operators, I don't think most companies have an AI problem – I think they have a visibility problem. They often don't know exactly which AI tools are being used across the organization, what data is flowing through them, what systems they can access, or who is ultimately accountable for the outcomes they produce.

Having spent much of my career in banking and risk management before becoming a startup founder, I've seen both sides of this challenge. While large enterprises can throw committees, specialists, and review processes at emerging risks, startups simply don’t have the resources to do so.

A 200-person company can't spend 18 months building a governance framework before product, engineering, sales, and support teams begin experimenting with AI. The business has to keep moving, so the challenge is ensuring that governance evolves as quickly as adoption does.

For smaller and mid-sized companies, the answer doesn't start with a complex new framework – it starts with visibility. Leaders should be able to answer a few basic questions:

  • Where are we using AI?
  • What data can it access?
  • What systems can it touch?
  • Who owns it?
  • Where is human review required?

Those sound like simple questions, but many organizations struggle to answer them consistently today. That gap matters, because compliance and audit are changing along with the underlying operating model.

Traditional control frameworks were largely built around human decision makers. People requested access. People approved vendors. People reviewed exceptions. People left evidence behind when decisions were made.

AI doesn't remove human accountability, but it can blur the path between instruction and action. A person may approve a workflow once, while an AI system executes it hundreds or thousands of times. That's why I believe governance is becoming less about annual reviews and more about continuous visibility into how systems operate.

This doesn't mean companies need more bureaucracy. In fact, too much process often creates workarounds. Good governance should make responsible adoption easier, not harder.

As AI adoption grows, customers, auditors, boards, investors, and business partners are all asking some version of the same question: Can we trust how this company operates? The answer has for years been rooted in security, controls, accountability, and transparency. As AI becomes embedded in everyday business processes, governance becomes part of that answer as well.

The fundamentals haven't changed. Organizations still need clear ownership, oversight, and accountability. What's changing is the operating environment.

AI risk management is moving from theoretical to operational, and increasingly, trust will depend on how well companies manage that transition.

Eva Pittas

See all Posts

Related Posts

Stay connected

Subscribe to receive new blog articles and updates from Thoropass in your inbox.


Want to join our team?

Help Thoropass ensure that compliance never gets in the way of innovation.

View Open Roles

Have any feedback?

Drop us a line and we’ll be in touch.

Contact us