Beyond the committee: the real work of governing AI at scale

Beyond the committee

The real work of governing AI at scale

May 2026

AI governance is rising fast, but most firms still can’t prove it works in practice. EY explores why strategy, ownership, and real control (especially over third‑party AI) will define who leads at scale.Contents

Thank you for reading

Lessons from South Africa’s financial sector on risk, control and executive accountability.

Most firms have AI governance in place. Far fewer can make it work in practice
Without clear strategy and ownership, governance risks becoming process without direction
The real test is proving control, particularly where AI sits in third-party ecosystems

South African financial institutions have moved well beyond treating AI as a future issue. It is already showing up in pilots, live use cases, vendor tools, board discussions and rising expectations around productivity, service and growth. That is real progress. It also creates a more demanding risk environment than many firms were facing even a year ago.

This article builds on findings from EY’s recent South African AI governance survey, which examined how financial institutions are responding to the growing use of AI across their operations. Read more here.

The governance challenge is no longer simply whether leaders are paying attention. Most are. The harder question is whether institutions are building the practical capability to govern AI once it becomes part of day-to-day operations. That is a more exacting test. It asks whether firms can move from awareness to execution, from oversight structures to operating discipline and from broad principles to evidence of control.

That is one of the clearest messages in the South African survey. Financial institutions are not asleep to the topic. Governance is visible. Leadership attention is rising. Yet many firms still appear to be building the basic disciplines that make AI governable in practice: clear strategic intent, settled ownership, current inventories, effective challenge, reliable monitoring, tested escalation and stronger assurance. In other words, the issue is no longer whether AI governance exists. The question now is whether AI governance can operate consistently under real conditions.

^{The next AI risk challenge is execution}

There is no shortage of awareness in financial services. Boards know the topic matters. Risk teams are engaged. Compliance teams are alert. Technology leaders are under pressure to support adoption without allowing the organisation to drift into unmanaged exposure. The conversation has matured quickly. That does not mean control maturity has kept pace.

The survey suggests many institutions have made a serious start but are still building the routines and controls that turn governance from intent into discipline. In insurance, several core governance capabilities still sat in the emerging category rather than appearing mature or deeply embedded. Internal assurance also looked uneven. Most insurance responses said AI or GenAI risk and control effectiveness had not been subject to an internal audit in the previous 12 months. Banking responses pointed in a similar direction, with targeted review activity still not consistently complete. This suggests the market is still progressing through this stage rather than operating beyond it.

That work is less glamorous than the public conversation around AI often suggests. It includes keeping inventories current, understanding where AI sits inside products, processes and third-party systems and risk-tiering use cases properly rather than treating them as one broad category.

It also means making validation, monitoring and escalation routine rather than exceptional. This ensures first-line leaders understand how AI is used in their areas and where human judgement still needs to sit.

For experienced risk leaders, none of this is conceptually new. AI does not create a completely new governance world, but it does broaden and intensify the risk picture. Model-related issues remain important but the exposure is now broader: operational risk, conduct risk, reputational risk, cyber exposure, third-party dependency, concentration risk and the risk of decisions or outputs changing quietly as tools evolve.

Once AI is embedded in service operations, claims handling, underwriting support, fraud detection, regulatory processes or employee decision support, governance stops being an abstract virtue and becomes an operating capability.

That is why execution matters more than awareness. Most firms know the subject is important. Fewer can yet say, with confidence, that they know exactly what they have, where it sits, how it is controlled and how they would respond if something material went wrong.

Strategy needs to come before governance can work properly

One of the more important issues in the survey is not a narrow control issue. It is a strategy issue.

A number of firms appear to be moving into AI governance before they have fully settled their AI strategy. They may have committees, policies and active discussions but that is not the same as having a coherent point of view on where AI should create value, where it should support differentiation, what risks are worth taking, where the organisation wants to move quickly and where it should be deliberately cautious.

That matters more than it may seem at first. Without a clear strategic anchor, governance can quickly become reactive. It manages activity rather than shaping it. It reviews proposals, discusses risks and creates process but does not offer much directional clarity on what the institution is actually trying to achieve with AI. When that happens, governance can become process-heavy without becoming more effective. Investment fragments. Decision-making slows. The organisation looks careful but not always purposeful.

For boards and executive teams, this is becoming more pressing as the competitive backdrop is changing. Incumbents are starting to recognise that staying in expert follower mode may not be enough. They do not need to mimic the posture of AI-native challengers, but they do need a more explicit view on how AI fits into their future model, economics and customer proposition. Without that, governance risks becoming a brake on movement rather than an enabler of confident adoption.

The aim is not reckless risk-taking, but greater clarity about which risks are being taken and why. Firms that are explicit about the value they want from AI, the choices they are willing to make and the boundaries they want to maintain will usually govern better than firms that approach the topic mainly through process and review.

^{Governance is visible but ownership is still unclear}

The South African responses make clear that governance is visible. Committees exist. Structures are being formalised. More senior people are involved. At one level, that is exactly what should be happening. In a regulated industry, stronger oversight is part of the price of progress.

The problem is that governance can become more elaborate without ownership becoming more settled.

Across the survey, the data do not point to absent oversight so much as distributed ownership across committees, risk leaders, technology leaders and executive teams in ways that do not always look fully resolved. Banking responses were suggestive, with governance committees playing a prominent role in decision-making. Insurance showed a related pattern, with accountability often sitting across the CRO and CIO or CTO.

Still, there is a difference between shared accountability and unclear accountability. When decision rights are unclear, progress slows, often quietly. More people are consulted. More perspectives are heard. Risks are discussed at length. Yet the hard calls do not always land cleanly.

These are not abstract governance questions. They are day-to-day management questions. They sit close to the logic of the three lines of defence. The first line needs enough clarity to use and supervise AI responsibly in the business. The second line needs sufficient standing and visibility to challenge, set guardrails and monitor emerging risk. The third line needs enough evidence and structure to assess whether the control environment is actually working. Where those roles are vague, AI governance tends to look stronger on paper than it feels in operation.

^{Most firms can describe control. Fewer can prove it.}

Most institutions can now articulate responsible AI principles. They can talk about fairness, transparency, accountability, human oversight and governance. In some cases, they can point to a framework that captures all the right concepts. That is a useful foundation. That foundation still needs to translate into clear, demonstrable control in practice.

The more revealing questions are practical. Can the institution show where AI is being used, including tools embedded in third-party platforms? Can it distinguish low-risk productivity use from higher-stakes applications that affect customer outcomes, operational decisions or regulated processes? Can it demonstrate testing, challenge and validation in a way that would stand up to internal audit, board scrutiny or supervisory inquiry? Can it explain how incidents would be identified, escalated and managed? Can it show that control expectations hold regardless of whether the model was built internally, procured externally or embedded in a broader technology product?

The South African data is especially useful here. The insurance responses suggest that several enabling disciplines are still in development. Monitoring and metrics were often still in the process of emerging. Documentation and transparency were not yet consistently strong. Training and change management were also far from being fully embedded. Regulatory readiness also looked uneven, even though a notable share of insurers referenced the EU AI Act in describing the external frameworks shaping their thinking.

One of the most practical issues here is inventory. If a firm lacks a reasonably complete, current view of where AI is being used or embedded, governance becomes incomplete. That inventory needs to be broader than formally approved use cases. It needs to include third-party tools, evolving vendor functionality and AI-enabled capabilities that may have entered the environment through broader technology adoption.

The more meaningful divide is between firms that can describe governance and those that can clearly evidence how it works in practice.

^{Third-party AI may be the weakest link in the control chain}

Third-party AI is often treated too narrowly, as though governance sits mainly with the vendor.

For many institutions, AI will not arrive mainly through internally built models. It will come through software providers, cloud platforms, core systems, workflow tools and enterprise vendors steadily layering AI into products and services. On the surface, that is efficient. Banks and insurers do not need to build everything themselves, but third-party adoption does introduce additional governance complexity.

The institution still owns the consequences. It still needs to know where the tool is used, which decisions it influences, what data it touches, how outputs are checked and what degree of human intervention remains possible. A vendor may update a model, change an underlying feature or improve a product release, and suddenly the outputs shift. The institution remains exposed even where the model originates externally.

Vendor governance, therefore, needs to become more than a procurement checkpoint. Institutions need sharper questions and better evidence. What is the tool actually doing? What has it been trained on? How often is it updated? What can be explained and what cannot? What happens when outputs are wrong or unexpected?

What incident obligations exist, and what leverage does the institution have if something material goes wrong? These questions now sit close to the core of AI governance.

Three questions boards should now be asking

Boards and executive teams need a sharper conversation about governed scale.

The South African market is clearly moving. Institutions are more active, more alert and more serious than they were even a year ago. But greater focus does not yet fully equate to readiness. Many are still building the disciplines that connect oversight to execution, policy intent to operating evidence and AI activity to a clear strategic view of where it should take the organisation. For boards, three questions now matter more than whether a committee or a framework exists:

Do we actually know where AI is being used across the organisation, including in third-party tools, and can we show how those uses are being risk-tiered, monitored and controlled?
Are ownership and decision rights clear enough to let us move with confidence, or are we relying on unclear accountability and governance processes to substitute for real executive judgment?
Is our AI governance anchored in a clear strategic view of where we want AI to create value and where we are prepared to draw limits, or are we still mainly reacting to activity as it appears?

The greater risk may be that AI activity is outpacing business model change.

The firms that move ahead may not be the firms with the loudest claims about trustworthy AI or the neatest set of principles. They will be the ones who have done the slower, harder work of clarifying strategy, settling ownership, tightening assurance, strengthening vendor challenge and making human supervision real where it needs to be.

In other words, they will know how to govern AI once it becomes part of everyday operations. That sets a higher bar than committee formation, and a more practical one.

A realistic place to start is with two disciplines that sound basic but are often still unsettled in practice. First, make executive accountability explicit: one leader, with clear authority to drive decisions across business, technology, risk and operations. Second, build a current AI inventory anchored in the firm’s own definition of AI, including third-party tools and embedded capabilities. Without clear ownership and a credible view of what is actually in play, governance remains more visible than real.

Without a clear strategic anchor, governance can quickly become reactive.

Marius van den Berg
EY Africa Financial Services Leader