May 4, 2026 · 8 min read

The AI Governance Gap: Why PE-Backed SaaS Companies Need a Framework Before They Need More AI

By Jess Keeney · Founder, Just Keen AI

The Governance Gap

Governance & Risk is the lowest-scoring dimension in AI readiness assessments globally — with an industry median of 28 out of 100 and even top-quartile companies reaching only 55. Every other dimension — strategy, data readiness, architecture, team culture, competitive position — scores higher. Governance is where the floor drops out.

That number should stop you. Companies are not scoring 28 because they don't care about governance. They are scoring 28 because AI adoption is moving faster than the organizational infrastructure required to govern it responsibly. Tools are deployed before policies exist. Agents are running in production before anyone has documented what they can do, what they can spend, or who owns the kill switch. Shadow AI — tools adopted by employees outside IT procurement — is proliferating across every department, invisible to the people responsible for managing risk.

The gap between adoption velocity and governance maturity is not an abstract problem. It is the risk that surfaces in due diligence. Growth equity buyers and strategic acquirers have started treating AI governance as a distinct diligence workstream — not as a proxy for cyber security, but as a standalone signal about how the company has thought about and managed the risks specific to AI adoption.

If your portfolio company can't answer "show me your AI governance policy" with evidence — not a wiki page, not an all-hands slide from six months ago — that's a finding.

Evidence means training completion rates. Evidence means a shadow AI scan report from last quarter with findings dispositioned. Evidence means a tool approval workflow audit log with entries in it. The question is never "do you have a policy?" — it is "what evidence exists that the policy is followed?" Most companies are somewhere between those two questions and closer to the first one than they realize.

- 28: industry median Governance & Risk score out of 100
- 55: top-quartile Governance & Risk score, still a failing grade
- #1: lowest-scoring AI readiness dimension globally

Seven Principles That Change the Conversation

Most governance conversations start with frameworks and checklists. This one starts with principles — because a framework built on the wrong assumptions produces governance theater, not governance substance. The seven principles below are the load-bearing assumptions that determine whether a governance control is real or cosmetic.

1. Human accountability is non-delegable.

An AI system cannot be the accountable party. Every AI capability must have a named human owner — a person with a title, a reporting line, and explicit responsibility for what the system does and the decisions it influences. When an acquirer asks "who is responsible for this AI system?" the answer must be a person, not a team name or a model version.

2. Evidence over policy.

A governance control that cannot produce evidence of enforcement is a governance gap, not a governance control. Policies that exist only in documents do not survive due diligence. Auditors and acquirers ask for training records, scan results, audit logs, and incident reports. A well-written policy with no evidence trail is worse than acknowledged absence, because it suggests the organization doesn't know the difference.

3. Governance scales with blast radius.

The rigor of oversight is proportional to what the AI system can do, spend, or break. A copilot suggestion that a human reviews before acting gets lighter governance than an agent with production write access or the ability to send communications on behalf of the company. Over-governing low-risk tools kills adoption and drives shadow AI. Under-governing high-risk agents creates liability that doesn't surface until something goes wrong.

4. Shadow AI is a governance failure, not a user failure.

When employees adopt unsanctioned AI tools, the governance program has failed to provide a viable sanctioned path. The right response is not punishment — it is discovery, followed by either enablement or risk-justified prohibition with a supported alternative. Prohibition without alternatives produces hidden risk, not safer behavior. This is the most provocative principle in the framework because it shifts blame from users to the governance program itself — which is exactly where it belongs.

5. AI incidents are distinct from cyber incidents.

Model hallucination, bias drift, prompt injection, agent misbehavior, and output toxicity require their own response playbooks. A cyber IR plan does not cover "our AI recommended a harmful action to a customer" or "our agent sent 10,000 emails before anyone noticed." Different failure modes require different ownership, different escalation paths, and different post-incident analysis.

6. Vendor governance is supply chain governance.

AI providers — model APIs, fine-tuning platforms, inference infrastructure — are critical operational dependencies, not interchangeable SaaS utilities. A company whose entire AI capability runs through a single provider has a single-vendor dependency at the infrastructure layer. That is a board-level risk in any PE portfolio company, and it is the kind of risk that appears as a finding in a quality-of-earnings review if not proactively documented.

7. Governance enables velocity.

The purpose of a governance framework is not to slow AI adoption — it is to make adoption sustainable. Ungoverned AI programs do not move faster; they move faster until the first significant incident, then they stall while leadership decides what to do. The companies that will compound AI advantage over time are the ones that build governance infrastructure early, not the ones that sprint without guardrails and then stop to clean up.

What a Governance Framework Actually Looks Like

The Just Keen AI Governance Framework organizes AI governance into six domains, each covering a distinct layer of the governance stack. Domain 1 establishes foundational policy infrastructure. Domain 2 addresses AI-specific risk management — the blast-radius documentation, adversarial testing, and incident response playbooks that distinguish an AI risk program from a cyber risk program. Domain 3 covers regulatory and compliance readiness, with particular relevance for companies operating in financial services, healthcare, or insurance. Domain 4 operationalizes AI ethics — not as a published principles document, but as a testing program with logged results by AI feature. Domain 5 addresses explainability and audit, including the ability to produce a complete account of any AI-driven decision within a defined response SLA. Domain 6 covers vendor and supply chain governance, including concentration risk, sub-processor tracking, and AI-specific insurance coverage.

Every domain follows the same seven-component structure: domain statement, governing principle, maturity model, RACI table, governance indicators, industry alignment, and PE due diligence signal. The structure is consistent because inconsistency is itself a governance risk: if each domain were assessed differently, comparing maturity across the program would become impossible.

The Domain 1 maturity model gives you a concrete sense of what the levels mean in practice:

| Level | What It Looks Like |
|---|---|
| 1 — Absent | No AI governance policy exists. Individual teams are making AI adoption decisions entirely at their own discretion with no central visibility. |
| 2 — Acknowledged | AI governance has been recognized as a need at the leadership level, but no formal policy has been drafted and no owner has been designated. |
| 3 — Informal | Informal guidelines exist (a Slack channel, a Confluence wiki page, or an all-hands slide), but they are not enforced and most employees are unaware they exist. |
| 4 — Formal | A written AI governance policy exists with a named owner, version number, effective date, org-wide communication, a defined approval workflow, and a scheduled annual review cycle. |
| 5 — Optimized | The policy is actively enforced with documented evidence: training completion rates tracked, shadow AI discovery scans run quarterly, approval workflow produces an audit trail, and violations result in documented follow-up. |

Most mid-market SaaS companies score at Level 2 or Level 3. A few are at Level 4. Almost none are at Level 5. The distance between Level 3 and Level 5 is the distance between governance theater and governance substance — and it is the distance that shows up in due diligence. Each domain in the full framework includes the complete RACI accountability table, governance indicators that tell you whether a control is actually operating, industry alignment mapping to NIST AI RMF, ISO/IEC 42001, and the EU AI Act, and a PE due diligence signal translating each domain into evidence that survives a quality-of-earnings review.

The PE Value Creation Lens

Governance matters for three reasons that PE operating partners and portfolio company CTOs should care about directly — and none of them is "because it's the right thing to do."

Due diligence readiness. Governance artifacts are data room items. Growth equity and M&A buyers increasingly include AI governance as a distinct diligence workstream. The test is simple: can you produce, from existing documentation and within minutes rather than days, evidence that your AI governance program has been exercised and not just written? A versioned policy with a review history. A shadow AI scan report from last quarter. A tool approval workflow audit log. A blast-radius document for every deployed agent with a named kill-switch owner. If these artifacts don't exist, they cannot be produced under time pressure — and the absence is priced into the deal.

Risk-adjusted valuation. Ungoverned AI creates valuation risk across four distinct dimensions. Regulatory exposure is the most visible: a company whose AI features have not been mapped to applicable regulations is carrying a remediation liability that an acquirer will quantify. Customer liability risk is adjacent but distinct — when an AI system causes harm and the company has no incident response playbook and no documented accountability owner, the liability calculation becomes open-ended. Key-person dependency is subtler but equally material: AI systems built without documentation or formal ownership create organizational fragility that surfaces in a quality-of-earnings review. Shadow AI compounds all of these — tools adopted outside IT procurement represent unknown data exposure and undisclosed vendor dependencies. An acquirer who discovers shadow AI in due diligence is not looking at a governance gap. They are looking at evidence that the governance program was not real.

The exit narrative. The company that arrives at exit with a versioned governance policy, an active risk register, a vendor register with concentration analysis, and bias testing results by AI feature is telling a fundamentally different story than the one that adopted AI fast and deferred governance to later. An acquirer asks the CTO to walk through every deployed AI agent, its blast radius, and its kill-switch owner. The pause before answering is itself a finding. The CTO who produces that document in minutes — listing every agent, its read versus write access, its communication authority, its spend limits, and its named owner — is signaling operational excellence, not compliance. That is the story an operating partner tells the next buyer: this team moved fast with judgment. Governance maturity at exit is the difference between a feature on the pitch deck and a defensible claim about how the company is run.
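The agent inventory described above, and the blast-radius tiering from principle 3, can be checked mechanically rather than assembled under pressure. The example below is added here and is not code from the Just Keen AI framework; the record fields, the spend threshold, and the sample agents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Spend limit above which an agent is treated as high blast radius.
# Assumed value for this example, not a figure from the framework.
HIGH_SPEND_USD = 1_000.0

@dataclass
class AgentRecord:
    name: str
    owner: Optional[str]              # named human accountable for the agent
    kill_switch_owner: Optional[str]  # the person who can stop it, by name
    write_access: bool                # can change production data or systems
    sends_communications: bool        # can message customers on the company's behalf
    spend_limit_usd: Optional[float]  # None means no limit is documented

def blast_radius_tier(a: AgentRecord) -> str:
    """Principle 3: oversight scales with what the agent can do, spend, or break."""
    if a.sends_communications or a.spend_limit_usd is None or a.spend_limit_usd > HIGH_SPEND_USD:
        return "high"
    if a.write_access:
        return "medium"
    return "low"

def diligence_findings(register: list[AgentRecord]) -> list[tuple[str, str, str]]:
    """Return (tier, agent, gap) for each missing artifact, highest tier first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    out = []
    for a in register:
        tier = blast_radius_tier(a)
        if not a.owner:
            out.append((tier, a.name, "no named human owner"))
        if not a.kill_switch_owner:
            out.append((tier, a.name, "no named kill-switch owner"))
        if a.spend_limit_usd is None:
            out.append((tier, a.name, "spend limit not documented"))
    return sorted(out, key=lambda f: (rank[f[0]], f[1]))  # stable: gaps keep order per agent

# Constructed sample register; agent names, people, and limits are illustrative only.
SAMPLE_REGISTER = [
    AgentRecord("ticket-summarizer", "P. Shah, Support Eng Mgr", "P. Shah, Support Eng Mgr", False, False, 200.0),
    AgentRecord("invoice-reconciler", "M. Lee, Finance Ops", None, True, False, 500.0),
    AgentRecord("outbound-followup", None, None, True, True, None),
]

if __name__ == "__main__":
    for tier, agent, gap in diligence_findings(SAMPLE_REGISTER):
        print(f"[{tier:6}] {agent}: {gap}")
```

Run against a real register, the output is the list of gaps an acquirer would raise, ordered by how much the agent can break.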

Start With Your Baseline

The fastest way to know where you stand is to take the AI Readiness Assessment. The assessment covers six dimensions of AI readiness; your Governance & Risk dimension score maps directly to maturity levels across the governance framework's domains.

The mapping is explicit. A score of 2 on "formal AI governance policy" maps to Level 2 in Domain 1 — Acknowledged, with a designated gap in policy drafting and ownership. A score of 4 on "how AI-related risks are managed" maps to Level 4 in Domain 2 — Cross-functional, with a formal risk register and defined escalation paths in place. You can take your assessment results directly into the framework and know immediately which domains to prioritize, which governance indicators to target first, and what "good" looks like for your company's size and stage. The assessment takes under 10 minutes and produces a scored readout you can bring into your next operating review.

Read the Full AI Governance Framework

Principles, maturity models, and two complete governance domains are free to access. The full 6-domain framework — including implementation roadmap, PE value creation appendix, and industry alignment reference — is available with an Insider membership.

Sources

Governance benchmark data (industry median: 28/100, top quartile: 55/100) is based on the JustKeenAI AI Readiness Assessment — Governance & Risk dimension, aggregated across mid-market SaaS companies ($10M–$500M ARR).