Learning AI governance lessons from SaaS and Web2

The experimental phase of generative AI is over. Enterprises now face mounting pressure — from boardrooms to the front lines — to move AI into production to streamline operations, enhance customer experiences, and drive innovation. Yet, as AI deployments grow, so do its reputational, legal, and financial risks.

The path forward is clear. After all, good governance is good business. Gartner expects enterprises that invest in AI governance and security tools to achieve 35% more revenue growth than those that don’t. But many leaders are unsure where to start. AI governance is a complex, evolving field, and navigating it requires a thoughtful approach. Fortunately, lessons from the governance journeys of SaaS and Web2 offer a proven roadmap.

AI governance challenges

AI governance isn’t just a technical hurdle — it’s a multifaceted challenge. Gaining visibility into how AI systems interact with data remains difficult, because AI systems often operate as black boxes, defying traditional auditing methods. Solutions that have worked in the past, such as observability and periodic reviews of development practices, don’t mitigate the risks of unpredictable behavior nor prove acceptable use of data when applied to large language models (LLMs).

Complicating matters further is AI’s rapid evolution. Autonomous systems are advancing quickly, with the emergence of agents capable of communicating with each other, executing complex tasks, and interacting directly with stakeholders developing. While these autonomous systems introduce exciting new use cases, they also create substantial challenges. For example, an AI agent automating customer refunds might interact with financial systems, log reason codes for trends analysis, monitor transactions for anomalies, and ensure compliance with company and regulatory policies — all while navigating potential risks like fraud or misuse. 

The regulatory landscape also remains in flux, particularly in the U.S. Recent developments have added complexity, including the Trump administration’s recent repeal of Biden’s AI Executive Order. This will likely lead to an increase in state-by-state legislation over the coming years, making it difficult for organizations operating across state lines to predict the specific near-term and long-term guidelines they need to meet. Recent developments like the Bipartisan House Task Force’s report and recommendations on AI governance have highlighted the lack of clarity in regulatory guidelines. This uncertainty leaves organizations struggling to prepare for a patchwork of state-specific laws while managing global compliance demands like the EU AI Act or ISO 42001.

In addition, business leaders face numerous governance frameworks and approaches, each optimized to address different challenges. This abundance of approaches forces business leaders into a continuous cycle of evaluation, adoption, and adjustment. Many organizations resort to reactive, resource-intensive processes, creating inefficiencies and stalling AI progress.

It’s time to break the cycle. AI governance must evolve from reactive to proactive to drive responsible innovation.

From reactive to proactive governance

This ad hoc approach to AI governance mirrors the initial paths of SaaS and Web2. Early SaaS and Web2 companies often relied on reactive strategies to address governance issues as they emerged, adopting a “wait and see” approach. SaaS companies focused on basics like release sign-offs, access controls, and encryption, while Web2 platforms struggled with user privacy, content moderation, and data misuse.

This reactive approach was costly and inefficient. SaaS applications scaled with manual processes for user access management and threat detection that strained resources. Similarly, Web2 platforms faced backlash over privacy violations and inconsistent enforcement of policies, which eroded trust and hampered innovation.

The turning point for both industries came with the adoption of continuous, automated governance. SaaS providers implemented continuous integration and continuous delivery (CI/CD) pipelines to automate the testing of software and deployed tools for real-time monitoring, reducing operational burdens. Web2 platforms implemented machine learning to flag inappropriate content and detect fraud at scale. The results were clear: improved security, faster innovation, and lower costs. 

AI is now at a similar crossroads. Manual, reactive governance strategies are proving inadequate as autonomous systems multiply and data sets grow. Decision-makers frustrated with these inefficiencies can look at the shift toward automation in SaaS and Web2 as a blueprint for transforming AI governance within their organizations. 

Continuous and automated AI governance

A continuous, automated approach is the key to effective AI governance. By embedding tools that enable these features into their operations, companies can proactively address reputational, financial, and legal risks while adapting to evolving compliance demands.

For example, continuous, automated AI governance systems can track data to ensure compliance with the EU AI Act, ISO 42001, or state-specific legislation such as the Colorado AI Act. These systems can also reduce the need for manual oversight, allowing technical teams to focus on innovation rather than troubleshooting. 

As organizations increasingly integrate AI into their operations, the stakes for effective governance grow higher. The companies that adopt governance strategies focused on continuous and automated monitoring will gain a competitive edge, reducing risks while accelerating deployment. Those that don’t risk repeating the costly mistakes of SaaS and Web2 — falling behind on compliance, losing customer trust, and stalling innovation.

The message is clear: A continuous, automated approach to governance isn’t just a best practice — it’s a business imperative.

Greg Whalen is CTO of Prove AI.

—

Generative AI Insights provides a venue for technology leaders—including vendors and other outside contributors—to explore and discuss the challenges and opportunities of generative artificial intelligence. The selection is wide-ranging, from technology deep dives to case studies to expert opinion, but also subjective, based on our judgment of which topics and treatments will best serve InfoWorld’s technically sophisticated audience. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Contact doug_dineley@foundryco.com.