Why executive oversight is necessary, but participative governance is what unlocks AI value
Mike Baxter & Peter Abraham · April 2026
Consider two organisations. Both have AI policies. Both have governance committees and risk frameworks. Both, if asked, would say they take AI governance seriously.
In the first, a product manager identifies an AI tool that could cut her team’s analysis time by half. She mentions it in a meeting. Her manager says it sounds interesting. Six weeks later, nothing has happened. The approval path is unclear, the IT security review process is opaque, and no one has official permission to proceed. The tool sits unused.
In the second, the same situation plays out differently. There is a clear list of approved tools and a lightweight process for getting new ones assessed. The security review takes five working days. The product manager does not need to escalate above her immediate manager to begin a pilot. Within two weeks, her team is testing the tool. Within six weeks, they have redesigned their workflow and documented what works.
Same governance intent. Completely different structural design. And a measurable performance gap between the two.
Many organisations building AI governance in 2026 are building more of the first of those two organisations than the second. They are creating the executive layer of AI governance — the direction, oversight, risk management and formal accountability — faster than they are building the participative layer: the structural conditions under which people can actually use AI well in the flow of work.
McKinsey’s 2025 global survey found that only 39% of organisations reported enterprise-level EBIT impact from AI, and that redesigning workflows was one of the strongest contributors to meaningful value creation (Singla et al., 2025). The gap is not primarily a technology gap. It is a governance design gap.
This is why AI governance needs two layers. The first is executive AI governance: the governance of direction, risk, investment, oversight and formal control. The second is participative AI governance: the governance of responsible contribution throughout the organisation. The first makes AI governable. The second makes AI usable, adaptable and scalable.
That distinction extends the strategy-governance framework set out in The Complete Guide to Strategy Governance (Baxter, 2026). There, governance is presented as having two inseparable domains: executive governance at the top and participative governance across the organisation, with a nine-facet architecture describing the conditions under which distributed contribution becomes governable rather than chaotic. This article applies that logic directly to AI.
Clay Parker Jones makes the point with unusual force. In Permission to Move, published in April 2026 alongside his book Hidden Patterns, he argues that the organisations that win with AI will not simply be the ones with the best models or the biggest budgets, but the ones where permission is “baked into how the system already works” (Parker Jones, 2026a; Parker Jones, 2026b). AI, in this account, is an accelerant. Once routine effort is automated away, the underlying bottlenecks become more visible — and those bottlenecks are structural rather than technical.
His survey data reinforces the point. Across 174 respondents in twelve industries, high-performing organisations adopt the relevant structural patterns at 1.44 times the rate of everyone else (95% CI: 1.27x–1.64x, Cohen’s d = 0.85 — meaning the average high performer scores above 80% of the comparison group). Parker Jones also reports that the data appears bimodal: two distinct populations, not a smooth gradient. In his interpretation, organisations do not gradually drift toward better structural patterns. They either have the system or they do not. On that reading, partial adoption appears unstable — teams doing some of the right things but not enough tend to drift back toward weaker performance rather than toward durable improvement (Parker Jones, 2026a).
This has a specific implication for AI governance: getting the executive layer right while leaving the participative layer undesigned is not a particularly good interim position. It is a position likely to become more problematic as AI capabilities expand.
What sits underneath the permission problem is a default assumption. Jurriaan Kamer, writing on participatory governance, frames the choice directly: the default assumption in most organisations is that you cannot act unless you are given permission. In progressive organisations, the assumption runs the other way — you can do anything unless a specific policy or agreement prohibits it (Kamer, 2021). Hamel and Zanini’s wider critique of bureaucracy makes the same point at the level of organisational philosophy: the problem is not simply that bureaucracy is slow, but that it suppresses initiative, underuses intelligence and treats judgement as something to be centralised rather than cultivated widely (Hamel and Zanini, 2025). That inversion is the structural change participative AI governance is trying to achieve. It is not a question of culture or attitude. It is a question of design.
This is what this series will call structural permission — permission baked into the operating model rather than granted case-by-case. The contrast is with case-by-case authorisation: a person asks, another person decides, every time. Structural permission is what changes when the default flips from “you may not act unless authorised” to “you may act unless prohibited”. The remainder of this article describes the conditions under which structural permission can be designed and operated rather than merely asserted as cultural aspiration.
Executive AI governance is the part of AI governance most organisations now recognise. It is the domain of formal authority, strategic choice and risk-bearing responsibility.
At minimum, it includes deciding which AI opportunities to pursue, what level of risk is acceptable, where investment should go, which standards and controls apply, who is accountable for oversight, and what escalation paths exist when something goes wrong. It also includes lifecycle monitoring, policy setting, documentation requirements and assurance processes.
A useful distinction sits inside the risk question. Strategic AI risk is the risk that the chosen AI direction is wrong — that capabilities are shifting faster than the organisation can absorb, that AI investment is misaligned with strategic intent, or that competitors are building structural advantages an executive team has not yet recognised. Operational AI risk is the risk that specific systems fail in specific ways: model drift, hallucination, bias, security failures, regulatory non-compliance. Both matter. But they are governed differently, and conflating them tends to produce review meetings rich in operational detail and poor in strategic insight (Baxter, 2026).
Current frameworks and regulation strongly reinforce the executive conception. NIST’s AI Risk Management Framework is organised around GOVERN, MAP, MEASURE and MANAGE, with governance treated as a cross-cutting function across the lifecycle (NIST, 2023). ISO/IEC 42001 describes itself as the world’s first AI management system standard and sets out a structured way to manage AI-related risks and opportunities while balancing innovation with governance (ISO, 2023). The EU AI Act similarly places strong emphasis on deployer obligations around human oversight, monitoring and the use of high-risk systems, within a wider regime of risk management, documentation and lifecycle responsibility across the Act (European Union, 2024).
These AI-specific frameworks sit inside a broader governance benchmark. ISO 37000:2021, the international guidance standard on the governance of organisations, places purpose at the centre of governance and treats stewardship, ethical behaviour and effective performance as the three core outcomes of good governance (ISO, 2021). That broader frame matters because AI governance is not a separate domain from the governance of the organisation as a whole. It is a strand of it. An AI governance regime that is well-aligned with NIST and ISO 42001 but disconnected from the organisation’s purpose, stakeholders and strategic intent is governing the technology while losing sight of why the technology is there.
All of this is necessary. AI governance without an executive layer is not serious governance. Boards and senior leadership cannot abdicate responsibility for risk posture, compliance, investment, accountability or the legitimacy of organisational AI use. But executive governance, though necessary, is not sufficient.
If executive AI governance governs direction and control, participative AI governance governs contribution.
It asks a different set of questions. Under what conditions can people closest to the work identify valuable AI opportunities? How easily can they test an idea without beginning an approval odyssey? How clearly do they understand what is allowed, what is prohibited, what needs checking, and where escalation is required? Can they challenge a poor output, revise a workflow, surface a new risk, or improve a control without needing permission for every move?
These questions matter because AI adoption does not happen only at the level of enterprise strategy. It happens in drafting, analysis, scheduling, customer handling, design work, coding, knowledge retrieval, summarisation, decision support and operational process redesign. OECD evidence is especially useful here. Its workplace surveys found that both workers and employers were generally positive about AI’s effects on productivity and working conditions, but also that more could be done to improve trust. Training and worker consultation are associated with better outcomes for workers (Lane, Williams and Broecke, 2023; OECD, 2024).
The wider organisational evidence points the same way. Edmondson and Bransby’s review of psychological safety identifies four major themes in the literature — getting things done, learning behaviours, improving the work experience, and leadership — and reports a systematic search of 185 empirical articles (Edmondson and Bransby, 2023). A 2024 meta-analysis on team reflexivity adds an especially relevant finding: leaders who support team members’ active participation in discussion and decision-making help create team psychological safety, which in turn supports reflexivity and better team performance (Leblanc et al., 2024). Governance cannot be reduced to formal oversight from above. Better outcomes are associated not only with managerial control, but with involvement, capability and voice among the people affected by AI in their daily work.
Participative governance is not the soft side of governance. It is a balance of enforcement-leaning conditions, which establish the perimeter and structure within which contribution happens, and engagement-leaning conditions, which make contribution meaningful. The Complete Guide identifies nine facets in total, with accountability binding both halves (Baxter, 2026). Applied to AI, those facets describe the conditions under which distributed AI use becomes governable rather than chaotic.
These should not be read as a checklist. They describe conditions that weaken when introduced in isolation and strengthen when designed alongside one another.
Policies and standards for AI define what cannot be done, and how things must be done when they are done. They mark the perimeter of legitimate AI use: which tools are approved, which data classes can be processed, what evidence outputs require, where human validation is mandatory. Their value depends on currency and clarity. A policy library that has accumulated for three years without retirement reviews becomes a maze rather than a perimeter. People stop reading it, and start asking. That collapses autonomy quietly, regardless of what the policies say.
Performance management for AI runs in two directions. Downward, it tracks whether AI use is delivering against the value it was supposed to release: cycle times, quality, output volume, defect rates. Upward, it asks whether the targets being measured are still the right targets given what AI has actually changed about the work. McKinsey’s findings are again instructive: most organisations have not yet redesigned workflows deeply enough to realise material enterprise-level benefits, while higher performers are much more likely to have done so (Singla et al., 2025). Performance management designed only to measure activity within unchanged workflows misses the point. It should also surface where workflow redesign is needed.
Budget allocation is where AI governance becomes concrete. Strategy that names AI as a priority but funds none of it is rhetoric. The governance question is not only how much is spent, but where authority over AI spend sits. Centralising every AI tool decision concentrates strategic learning at the top, where the people farthest from the work must judge what to fund. Devolving spend within clear envelopes places those decisions closer to where evidence accumulates and adaptation is fastest. Most organisations operate hybrid models. The test of whether participative AI autonomy is real is whether teams have the resourcing to act on the autonomy they are nominally given.
Organisation design and RACI convert the abstract ambition of “wider participation in AI” into something operable. Without explicit clarity about who participates in AI decisions, in what role, and at what point, distributed contribution becomes either duplication or omission. RACI for AI is not the same as RACI for a project: it has to address who decides which tools are approved, who is accountable for outputs, who must be consulted before a workflow is redesigned, and who is informed once it has been. Parker Jones’s work on the patterns beneath formal structures applies directly here: a clean RACI on paper produces little if the underlying patterns make consulted parties feel decorative (Parker Jones, 2026b).
Autonomy in AI use means bounded self-direction. Teams and practitioners should be able to use approved AI capabilities, test promising applications and improve their workflows within a clear strategic and risk-management frame. Autonomy does not mean anything goes. It means freedom within known boundaries — and the location of those boundaries must have been clearly communicated rather than left for individuals to guess at. Autonomy in AI is strongest when policies and standards are explicit, when accountability is clear, and when teams have genuine influence over how AI is used in their context.
Influence means that participation is not merely ceremonial. People should be able to affect how AI is actually used — what gets automated, what remains human-led, what counts as good output, what triggers review or escalation. Consultation without influence is governance theatre. The team-reflexivity literature reinforces this: leaders who support active participation in discussion and decision-making improve team psychological safety and performance, which in turn supports the kind of reflective adaptation that AI-mediated work demands (Leblanc et al., 2024).
Transparency means people understand the rules of AI use. They know which tools are approved, what data can and cannot be used, where human validation is required, what evidence should accompany outputs and how decisions are reviewed. Transparency works in both directions. Downward, transparency lets people across the organisation interpret AI policy intelligently rather than guess at it. Upward, it lets governing bodies see how AI is actually being used, where it is succeeding, and where it is being concealed. NIST explicitly links governance to transparency and accountability, and treats governance as integral to the full AI risk-management cycle (NIST, 2023).
Consultation means the people closest to the work help shape how AI is introduced, where it is genuinely useful, and what the main risks are likely to be. AI use cases are rarely neutral technical insertions. They change how work is done, what gets delegated, what gets checked and where responsibility sits. Meaningful consultation has to occur early enough and seriously enough to change minds. Consultation that arrives only once key choices are fixed may secure compliance, but loses access to precisely the local knowledge AI governance most needs.
Accountability sits at the apex of the architecture because it belongs to both halves. The four enforcement-leaning conditions establish the structure under which AI accountability can be enforced. The four engagement-leaning conditions establish the conditions under which AI accountability can be felt. Both routes lead to the same place: people doing what they said they would do with AI, and being answerable for the result.
Participative governance is not governance without consequences. People should know what they are responsible for when they use AI, how outputs are reviewed, what evidence needs to be retained and what happens when something goes wrong. The point is not to eliminate standards. It is to distribute responsible action more intelligently. Where accountability is treated as enforcement only, it produces compliance without ownership. Where it is treated as engagement only, it produces ownership without consequence. Both failures undermine AI governance.
A common misunderstanding is to assume that bounded autonomy must be designed solely by management and handed down to everyone else. In practice, that is too narrow. One of the strongest forms of participative AI governance is giving front-line teams permission not only to use AI within clear boundaries, but to help design the lightweight controls that make their own work more reliable.
This matters because teams closest to the work are often the first to see the real failure modes.
This brings into focus a distinction that does load-bearing work in the rest of this series: the difference between supervisory control and structural control. Supervisory control depends on a person inspecting, approving or escalating after the fact. Structural control is embedded in the procedure itself: the work cannot proceed cleanly unless the relevant conditions have been met. The first depends on memory and diligence. The second takes effect by design.
Consider a practical example. Suppose AI is used to review existing documentation and draft design notes for future work. The human reviewer reads those notes and checks that they broadly make sense, but relies on the AI to do the heavy lifting in assimilating existing knowledge and synthesising a way forward. A predictable failure mode appears: the AI sometimes relies on out-of-date source documents and therefore misses important accumulated knowledge. The problem is not obvious in the fluency of the output. It is silent. It may surface only later, once the design note has already influenced further work.
One response would be to add more supervisory control: more manual checking, more approvals, more escalation. But that is not the only option, and often not the best one. A better response is to design a structural control directly into the workflow: require all regulated documents to display a visible last-updated timestamp; require AI-assisted reviews to cite those timestamps; and require a final check that the cited documents are the most current versions before the design note is committed.
That is governance. But it is governance generated from the work itself, in the interests of the people doing it. It reduces silent failure, rework and delayed error discovery. It preserves permission to move, but makes movement safer.
For AI governance, this distinction is particularly important because AI systems are often very good at exactly the kind of check that structural control requires. What would feel like tedious administrative overhead for a person — finding timestamps, citing them, verifying version freshness across multiple sources — can be performed by an AI-mediated workflow in seconds. AI does not only increase the need for governance; it can also reduce the cost of performing governance well. In practice, some controls that would be cumbersome if performed manually can feel almost costless when embedded procedurally in an AI-mediated workflow. That changes the economics of governance in ways most organisations have not yet thought through.
If an organisation builds only the executive layer of AI governance, several predictable things tend to happen.
Some people wait. They hold back from using AI for worthwhile tasks because the rules are unclear, the escalation path is uncertain, or the social signal is that permission has not really been granted.
Some people work around the system. They use AI anyway, but privately, inconsistently and without enough shared structure.
Others use AI confidently but on weak foundations — with unclear source provenance, insufficient checking, ambiguous accountability or little organisational learning from what is working and what is failing.
Recent evidence suggests this is not a fringe problem. Gillespie et al. (2025) report that 57% of employees say they hide their use of AI and present AI-generated work as their own, while only 47% say they have received AI training and only 40% say their workplace has a policy or guidance on generative AI use. The survey suggests that AI use is often outpacing formal governance arrangements at work. People are moving — but without the participative layer, they are often moving in the dark. The executive governance exists, or is being built, but the structural permission to act responsibly within it has not been distributed. What has been created is not safe, governed AI use. It is concealed AI use (Gillespie et al., 2025).
McKinsey’s findings point in a similar direction from a performance angle. Most organisations had not yet embedded AI deeply enough into workflows and processes to realise material enterprise-level benefits, while higher performers were much more likely to have fundamentally redesigned individual workflows (Singla et al., 2025).
The lesson is straightforward. Executive governance can make AI permissible. Participative governance is what helps make AI productive.
At this point, some readers may worry that the argument is becoming contradictory. If the problem is too much permission-seeking, why introduce more controls at all?
The answer is that the real opposition is not between permission and governance. It is between poorly designed governance, which slows work through avoidable friction, and well-designed governance, which makes good work more dependable without constant escalation.
That is why bounded autonomy is the right frame — not maximum freedom, and not minimum freedom, but the negotiated zone in which people understand what they can do and do not need to ask. And one aspect of that negotiated zone is permission to improve the lightweight controls around your own AI-mediated work, so that the work is less likely to fail silently.
This is also where AI governance begins to point beyond itself. Once controls are embedded in the procedure of work rather than existing only as written expectations, governance starts to become structural rather than merely documentary. The shift — from governance as a document about how things should happen to governance as a structural artefact that takes effect by its design — is the subject of the next article in this series.
A policy that says “use the latest approved documents when drafting design notes” is better than nothing. But it still leaves compliance dependent on memory, diligence and after-the-fact inspection.
A workflow that requires timestamps to be cited and automatically checks that cited versions are current before the work is committed is something else. Governance is no longer only a document. It has become part of the operational structure of the work itself.
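The timestamp control described above, written as a check that runs before a design note is committed. This is an added example, not code from the authors; the citation syntax `[doc:ID @ timestamp]`, the registry of current last-updated timestamps, the status names and all document ids are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed citation syntax for this example: [doc:DOC-ID @ ISO-8601 timestamp]
CITATION = re.compile(r"\[doc:(?P<id>[A-Za-z0-9_-]+)\s*@\s*(?P<ts>[^\]]+)\]")


def parse_ts(raw):
    """Parse an ISO 8601 timestamp; return None unless it carries a timezone."""
    try:
        ts = datetime.fromisoformat(raw.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    # A timestamp without an offset cannot be compared safely, so reject it.
    return ts if ts.tzinfo is not None else None


def check_design_note(note_text, registry):
    """Return (doc_id, status) findings; an empty list means every citation is current.

    registry maps document id -> current last-updated timestamp (assumed to be
    exported from wherever the regulated documents are managed).
    """
    citations = list(CITATION.finditer(note_text))
    if not citations:
        # A note that cites nothing cannot be verified, so it fails closed.
        return [("<note>", "no_citations")]
    findings = []
    for match in citations:
        doc_id = match.group("id")
        cited = parse_ts(match.group("ts"))
        if cited is None:
            findings.append((doc_id, "malformed_timestamp"))
        elif doc_id not in registry:
            findings.append((doc_id, "unknown_document"))
        else:
            current = parse_ts(registry[doc_id])
            if current is None:
                findings.append((doc_id, "registry_timestamp_invalid"))
            elif cited < current:
                # The AI-assisted review read a superseded version.
                findings.append((doc_id, "stale"))
            elif cited > current:
                # The citation claims a version the registry has never seen.
                findings.append((doc_id, "cited_newer_than_registry"))
    return findings


def may_commit(findings):
    """The structural control: the note is committed only with zero findings."""
    return not findings


# Constructed sample data (not from the article).
REGISTRY = {
    "SOP-014": "2026-03-14T09:30:00Z",
    "SPEC-220": "2026-02-02T16:00:00Z",
    "RISK-007": "2025-11-20T08:15:00Z",
}
NOTE_OK = (
    "Approach follows [doc:SOP-014 @ 2026-03-14T10:30:00+01:00] and the "
    "register in [doc:RISK-007 @ 2025-11-20T08:15:00Z]."
)
NOTE_STALE = (
    "Interfaces per [doc:SPEC-220 @ 2025-09-01T12:00:00Z], process per "
    "[doc:SOP-014 @ 2026-03-14T09:30:00Z], see also "
    "[doc:DRAFT-9 @ 2026-01-01T00:00:00Z]."
)

if __name__ == "__main__":
    for name, note in (("NOTE_OK", NOTE_OK), ("NOTE_STALE", NOTE_STALE)):
        result = check_design_note(note, REGISTRY)
        print(name, "commit allowed" if may_commit(result) else "blocked", result)
```

Timestamps are compared as instants, so a citation written with a `+01:00` offset matches the same moment recorded in UTC, and a note with no citations at all is blocked rather than passed.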
The broader implication is that AI governance should not be imagined only as a set of constraints on AI systems. It should also be understood as a way of using AI-mediated workflows to make good governance cheaper, faster and more consistent to perform. NIST’s framing of governance as a cross-cutting function, rather than a single gate at the front of a process, is consistent with this view (NIST, 2023).
AI governance needs two layers. Many organisations are still building one faster than the other.
The first is executive AI governance. It sets direction, defines limits, allocates resources, establishes formal accountabilities and governs strategic and operational risk. Current standards and regulation are right to emphasise this — and the broader purpose-led benchmark of ISO 37000 reminds us that AI governance is a strand of organisational governance, not a separate domain. Without an executive layer, AI governance is superficial (European Union, 2024; ISO, 2021; ISO, 2023; NIST, 2023).
The second is participative AI governance. It creates the conditions under which people can use AI responsibly and effectively in real work. It works as a balance: enforcement-leaning conditions (policies and standards, performance management, budget allocation, organisation design and RACI) set the perimeter; engagement-leaning conditions (autonomy, influence, transparency, consultation) make contribution meaningful; and accountability binds both halves. It also gives teams permission to improve the controls around their own AI-mediated workflows — making those workflows more dependable and more resistant to silent failure. OECD’s findings on training and worker consultation, McKinsey’s findings on workflow redesign, the wider psychological-safety and team-reflexivity literature, and Parker Jones’s argument about structural permission all point in this direction (Edmondson and Bransby, 2023; Lane, Williams and Broecke, 2023; Leblanc et al., 2024; OECD, 2024; Parker Jones, 2026a; Singla et al., 2025).
The question worth sitting with is not whether your organisation has a governance framework. It almost certainly does, or is building one. The question is whether the people doing the work — the ones closest to the real failure modes, the ones whose judgement determines whether AI output is used well or used badly — have been given genuine structural permission to act within it. Not permission they have to ask for. Permission that is already there.