
AI Governance Is a Data Problem: How to Build Trustworthy AI at Scale

Key Insights 

  • AI governance is inseparable from data governance – the trustworthiness of any AI system is only as strong as the quality, lineage, and controls of the data it relies on. Organizations cannot govern AI effectively without first governing the data that trains, tests, and operates it. 
  • Governance is a competitive differentiator, not just a compliance cost. Organizations classified as “AI Masters” — those with advanced data governance and infrastructure — achieved approximately 24% higher revenue growth than less mature peers, demonstrating that governance programs deliver measurable business value. 
  • A layered standards framework is the most practical path forward — combining NIST AI RMF for risk management, ISO/IEC 42001 for systematic AI management, and EU AI Act requirements provides organizations with a structured, extensible foundation that reduces regulatory fragmentation across jurisdictions. 
  • The risks organizations fear most are governance failures – according to Deloitte, the top AI concerns (data privacy and security at 73%, regulatory compliance at 50%, and governance oversight at 46%) all stem from inadequate governance, not technical limitations. 
  • Trustworthy AI requires continuous oversight, not a one-time exercise – model drift (changes in behavior over time without explicit updates), response hallucinations (false or inaccurate responses), emerging regulations, and evolving ethical expectations mean governance must be embedded as an ongoing operational discipline, with regular monitoring, revalidation, and cultural commitment at every level of the organization. 

Introduction 

AI is no longer experimental; it’s operational. But as adoption accelerates, most organizations are discovering the same problem: the risk is scaling just as fast as the value. The discipline that has emerged to address these challenges is AI and data governance — a structured set of policies, processes, standards, and accountability mechanisms that ensure AI is developed and used responsibly. 

This research document explores what AI and data governance mean in practice, why they have become a strategic imperative for organizations of every size, and how leaders can build robust governance frameworks aligned with emerging global regulations and industry best practices. 

What Is AI and Data Governance? 

AI governance is about one thing: ensuring AI systems produce outcomes you can trust—and defend. 

At its core, AI governance is the application of oversight, accountability, and control mechanisms to AI systems throughout their lifecycle — from data collection and model training to deployment, monitoring, and eventual retirement. Data governance, its essential companion, focuses on ensuring that the data underpinning those systems is accurate, complete, consistent, secure, and used ethically. 

Trust 

AI deployments that aim to gain the trust of organizations and their stakeholders (leadership, employees, and customers) must demonstrate [1]: 

  • Transparency & Explainability – stakeholders can understand how a model reached its conclusions. 
  • Fairness & Bias Mitigation – systematic checks to prevent discriminatory outcomes. 
  • Accountability & Compliance – clear ownership at each stage of the AI lifecycle, aligned with regulations such as the EU AI Act [2] and U.S. Executive Order 14110 [3].

Consistent Standards 

AI governance depends on data governance. Poor data leads to biased models, security risks, and failed audits. Teams may lack visibility into how model decisions were produced, leading to trust and adoption issues. 

Data governance answers critical questions, such as: 

  • Who owns the data? 
  • Who or what systems should have access? 
  • How was it prepared, and what transformations were applied? 
  • Where else is it used? 
  • Does the data contain sensitive data? [4] 

Traditional Data Governance vs. AI Data Governance 

Traditional data governance focused on reporting, analytics, and regulatory compliance — a settled discipline built around neatly organized, well-structured data. Then came generative AI. Suddenly, organizations scrambled to govern new technology, leaning on newly formed AI councils to set the rules and police the road [5]. 

Today, as the pace of AI innovation accelerates, adoption across the enterprise has made data governance a key roadblock to AI progress: 62 percent of organizations believe a lack of data governance is the primary data challenge hindering AI initiatives [5, 6]. 

AI data governance extends that scope to cover the full lifecycle of data flowing into models — including training data sets, real-time inputs, derived features, and outputs. Data governance must draw on lessons from traditional practices and integrate them with the realities of generative AI. AI is only as trustworthy as its data. Without quality, lineage, and access controls, outputs can’t be trusted—or audited. Conversely, a robust data governance program that fails to account for the novel risks of AI (such as model drift, adversarial inputs, or emergent behaviors) leaves organizations exposed.

Effective AI Governance 

The following interdependent concepts underpin effective AI and data governance: 

  • Accountability and Ownership – Define clear roles such as Chief Data Officers (CDOs), AI Ethics Boards, and model owners who are responsible for governance outcomes. 
  • Compliance – Ensure AI systems comply with evolving regulations, including EU Regulation 2024/1689, California SB53 (discussed in more detail below), GDPR, the CCPA, and other emerging AI-specific legislation. Regulations are evolving quickly—reactive compliance is no longer enough. 
  • Data Quality, Integrity, and Lineage – Establish end-to-end traceability of data sources, transformations, and dependencies across AI pipelines. Robust lineage is essential in multi-source environments, enabling rapid root-cause analysis, auditability, and transparency. It also enforces standards for completeness, accuracy, timeliness, and representativeness of datasets used in model training and validation. 
  • Data Security – Prevent sensitive information from infiltrating AI training datasets, where it can become embedded in current LLMs and potentially be accessible to users without detection. Hidden security risks arise when terabytes of data containing personal information are used to train models. 
  • Ethical Considerations – Implement bias detection and fairness testing to prevent discriminatory outcomes. AI systems can perpetuate historical biases in training data, making ethical oversight crucial for responsible AI deployment. 
  • Risk Management and Compliance – Systematically identify, measure, and mitigate technical, ethical, and regulatory risks across the entire AI lifecycle [1]. 

NIST AI Risk Management Framework (RMF) & ISO/IEC 42001 

The following table provides a crosswalk for an AI Governance Framework based on NIST and ISO standards. 

The NIST AI Risk Management Framework 

The NIST AI Risk Management Framework provides a widely adopted structure for managing AI risk: 

  • Map — Identify and contextualize AI risks within organizational objectives and the broader sociotechnical environment. 
  • Measure — Assess and monitor the impact and likelihood of identified risks using quantitative and qualitative methods. 
  • Manage — Prioritize and mitigate risks based on their potential organizational and societal effects. 
  • Govern — Establish an organizational culture and accountability structure for responsible AI. 

Sector regulators in the United States, including the CFPB, FDA, SEC, FTC, and EEOC, are citing NIST AI RMF principles in their expectations for safe AI deployment, making adoption a practical necessity for organizations in regulated industries [7]. 

ISO/IEC 42001: The Emerging Global Benchmark 

ISO/IEC 42001 — the AI Management System Standard — is becoming the global benchmark for AI governance compliance. It integrates principles from the NIST AI RMF and the EU AI Act into a certifiable management system [8] that organizations can implement alongside existing ISO standards, such as ISO 27001 (cybersecurity) [9], ISO 27017 (cloud services security) [11], and ISO 9001 (quality management) [10].

Table 1: ISO and NIST Control Framework Mappings [11, 12]

Layered Standards 

Many organizations are adopting a layered compliance strategy: starting with the NIST AI RMF for risk management, then adding ISO/IEC 42001 for systematic AI management. 

Why AI and Data Governance Matter Now 

The urgency of AI governance has never been greater. According to Gartner, by 2026, 50 percent of large enterprises will have formal AI risk management programs—up from less than 10 percent in 2023. A 2025 study by IDC and NetApp found that organizations classified as “AI Masters”—those with advanced data governance, infrastructure modernization, and security integration—achieved approximately 24.1 percent higher revenue growth than less mature peers. Governance is not just a compliance cost; it is a competitive differentiator [13]. 

AI and Data Strategy 

AI platforms are becoming decision-making platforms. Artificial Intelligence (AI) is revolutionizing data science and analytics by fundamentally improving what practitioners can accomplish and, in some cases, shifting the role of the data scientist [14]. However, with these enhanced capabilities comes risk. AI models are still not foolproof. Hallucinations, as well as improper model training, can lead to unforeseen results and to decisions based on invalid information and assumptions. 

AI Risk Management 

According to a recent Deloitte study, the AI risks companies are most worried about all relate to governance. Data privacy and security tops the list at 73%, followed by legal, intellectual property, and regulatory compliance (50%), governance capabilities and oversight (46%), and model quality, consistency, and explainability (46%). [7, 15] 

Figure 1: AI Risk Concerns [15]

Under ISO/IEC 42001, lineage directly supports requirements for data quality, system transparency, and auditability by enabling organizations to document the origin, transformation, and use of data across AI system lifecycles.[16] 

Similarly, the NIST AI Risk Management Framework emphasizes traceability and documentation as core to trustworthy AI, requiring organizations to maintain sufficient records to support explainability, validation, and ongoing monitoring of AI systems.[12] 

Reputational and Ethical Stakes 

AI systems that perpetuate bias, invade privacy, or make unexplained consequential decisions carry real reputational risks. High-profile failures — from biased hiring algorithms to flawed facial recognition deployments — have demonstrated that poorly governed AI can erode public trust, invite regulatory scrutiny, and expose organizations to litigation. Data governance for AI goes beyond mere compliance: it is the mechanism by which organizations demonstrate that they take their ethical obligations seriously. [17] 

Operational Efficiency and Data Lineage 

Effective governance also delivers tangible operational benefits. When organizations implement comprehensive data lineage tracking — knowing exactly which datasets contributed to each model’s output — they can identify and remediate errors faster, reduce the risk of regulatory penalties, and improve the reproducibility of AI results. Data lineage is now a foundational capability within modern metadata management and governance platforms, with adoption accelerating alongside broader investments in data observability, AI risk management, and regulatory compliance.

Best Practices for Implementing AI and Data Governance 

Building a governance program that is both practical and durable requires more than compliance checklists. The following practices represent the current consensus among leading practitioners and research organizations. 

1. Establish Clear Roles and Responsibilities 

Governance without ownership is governance in name only. Organizations should designate accountable individuals for AI and data governance: a Chief Data Officer or Chief AI Officer at the executive level, supported by AI Ethics Boards or governance committees, data stewards for individual datasets, and model owners for each deployed system. Clear RACI matrices (Responsible, Accountable, Consulted, Informed) help prevent accountability gaps, particularly in cross-functional AI projects where data science, IT, legal, and business teams must collaborate [18]. 

2. Build a Data Quality Foundation 

Machine learning models amplify the quality of their training data — for better and for worse. Governance programs must set data quality standards that address representativeness across the problem space, temporal relevance, feature quality, and the absence of harmful biases. This requires both technical tooling (data profiling, automated quality checks, and anomaly detection) and human review processes, particularly for high-risk applications [19]. 

3. Implement End-to-End Data Lineage 

Data lineage — the ability to trace data from its origin through all transformations to its use in a model — is now a regulatory expectation under the EU AI Act and a growing requirement in many other jurisdictions. Organizations should deploy lineage tools that integrate with their data pipelines and model registries, providing an auditable record that can be presented on demand to regulators, auditors, and internal stakeholders [20]. 

4. Conduct Fairness Audits and Bias Testing 

The dual governance approach — combining traditional data governance with AI-specific oversight, such as fairness audits and bias reviews — is now considered essential to responsible AI development. Fairness audits should be conducted before model deployment and at regular intervals thereafter to assess disparate impact across protected characteristics, including race, gender, and age. Results should be documented, and remediation plans should be implemented where disparities are found [11].

5. Design Human-in-the-Loop Checkpoints 

For high-impact decisions (e.g., credit, healthcare, hiring), human oversight is both an ethical and regulatory requirement. Governance frameworks should specify which decisions require human review, what thresholds trigger escalation, and how human oversight is documented [21]. 

6. Foster a Culture of Responsible AI 

Technology and policy alone cannot deliver trustworthy AI. Organizations must cultivate a culture in which every team member — from data engineers to business analysts to executive sponsors — understands their role in responsible AI. This requires ongoing training, clear ethical guidelines, psychological safety to raise concerns, and visible leadership commitment. Organizations with strong AI governance cultures are significantly better positioned to realize the full value of their AI investments while managing associated risks [5]. 

Common Challenges and How to Overcome Them 

Even well-resourced organizations encounter significant obstacles when implementing AI and data governance programs. Awareness of the most common pitfalls can help teams navigate them effectively. 

Siloed data and AI teams – AI projects isolated from data governance teams tend to produce systems lacking proper documentation, lineage, and risk oversight. Cross-functional governance committees and shared tooling are key to breaking down silos. 

Governance as a one-time exercise – AI models degrade over time as the world changes, a phenomenon known as model drift. Governance must be continuous, with regular monitoring, re-validation, and refresh cycles built into operational processes. 

Regulatory fragmentation – As we noted in other documents in this series, organizations operating across multiple jurisdictions must navigate a patchwork of standards [22, 23]. AI regulations are still evolving, and several national and regional regulations now coexist. Adopting a layered framework (NIST AI RMF + ISO 42001 + EU AI Act) provides a structured foundation that can be extended as new requirements emerge. 

Legacy data infrastructure – Many organizations struggle to implement modern lineage and quality tools atop aging data architectures. Prioritizing data modernization, even incrementally, pays dividends in governance readiness and AI performance alike. 

Looking Ahead: The Future of AI and Data Governance 

The trajectory is clear: AI governance will only grow more demanding and more consequential in the years ahead. Several trends are shaping the future of the discipline. 

AI-powered governance tools are themselves becoming part of the solution. Intelligent cataloging platforms, automated policy enforcement, and real-time model monitoring are enabling organizations to scale governance in ways that were previously impossible with manual processes.  

The concept of trustworthy AI is becoming a market differentiator. As consumers, employees, and institutional investors grow more sophisticated about AI risks, organizations that can demonstrate robust governance will enjoy advantages in talent acquisition, customer trust, and access to capital. Today’s governance program is the reputational asset of tomorrow. 

Finally, global regulatory convergence is slowly underway. While the EU AI Act, NIST AI RMF, and ISO/IEC 42001 were developed independently, they share substantial conceptual overlap. International standards bodies and regulatory networks are working to harmonize requirements, a development that will eventually reduce the compliance burden for globally operating organizations, though significant work remains [24]. 

Conclusion 

AI and data governance are not constraints on innovation — they are the infrastructure enabling sustainable, trustworthy innovation. Organizations that invest in governance now will be better positioned to navigate the complex regulatory environment taking shape around AI, realize the full business value of their AI investments, and build the stakeholder trust that long-term success requires. 

The path forward is neither simple nor static. Regulatory requirements will evolve, AI capabilities will advance, and new ethical questions will arise. Organizations that embed governance into the DNA of their AI programs, with accountability, transparency, and continuous oversight from the outset, will be equipped to adapt. In an era defined by AI’s transformative power and real risks, governance is not optional. It is foundational.

About Green Leaf 

Green Leaf Consulting Group provides practical experience helping organizations of all types and sizes leverage data for risk management, customer analytics, digital transformation, strategic decision-making, and AI-driven innovation. Our experts can assist with AI Governance projects and develop AI-enabled data analytics solutions on platforms such as Snowflake and Databricks.

 

References 

  1. Marco, D., PhD, AI and Data Governance: The Essential 4-Pillar Framework for 2025, in Data Governance. 2025, DataManagementU: https://www.ewsolutions.com/ai-and-data-governance/.
  2. Parliament, E.U., REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. 2024.
  3. Biden, J., Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, O.o.t. President, Editor. 2023, The United States Federal Register: https://www.govinfo.gov/content/pkg/FR-2023-11-01/pdf/2023-24283.pdf.
  4. Snowflake, Data Governance for AI: The Foundation for Scalable, Trustworthy and Compliant AI Systems, in AI Governance: Data Governance for AI. 2025: https://www.snowflake.com/en/fundamentals/ai-governance/data-governance/.
  5. KPMG, Data governance in the age of AI: Examining the paradigm shift to an integrated governance umbrella, 2025.
  6. Anandarajan, M., PhD and D. Jones, 2025 OUTLOOK: Data Integrity Trends and Insights. Precisely, 2025.
  7. Digital, N., NIST AI Risk Management Framework 2025: Secure Your AI Now, in Nemko Digital News. 2025, Nemko Digital: https://digital.nemko.com/regulations/nist-rmf.
  8. (ISO/IEC), I.S.O., ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. 2023, International Standards Organization: Geneva, Switzerland.
  9. ISO/IEC, ISO 27001:2005(E) Information Technology – Security Techniques – Information Security Management Systems – Requirements. 2005, ISO/IEC: Geneva, Switzerland.
  10. Organization, I.S., 9001-2015-EN. 2015, International Standards Organization: Geneva, Switzerland.
  11. (ISO/IEC), I.S.O., ISO-42001:2023 — Information technology — Artificial intelligence — Management system. 2023, International Standards Organization: https://www.iso.org/standard/42001.
  12. (NIST), N.I.o.S., Artificial Intelligence Risk Management Framework (AI RMF 1.0). 2023, National Institute of Standards (NIST): https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf.
  13. Nadkarni, A. and D. Pearson, Scaling Enterprise AI Responsibly: The Critical Role of Data Readiness and an Intelligent Data Infrastructure, in InfoBrief. 2025, IDC & NetApp: https://www.netapp.com/media/142474-idc-2025-ai-maturity-findings.pdf.
  14. Ferrara, E., Artificial Intelligence is Turning Data Platforms into Decision Engines, in Greenleaf Group Insights, N. Miner, Editor. 2026, Greenleaf Group: https://greenleafgrp.com/insights/ai-is-turning-data-platforms-into-decision-engines/.
  15. Rowan, J., et al., State of AI in the Enterprise: The untapped edge. Tapping into AI’s full potential, 2026.
  16. Institute, I.S., ISO/IEC 27033-1 – Information technology — Security techniques — Network security — Part 1: Overview and concepts. 2013, ISO/IEC.
  17. Winks, E., Data Governance for AI-Challenges & Best Practices. 2025, Atlan: https://atlan.com/know/data-governance/for-ai/.
  18. Schmelzer, R. and K. Kathleen Walch, AI Data Governance Best Practices for Security and Quality, in PMI Blog. 2025, Project Management Institute (PMI): https://www.pmi.org/blog/ai-data-governance-best-practices.
  19. Ataman, A., Data Quality in AI Challenges, Importance & Best Practices. 2025.
  20. Freestone, T., 2025 Guide to Secure, Affordable AI Data Governance, in Cybersecurity Risk Management. 2025, Kiteworks: https://www.kiteworks.com/cybersecurity-risk-management/ai-data-governance-guide/.
  21. Alation, Data Quality for AI Readiness-What You Need to Know. 2024.
  22. Ferrara, E., Data in the Evolving World of Life Sciences: Chaos to Order, in Greenleaf Group – Insights, M. Miner, Editor. 2025, Greenleaf Group: https://greenleafgrp.com/insights/data-in-the-evolving-world-of-life-sciences-chaos-to-order/.
  23. Ferrara, E., Layered Credit Card Data Architecture-Why No Single Standard is Enough. Greenleaf Group Insights, 2025.
  24. Brui, V., AI Regulations in 2026: How to Stay Compliant with the EU AI Act and More, in Sombra – AI Lab. 2026, Sombra: https://sombrainc.com/blog/ai-regulations-2026-eu-ai-act.