Some organisations don't move too fast. They move too carefully, and arrive at the same failure by a different route.
This type commissions a working group. They draft a policy. Three months later, the Copilot governance framework reaches its fourth revision. It is thorough. It is considered. It will be excellent when it is finished.
Meanwhile, DeepSeek is running on personal devices. ChatGPT has been used to draft board papers. Claude is summarising contracts. Gemini is inside the workflow of a team that stopped asking permission eighteen months ago. None of this appears in the risk register because none of it has been looked for.
We are not aware of it, therefore it is not our problem.
That is not caution. That is institutional blindness dressed as diligence.
The people positioned to close that gap are quietly relieved by the permission structure. If it is not formally in my purview, I am not responsible for knowing it exists.
Both failure modes — the obfuscation and the paralysis — share the same underlying condition: accountability has been structurally decoupled from reality.
Good AI governance requires something most governance conversations avoid naming directly: a willingness to find things you would rather not find.
The organisations that will govern AI well are not the ones with the best frameworks. They are the ones with the institutional courage to look at what is already there.