Active Governance in Practice

The market is overloaded with information, frameworks, and advice about AI success. Every vendor promises a solution. Every framework claims to be comprehensive. Every consultant offers a roadmap. But amid all this noise, one critical truth keeps getting obscured: governance must operate at runtime if AI is to succeed. Cameron Price's original blog cuts through the complexity with precision and clarity. His argument, that knowing data exists is not governance, challenges the fundamental assumptions many organizations are operating under. This blog now aims to reinforce and operationalize Cameron's argument for those implementing governance and AI in practice. It examines real-world failures where governance existed but execution failed. It addresses the uncomfortable gap between governance documentation and runtime enforcement. And it provides a clear path forward for organizations serious about activating AI at scale. The central thesis is straightforward: documentation-based governance cannot protect AI systems that operate in real time. If your governance ends in a handover to engineering teams, it is not active. If your policies cannot execute automatically at the point of data access, combination, or model training, they are theoretical. And theoretical governance will not get you to AI success.

When Cameron published his latest blog on Active Governance, one line stayed with me:

From a customer and partnerships perspective, I see this play out. Business teams are being told that governance is the foundation for AI. And that's true.

But many are being led to believe that implementing a catalog, defining ownership, and documenting policy is enough.

It isn't.

Organizations invest millions in governance frameworks, catalogs, and documentation, yet AI initiatives still fail at scale. The disconnect isn't about governance quality. It's about governance execution.

Across industries, governance has been positioned as the safeguard that makes AI safe.

But governance that lives in documentation does not operate at runtime.

And AI operates only at runtime.

When models are trained, when data is combined, when automation triggers actions, governance must execute in that moment.

Otherwise, the control is theoretical.

This gap has shown up publicly.

The pattern across these failures is consistent and undeniable. In each case, governance structures existed. Policies were documented. Controls were defined. Ownership was assigned. Yet when systems executed in production environments, governance failed to operate. The failures were not about missing documentation, they were about absent runtime enforcement.

Target Canada

Target's failed expansion into Canada was widely analyzed as a breakdown in operational data reliability. Inventory systems reported products as available when shelves were empty. Governance structures existed, yet the data could not be trusted in execution.

Harvard Business Review and other analyzes pointed to systemic data and systems failures, not a lack of documentation.

Documentation did not prevent operational collapse.

Knight Capital

In 2012, Knight Capital lost $440 million in 45 minutes due to a faulty software deployment that triggered unintended trading activity. Governance and risk policies existed. Controls existed. But enforcement at runtime failed.

The U.S. Securities and Exchange Commission later cited weak production controls and execution failures.

The failure was not documentation. It was execution.

Banking and Risk Reporting

The Basel Committee on Banking Supervision, in its Principles for Effective Risk Data Aggregation and Risk Reporting, makes clear that governance must be effective in practice and resilient under stress.

The European Central Bank has repeatedly identified gaps where governance frameworks exist on paper, yet data quality and risk reporting fail in operational conditions.

When governance cannot execute in real conditions, AI and automated decision systems cannot be trusted.

Research reinforces this pattern.

McKinsey's State of AI reports consistently show that fewer than 30 percent of AI initiatives achieve sustained business value at scale.

Deloitte has highlighted that many organizations invest in governance frameworks but struggle to operationalize them in ways that drive measurable outcomes.

Collibra's thought leadership increasingly emphasizes trusted data usage, lifecycle management, and governance that spans both data and AI assets, not simply catalog visibility.

The pattern is consistent.

Organizations are investing in governance.

But they are not activating it.

Despite widespread agreement on the need for AI governance, there's a significant divergence in understanding and implementation. This creates confusion and directly contributes to the adoption gap, with organizations struggling to understand what 'active governance' truly means in practice.

Two main schools of thought prevail in how organizations approach AI governance:

Recently, I saw a discussion on LinkedIn arguing that governance is already active, and that conversations about runtime enforcement were overstated.

I understand the sensitivity.

Organizations have invested heavily in governance programs. It is uncomfortable to suggest they are incomplete.

But we have to be clear about what "active" really means.

Running agile sprints. Delivering engineering increments. Handing governance requirements to technical teams to implement.

That is not activation.

Agility in delivery does not automatically mean governance operates at runtime.

Activation is not about how fast engineers build.

It is about whether policy executes automatically when data is accessed, combined, reused, or exposed to AI systems.

Leading authorities are aligned on this direction.

The Basel Committee emphasizes effectiveness in practice.

The European Central Bank stresses operational resilience.

McKinsey identifies organizational and operating model gaps as barriers to AI scale.

IBM highlights trust as foundational to AI adoption.

AWS governance guidance focuses on embedded guardrails, not manual review cycles.

Across regulators, consultants, and platforms, the signal is clear:

Governance cannot remain a collection of rules and documents handed over for downstream implementation.

It must operate at runtime.

Active governance is not a sprint milestone.

It is an execution model.

This progression represents a fundamental shift in how governance functions within the enterprise technology stack.

Governance platforms themselves are evolving.

Collibra's recent positioning highlights unified governance across data and AI lifecycles, with increasing emphasis on lifecycle management of trusted data products from creation to consumption. The direction is clear: governance must support not just assets, but usable, trusted data products that can scale across the enterprise.

This reinforces Cameron's argument.

The future of governance is not static artifacts. It is governed data products that can be confidently used, shared, and activated.

But lifecycle visibility alone is not enough.

Governance must execute within those products.

This is where a data product workbench becomes essential.

If governance defines policy and structure, the workbench ensures that those policies execute at the point of use.

Rather than governance ending in documentation or handover, a workbench model embeds:

• Policies that travel with the data product
• Controls enforced automatically
• Runtime masking and protection
• Context-aware access evaluation
• Operational lineage that reflects real behavior

With decades of collective experience across data delivery, one thing is clear:

But trust does not come from documentation alone.

It comes from enforceable execution.

Latttice, a data product workbench, bridges that gap. It connects governance intent with operational reality. It ensures governance is not just visible, but active.

Not as an overlay.

As an execution layer.

Business teams do not need more governance documentation.

They need confidence.

When governance is active, AI becomes sustainable. When governance remains static, AI remains constrained. Cameron's blog lays out the strategic foundation for this shift. The next phase of governance is not more artifacts — it is operational enforcement.

• Harvard Business Review. "Why Target's Canadian Expansion Failed."
• U.S. Securities and Exchange Commission. "SEC Charges Knight Capital With Violations of Market Access Rule," 2013.
• Basel Committee on Banking Supervision. "Principles for Effective Risk Data Aggregation and Risk Reporting" (BCBS 239).
• European Central Bank. Supervisory Review and Evaluation Process findings on data governance and risk reporting.
• McKinsey & Company. "The State of AI" annual reports.
• Deloitte. Research and insights on data governance operating models and AI scaling challenges.
• Collibra. Thought leadership on unified governance and lifecycle management of trusted data products.
• IBM. Publications on Trust and Transparency in AI.
• Amazon Web Services. Governance and guardrails best practices for AI and data platforms.