From AI Policy to Practice: Closing the Execution Gap


A 2024 McKinsey Global Survey on the State of AI found that while 78% of organisations now use AI in at least one business function, only 18% have an enterprise-wide AI governance council with the authority to approve high-risk use cases. The gap between policy and practice is no longer a planning problem. It is an execution problem, and regulators, auditors, and boards are starting to notice. Most enterprises have written an AI policy. Far fewer can show, on demand, which AI systems exist, who owns them, what risks they carry, and which controls are operating. This article walks through why that gap forms, what closing it actually requires, and how leading governance teams are turning written commitments into evidenced practice.

What you’ll learn

  • Why most AI policies stall before they reach engineering teams
  • The five layers of execution that separate written policy from operational governance
  • How ISO/IEC 42001, the EU AI Act, and the NIST AI RMF map to day-to-day practice
  • Where the policy-to-practice gap typically breaks (and how to fix it)
  • A practical 90-day plan to close the gap before your next audit or board review

Why the AI policy-to-practice gap exists

Writing an AI policy is not difficult. Most legal and compliance teams can produce a competent draft in weeks, often by adapting an existing data governance or model risk management framework. What proves difficult, and what most organisations underestimate, is converting that policy into something engineering, product, and procurement teams actually do differently on Monday morning.

The U.S. Government Accountability Office reviewed federal AI use cases in its 2024 report on artificial intelligence accountability, and found that fewer than half of the agencies it examined could produce documented evidence that their AI systems had completed required risk assessments, despite each agency having an approved AI policy on file. The pattern is not federal. It is structural. Policies live in PDFs. Practice lives in tickets, code reviews, vendor contracts, model cards, and board memos. Without a deliberate translation layer between the two, drift is the default state.

Three reasons execution stalls

  1. Ownership ambiguity. AI policies typically assign accountability to a senior leader (often the Chief AI Officer, CISO, or CDO) but operational responsibility is split across product teams, engineering, legal, procurement, and risk. When a high-risk model is deployed, four functions believe someone else is logging it, and three believe someone else is approving it.
  2. No system of record. An AI inventory in a spreadsheet works for the first audit. By the second audit, version history, approvals, and risk classifications are out of sync with reality. By the third audit, the auditor stops asking the GRC team and starts asking engineering directly, which is where most non-conformities originate.
  3. Controls written for compliance, not operation. Policies often inherit phrasing from the standards they are mapped to. Controls written as “the organisation shall maintain” rather than “the model owner submits a Form X within five business days of deployment” cannot be operationalised without further translation, and that translation rarely happens.

The five execution layers between policy and practice

A useful way to diagnose the gap is to think of AI governance as five sequential execution layers. A policy is layer one. Audit-ready operational governance is layer five. Most organisations that consider themselves “on the journey” are stuck at layer two or three, which is also where the EU AI Act’s transparency and risk management obligations become difficult to evidence under inspection.

Layer | Stage | What’s in place | Typical breakdown
----- | ----- | --------------- | ------------------
1 | Written policy | Approved AI policy, principles, ethical commitments | No translation into role-specific actions
2 | Awareness | Training delivered, intranet pages live, leadership comms sent | Teams know it exists; behaviour unchanged
3 | Inventory & classification | AI systems registered, risk-tiered against EU AI Act and ISO 42001 | Inventory drifts; shadow AI not captured
4 | Operating controls | Risk assessments, approval gates, monitoring, incident workflow | Controls run; evidence not captured systematically
5 | Evidenced governance | Audit-ready trail, dashboards, board reporting, continual improvement | Reaching this layer is the actual goal

Most enterprises self-assess at layer four. Most external auditors place those same enterprises at layer three. The difference comes down to evidence: can you show, with timestamps and named approvers, that the control operated, or are you reconstructing it from memory and email threads the night before the audit?

Mapping ISO 42001, the EU AI Act, and NIST AI RMF to operational practice

Each of the three major AI governance frameworks pushes organisations toward operational evidence in slightly different ways. Treating them as separate compliance projects is one of the most common and costly mistakes enterprises make. The Plan-Do-Check-Act structure of ISO/IEC 42001:2023, the risk-tiered obligations of the EU AI Act, and the function-based architecture of the NIST AI Risk Management Framework overlap substantially, and most well-designed controls satisfy two or three of them at once.

Operational requirement | Framework anchor | What evidence looks like
----------------------- | ---------------- | ------------------------
AI inventory with risk classification | ISO 42001 Clause 6.1 / EU AI Act Art. 6 / NIST AI RMF Map function | Versioned register with risk tier, owner, and approval state
Risk assessment per system | ISO 42001 Clause 6.1.2 / EU AI Act Art. 9 / NIST Govern + Manage | Completed assessment with mitigations and residual-risk sign-off
Human oversight design | ISO 42001 Annex A.6.2.4 / EU AI Act Art. 14 | Documented oversight role, escalation path, override capability
Post-deployment monitoring | ISO 42001 Clause 9.1 / EU AI Act Art. 72 / NIST Manage | Performance dashboards, drift alerts, incident log
Incident & serious-harm reporting | EU AI Act Art. 73 / ISO 42001 Annex A.8 / NIST Manage | Triage workflow, regulator notification template, retro records

The practical takeaway: build controls once, evidence them once, and map the same evidence to multiple frameworks. Organisations that do this report substantially shorter audit cycles. The ISO Survey of Management System Standards has consistently shown that integrated management systems reduce average certification time across overlapping standards, and early ISO 42001 adopters appear to be following the same pattern.

Where execution actually breaks: four common failure modes

After enough audit preparations, the same patterns recur. None of them are exotic. All of them are fixable. Each maps to a specific operational change rather than another policy revision.

1. Shadow AI in the procurement pipeline

Most enterprises now have an internal AI usage policy. Far fewer have updated their third-party risk management process to flag AI capabilities embedded in vendor products. A new HR analytics tool, a customer support platform with a generative assistant, or a security product with anomaly-detection ML all introduce AI systems that the AI governance team never sees. By the time legal reviews the contract, the model is already processing employee or customer data.

Fix: amend procurement intake forms to require an AI capability disclosure, and route any “yes” answer to a lightweight AI risk triage before contract signature. This single change typically catches 60 to 80% of shadow AI within two quarters.

2. Risk assessments that are documents, not decisions

Many AI risk assessments are completed because the policy requires them, then filed without anyone signing off on the residual risk. Under EU AI Act Article 9, the Fundamental Rights Impact Assessment for high-risk systems is not just a record. It is a precondition for placement on the market. Treating it as a checkbox creates a legal exposure that no amount of policy language can absorb.

Fix: every risk assessment should end with a named risk owner accepting residual risk in writing, with a date and a review interval. If no one is willing to sign, the system should not deploy.

3. Evidence captured in chat, not in the system of record

A model owner approves a release in Slack. A reviewer comments “looks good” on a pull request. A legal reviewer emails their sign-off. Three months later, the auditor asks for the approval trail and the team spends a week reconstructing it. This is the most preventable failure on the list, and the most common.

Fix: every governance-relevant action (registration, classification, assessment, approval, monitoring exception, incident, retirement) needs a single durable system of record with timestamps, named actors, and immutable history. Spreadsheets and chat tools were not built for this. They are not where evidence should live.

4. Board reporting that is anecdotal, not measured

Boards are increasingly asking three questions: how many AI systems do we operate, what is the risk distribution, and where are we exposed. If the GRC team’s answer relies on a periodic email survey of business units, the data is already wrong by the time the deck is built. C-suite confidence in the governance programme erodes from there.

Fix: replace the survey with a live dashboard sourced directly from the AI inventory and control evidence. Even a basic version (count of systems by risk tier, percentage with current risk assessments, open incidents, audit findings status) materially changes the quality of board conversation.

How Govern365.ai addresses this layer

Govern365.ai’s AI model registry and audit evidence management module are designed to replace the spreadsheet-and-Slack pattern with a single system of record. Each registered system carries its risk classification, mapped controls across ISO 42001, EU AI Act, and NIST AI RMF, named approvers, immutable history, and live dashboard outputs. The board view is generated from the same data the auditor sees, which removes the reconstruction problem entirely.

A 90-day plan to close the execution gap

The single biggest mistake organisations make at this stage is launching a transformation programme. AI governance does not need a transformation programme. It needs three months of disciplined, sequenced work that converts existing policy commitments into operating reality. The plan below is what consistently works.

Days 1 to 30: establish ground truth

  1. Inventory every AI system in production, in pilot, and embedded in vendor products. Use a structured intake covering owner, purpose, data types, deployment status, and risk indicators. Aim for completeness, not perfection. 
  2. Risk-tier each system against EU AI Act categories (prohibited, high-risk, limited-risk, minimal-risk) and ISO 42001 risk criteria. Flag any system that is high-risk under either framework for priority assessment.
  3. Identify the named owner for each system. If no owner exists, the system has a problem before any framework is applied.

Days 31 to 60: operationalise the controls

  1. Translate each policy commitment into a specific operational action: who does it, when, in which system, with which evidence captured.
  2. Embed the AI risk triage into procurement intake and the software development lifecycle. Stop creating new shadow AI while you remediate the existing inventory.
  3. Stand up a single system of record for governance evidence. Migrate active controls (assessments, approvals, monitoring) into it. Leave historical artefacts where they are; do not retrofit.

Days 61 to 90: prove it works

  1. Run a tabletop audit using your top three high-risk systems. Treat it as a real audit. Note every gap.
  2. Publish the first board dashboard with live data: count by risk tier, control coverage, open incidents, audit findings.
  3. Schedule the first internal audit cycle and the external readiness review. By day 90, the governance programme should have moved from layer two or three to a credible layer four, with a clear path to layer five.

What “good” looks like at the executive level

For C-suite sponsors (the CIO, CISO, CDO, Chief AI Officer, or General Counsel funding this work), there is a simple test for whether the policy-to-practice gap has actually closed. Ask the GRC team five questions, on a random Tuesday, without warning:

  • How many AI systems are in production today?
  • How many are high-risk under the EU AI Act?
  • Of those, how many have a current risk assessment with a named owner?
  • How many incidents have we logged in the last 90 days, and what was the resolution time?
  • Show me the evidence trail for one of them, end to end, in under five minutes.

If the team can answer all five with live data and produce the evidence trail on demand, the gap is closed. If any answer requires “let me get back to you,” the gap is still open and the next audit will find it.
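The system-of-record requirement from failure mode 3 (timestamps, named actors, immutable history), the live dashboard from failure mode 4, and the five executive questions above can all be served by the same data structure. The following is an added example, not code from the article or from Govern365.ai: an append-only evidence log whose records are hash-chained, so that a record edited or deleted after the fact is detected rather than silently accepted, together with the replay queries that answer the five questions straight from the log. The system names, actors, dates, the incident and the 365-day assessment validity window are constructed assumptions for the example.

```python
"""Added example (not from the article or Govern365.ai): hash-chained evidence
log for AI governance actions, plus the queries behind a board dashboard and
an end-to-end evidence trail. All sample data below is constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-digest value for the first record
SAMPLE_NOW = datetime(2025, 8, 14, tzinfo=timezone.utc)  # constructed "random Tuesday"


@dataclass(frozen=True)
class Event:
    ts: datetime      # when the action happened (UTC)
    actor: str        # a named person or service account, never "someone"
    action: str       # register | classify | assess | approve | incident | resolve
    system: str       # the AI system the action concerns
    detail: dict      # action-specific fields (owner, tier, incident id, ...)
    prev_digest: str  # digest of the preceding record
    digest: str       # SHA-256 over this record's content and prev_digest


def _digest(ts, actor, action, system, detail, prev) -> str:
    payload = json.dumps({"ts": ts.isoformat(), "actor": actor, "action": action,
                          "system": system, "detail": detail, "prev": prev}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class EvidenceLog:
    """Append-only list of events; verify() re-derives every digest in order."""

    def __init__(self) -> None:
        self.events: list[Event] = []

    def append(self, ts, actor, action, system, **detail) -> Event:
        prev = self.events[-1].digest if self.events else GENESIS
        ev = Event(ts, actor, action, system, detail, prev,
                   _digest(ts, actor, action, system, detail, prev))
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        prev = GENESIS
        for ev in self.events:
            if ev.prev_digest != prev or ev.digest != _digest(
                    ev.ts, ev.actor, ev.action, ev.system, ev.detail, prev):
                return False
            prev = ev.digest
        return True


def tampered_copy(log: EvidenceLog, index: int, **new_detail) -> EvidenceLog:
    """Copy of the log with one record edited in place, the silent 'fix' a spreadsheet allows."""
    copy = EvidenceLog()
    for i, ev in enumerate(log.events):
        detail = {**ev.detail, **new_detail} if i == index else ev.detail
        copy.events.append(Event(ev.ts, ev.actor, ev.action, ev.system, detail,
                                 ev.prev_digest, ev.digest))
    return copy


def trail(log: EvidenceLog, system: str) -> list[tuple]:
    """Question five: the end-to-end evidence trail for one system."""
    return [(ev.ts.isoformat(), ev.actor, ev.action, ev.detail)
            for ev in log.events if ev.system == system]


def dashboard(log: EvidenceLog, now: datetime, assessment_valid_days: int = 365,
              window_days: int = 90) -> dict:
    """Questions one to four, answered by replaying the log to its current state."""
    owner, status, tier, assessed, opened, resolved = {}, {}, {}, {}, {}, {}
    for ev in log.events:
        d = ev.detail
        if ev.action == "register":
            owner[ev.system], status[ev.system] = d["owner"], d["status"]
        elif ev.action == "classify":
            tier[ev.system] = d["tier"]
        elif ev.action == "assess":
            assessed[ev.system] = ev.ts
        elif ev.action == "incident":
            opened[d["id"]] = ev.ts
        elif ev.action == "resolve":
            resolved[d["id"]] = ev.ts
    prod = [s for s, st in status.items() if st == "production"]
    high = [s for s in prod if tier.get(s) == "high-risk"]
    current = [s for s in high if owner.get(s) and s in assessed
               and now - assessed[s] <= timedelta(days=assessment_valid_days)]
    since = now - timedelta(days=window_days)
    recent = [i for i, t in opened.items() if t >= since]
    hours = [(resolved[i] - opened[i]).total_seconds() / 3600 for i in recent if i in resolved]
    return {
        "systems_in_production": len(prod),
        "high_risk": len(high),
        "high_risk_with_current_assessment": len(current),
        "high_risk_missing_assessment": sorted(set(high) - set(current)),
        "incidents_last_window": len(recent),
        "open_incidents": len([i for i in opened if i not in resolved]),
        "mean_resolution_hours": sum(hours) / len(hours) if hours else None,
        "chain_intact": log.verify(),
    }


def build_sample_log() -> EvidenceLog:
    """Constructed sample data: three production systems, one resolved incident."""
    t0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
    log = EvidenceLog()
    log.append(t0, "a.owner", "register", "cv-screening", owner="a.owner", status="production")
    log.append(t0, "grc.lead", "classify", "cv-screening", tier="high-risk")
    log.append(t0 + timedelta(days=1), "a.owner", "assess", "cv-screening", residual="accepted")
    log.append(t0 + timedelta(days=1), "risk.owner", "approve", "cv-screening", release="1.0")
    log.append(t0, "b.owner", "register", "support-assistant", owner="b.owner", status="production")
    log.append(t0, "grc.lead", "classify", "support-assistant", tier="limited-risk")
    log.append(t0, "c.owner", "register", "fraud-scoring", owner="c.owner", status="production")
    log.append(t0, "grc.lead", "classify", "fraud-scoring", tier="high-risk")
    # fraud-scoring is high-risk with no assessment on record: the dashboard must surface it
    t1 = t0 + timedelta(days=200)
    log.append(t1, "soc.analyst", "incident", "cv-screening", id="INC-1", summary="drift alert")
    log.append(t1 + timedelta(hours=30), "a.owner", "resolve", "cv-screening", id="INC-1")
    return log
```

Running `dashboard(build_sample_log(), SAMPLE_NOW)` reports three production systems, two high-risk, one of them with a current assessment and a named owner, one incident in the window with a 30-hour resolution, and an intact chain; `tampered_copy(..., 2, residual="rejected")` edits the assessment record and makes `verify()` return `False`, which is the property a spreadsheet or chat thread cannot give an auditor. A real deployment would persist the records and anchor the latest digest somewhere the writers cannot alter (a signed ledger entry or a write-once store), but the replay logic stays the same.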

This is the operating standard the European Commission’s AI Office has signalled it expects from providers and deployers of high-risk systems, and what U.S. enforcement bodies (the FTC, EEOC, and sector regulators) are increasingly probing under existing consumer protection, employment, and financial services authorities. The frameworks differ. The expectation, evidenced governance on demand, does not.

Frequently asked questions

How long does it take to close the AI policy-to-practice gap?

For most enterprises with an existing AI policy and an active GRC function, 90 days is realistic for reaching audit-defensible operational governance on top-priority systems. Full ISO 42001 certification readiness typically takes 9 to 14 months, depending on inventory size and the maturity of adjacent management systems (information security, privacy, quality). The execution gap closes faster than full certification because it focuses on operating reality, not documentation completeness.

Do we need a separate AI governance team, or can our existing GRC function handle it?

In most mid-sized enterprises, the existing GRC function can take operational ownership, provided it has at least one team member with AI literacy and is supported by a cross-functional working group including engineering, legal, and product. A standalone AI governance team becomes necessary when the AI inventory exceeds roughly 50 systems or when the organisation operates high-risk AI under the EU AI Act. The structure matters less than clear ownership.

How do ISO 42001 and the EU AI Act interact?

They are complementary, not duplicative. ISO 42001 is a voluntary management system standard that defines how an organisation governs AI internally. The EU AI Act is a regulation imposing specific legal obligations on providers and deployers of AI systems used in the EU market. An organisation certified to ISO 42001 will have built much of the operational machinery the EU AI Act requires, but certification alone does not satisfy the Act. The Act demands specific deliverables (technical documentation, conformity assessments, post-market monitoring) that ISO 42001 supports but does not replace.

What is the most common reason organisations fail their first AI governance audit?

Inability to produce evidence on demand. Policies are well-written, controls are described, training has been delivered, but when the auditor asks to see five risk assessments completed in the last quarter with named approvers and supporting analysis, the team cannot produce them in the available time. This is a system-of-record problem, not a policy problem, and it is the single most consistent finding across early ISO 42001 audits.

How does shadow AI affect compliance posture?

Significantly, and asymmetrically. Shadow AI rarely poses the highest model risk in an organisation, but it poses the highest governance risk because the controls that exist on registered systems do not apply. Under the EU AI Act, deploying a high-risk AI system without the required conformity assessment, even if it was procured rather than built, can trigger administrative fines of up to 7% of global annual turnover under Article 99. Procurement-stage detection is the most cost-effective control.

Should we build or buy our AI governance tooling?

For the inventory, control evidence, and audit-trail layer, buying is almost always faster, cheaper, and more defensible than building. Custom-built governance systems tend to under-invest in audit features and over-invest in workflow features. Purpose-built platforms (such as Govern365.ai, by the Global AI Certification Council) come with framework mappings already configured for ISO 42001, the EU AI Act, and NIST AI RMF, which removes months of internal work and reduces the risk of mapping errors.

Closing the gap

The AI policy-to-practice gap is not a strategy problem or a regulatory problem. It is an operational problem with a known solution: convert each policy commitment into a specific action, capture the evidence in a single system of record, and report it live to the people who are accountable for the outcome. Organisations that do this in the next 12 months will spend their next audits answering questions. Organisations that do not will spend them reconstructing answers.

Start by inventorying every AI system in your organisation today, including the ones embedded in vendor products. The list will be longer than expected. That is the point at which closing the gap becomes possible.

Start your 14-day free trial

Govern365.ai gives enterprise governance teams a single system of record for AI inventory, risk assessment, control evidence, and audit-ready dashboards, with ISO 42001, EU AI Act, and NIST AI RMF mappings built in. Start a 14-day free trial at govern365.ai.


About the Author

Dr Faiz Rasool

Director at the Global AI Certification Council (GAICC) and PM Training School

Globally certified instructor in ISO/IEC, PMI®, TOGAF®, and Scrum.org disciplines with hands-on experience in ISO/IEC 42001 AI governance across the US, EU, and Asia-Pacific.
