AI Governance: Big G and small g.

You have a different way of thinking about AI governance. What is your focus?

I do not get distracted by technology marketing, focusing on the data and the extent to which it is subject to rules beyond management control. There is big G governance and small g governance. Small g governance refers to options within a technology artefact which limits some performance of the artefact, such as in an engine where the governor is a device which limits speed by reducing fuel supply. There are many such options in modern technology, and they are turned on or off as a management choice.

Big G governance is the big do not argue which comes from the Board or similar body. That is to say, it involves organisational directives which cannot be ignored by management teams, which can see rules as options and requirements as things which can be traded off. The Board generally is responsible for long-term stewardship of value and their role is to constrain management fiat. In some countries such as the US it is common to find Chair and CEO roles concentrated in the same person, in which case there is no real constraint, and I would analyse governance in that context as small g. There is also big G governance in the public sector, where elected representatives constrain management action.

An AI entity is a data entity or more properly an artificial knowledge agent. It was produced from data, needs data to function and uses data to network to other knowledge agents, either human or artificial. We can understand them through the data and do not need to get distracted by marketing, popular communications, glossy publications or t-shirted technologists on stages in front of giant screens. Without data, there is no AI (unless it leverages analogue computing, but I have not seen any of those on the market).

My primary concern is whether AI strengthens or weakens an organisation’s ability to build value over time, to function independently and responsibly within the society which sustains it. I do not focus solely on the implementation of laws and policies into an organisation’s fabric, considering also how to set up an organisation to enable the use and development of AI to create long-term value. This is particularly important in the public sector, which must make best use of taxpayer funds. So, I take an asset approach and the value is in the data.

The Problem: Over-Reliance on External AI Providers

So, what do you see currently as the problem with how organisations treat data?

The problem is that organisations are too dependent on external providers to generate value around organisational data. Organisational data comprises the data objects and entities which are under the control of the organisation by legal, contractual or other means. Where data is subject to another organisation, then control of the data is eroded and at best the asset is a joint one. At worst, the asset is controlled by the other organisation. The modern economy is heavily networked, with many AI agents deployed across the organisational perimeter. However, many of these services remain external to the client organisation. Some organisations are fortunate to have enough data capability and infrastructure in place to set up their own AI agents on their data and retain the full value. Other organisations might be too small to host any capability in-house while others will be so large that they receive data from multiple parties, process it and distribute outcomes back to multiple parties.

Where an external service is used to build value from the company’s own data and where that external service is used to train or improve that external service for the benefit of the supplier, then control over data assets and the value obtained are only partial. Control over services is also only partially possible through service-level agreements and other contracts. Without control over their data—and remember AI models are data entities—companies risk becoming little more than rent-paying intermediaries, positioned between the public—whose data they collect—and large third-party AI system providers. This is a problem, as value is increasingly extracted through organisational data. Relying on third parties for that extraction leads to dependency. Companies start realising that using external AI models reduces them to a revenue stream for the AI provider.

Ed Paulis, Editorial Committee Member: When considering “small g” governance within a technology artifact, such as a governor in an engine that limits performance to ensure safety and reliability, AI governance can similarly create value for a company by setting boundaries and controls within AI systems. This type of governance ensures that AI operates within safe, ethical, and optimal parameters.

How Data Creates Value

How does data create value?

Data derives its value from something else, often a tangible real-world object that the company produces or a service the company provides. Where there is a physical asset there will most probably be a digital asset. Where there is a digital asset there may be a data asset - but only if it can be made subject to organisational control.

Example: Modern cars are partly data centres on wheels (the 2015 Ford GT had about ten million lines of code, eight million more than the F-22 Raptor). A car manufacturer builds a car, a physical asset. However, the vehicle will be largely useless without parallel digital systems. Tesla, for example, has so many cameras in operation they may best be seen as always-on surveillance devices. The physical asset eventually depreciates but the data that the car collects during its lifetime remains valuable. Assuming the data remains accurate, it can be fed into an AI model, improving future designs and creating an additional asset for the company. Or with the likes of the MIT DrivAerNet++ dataset, the data goes to support the next generation of design.

When done well, data facilitates a cycle of value creation between the physical and digital worlds. The performance of the physical asset—the car—depends on the performance of the data asset—the data it generates. However, if the data is corrupted, unreliable, or restricted by a third party, future design work for the physical models degrades. The company will soon find itself in a downward spiral of value destruction.

The Role of AI Governance in Value Creation

How can AI governance create value for the company?

An AI asset is built from data, uses data and outputs data; it is a data entity and as with any data entity, its value will be affected by the governance framework that determines how data entities can be created, shared and used. How we govern our data is causal to how our AI assets perform. The ISO data governance standard speaks in terms of realising value, managing risk and meeting constraints across the data lifecycle, which can be extended to data entities such as AI.

Internal AI governance should be designed to facilitate long-term value creation from organisational data. As the OECD found, data have a specific combination of economic characteristics that distinguish them from other inputs into economic production. The long-term value generation for a data entity will depend on the extent it is bound together to the organisation’s core business. AI systems are knowledge machines for the knowledge economy so if they are peripheral to core business, they are less likely to deliver long-term value.

For many organisations, the main threat to long-term benefits realisation with AI will be over-reliance on providers they do not control. Over-reliance creates a formidable governance problem because organisations are no longer in charge of their own data—the engine of value generation for their company.

The dominant trend in the past two decades has been outsourcing key technological functions. This is predicted by Ronald Coase’s transaction cost view of the firm, and we have seen many internal capabilities of knowledge agents outsourced, both human and artificial. This has translated into organisations being hollowed out and in extreme cases turned completely inside out. These organisations participate in flows but maintain no stocks. They no longer control their own factors of production, settling for earning small margins. It may be that returns to scale for a few hyper-large organisations is the future for the whole data economy, in which case everyone is just competing for margins of a few cents. However, the commodification of data science and accessibility of knowledge also provides organisations with pathways to bring capability back inside the organisational perimeter and avoid overwhelming dependence.

We see that the big G governance changes driven by the current US administration is upending many comfortable organisational relationships and demonstrating an ability to force costs on organisations headquartered in overseas jurisdictions. This significantly changes the power dynamic and organisations which discover they have no internal capability will have to reverse that and bring critical functions back in-house. Without control, there is no asset.

Consider you are a farmer and drive a Giant Dragon tractor, which is a heavily instrumented vehicle and which bundles multiple data feeds, data entities and data objects. Farming data is of primary importance to ever-optimising farmers and is a key differentiator in land valuation and privacy. In this case, you do not have access to the diagnostic software or repair tools so your ability to understand the physics of the machine are limited and you soon find yourself locked into a monopolist's contract.

You are also fully surveilled while working the vehicle, meaning you are supplying agentic data to a model which will be deployed for the benefit of other third parties. Once this telemetry data is stored on a Giant Dragon server, its consequent use becomes opaque. That data is potentially very valuable to you because it describes much of your commercial operation. But is now somewhere in the cloud and you have to trust they have good cybersecurity.

In this toy example, we can see the opportunity to obtain the most from agricultural science is greatly constrained because the physical asset is also a well-controlled data asset. It may be that the best course of action is for you to divert some money and hire someone to build a model for you, from the data you have scattered across your digital landscape. Giant Dragon meanwhile has an ongoing source of intelligence which can be used for precision science.

I would say that if an organisation depends on external AI models to process organisational data, it has already lost a significant amount of control. Data must be fed into those models, but the model and its future development path remains in the hands of the external provider. The provider’s economic interests—not the company’s—determine the future of that system. This is particularly relevant for large language models that require enormous amounts of training data. If organisations cut off external providers from data streams, those providers will eventually struggle to maintain their models. They will have to rely on synthetic data, which is already known to introduce training challenges and may cause models to collapse.

Key Questions for Boards When Establishing AI Governance

What should boards focus on when establishing AI governance?

In an era where AI is ubiquitous, AI governance must enable a company to become an effective data organisation. To do this, they need to create valuable data assets. In a somewhat circular definition, a data asset is a grouping of data which has the properties of an asset. These properties are: (i) being able to produce future economic benefit, (ii) being subject to organisational control and (iii) coming about by a previous transaction or event.

Data needs to be treated as a valuable asset. It is sometimes said that if organisations treated financial assets as they treat data assets the organisation would need to fire the whole management team to avoid going out of business. The change here is to see data as something more than we consume or burn. An extension of the critical element of control, the organisation needs to have agency over its data, so that it can decide how and when its data is used. This requires that actual use cases can be identified.

There also needs to be a clearly defined individual person who is accountable for the data. The simplest definition of data governance is that it must enable a person to explain system behaviour and an AI asset needs to have someone who can make an account to the Board. Where there is no single person to make an account, it is likely that there is a diffusion of responsibility and an absence of control. This goes to the old proverb that victory has a thousand fathers, but defeat is an orphan.

The organisation also needs to be able to restrict the flow of data where necessary. Doing so prevents external third parties from extracting value without returning sufficient benefits. AI model developers often have a short contractual or SaaS window before businesses and individuals can cut off access to the data streams that feed its models. This is the leverage the company has, and it needs to be retained as a strategic necessity.

If the organisation sees data as a commodity, does not have agency in its deployment, cannot surface an accountable individual and can’t restrict the flow of organisational data, then the company is likely not an owner of a valuable data asset. In fact, the company might already be the product or a dependent rent payer of another provider.

Simply, the best approach is to exercise full control over:

• The data coming in.
• The AI model trained on that data; and
• The data outputs.

The Role of Regulation in AI Governance

Do the EU AI Act or other AI-specific regulations play any role here?

We have just seen the EU remove the AI liability directive from its work programme and the Paris AI Summit went in a different direction from those in Seoul and Bletchley Park. The reaction here is against loading up too much cost onto the current AI economic model as aspects such as privacy and diversity-equity-inclusion are seen as cost centres not profit centres. That said, all organisations are to some extent socially embedded and have to take into account the expectations of society and community. The continued growth of considered consumption, concern over climate cost and worries about widespread social harm remain top of mind for many in Europe and other countries.

However, simply adding more regulations does not solve the problem as what looks like adding rules is actually multiplying complexity and with it increasing the likelihood of increased transaction and deadweight costs. From the perspective of commercial decision-makers or technologists developing and maintaining AI systems, the difficulty of resolving regulatory conflicts is non-trivial and with the huge cost of training AI systems, regulatory burden is real. Because of the movement of global capital, all jurisdictions need to give thought to the costs they are imposing on what is a genuine engine of economic growth. DeepSeek is an outlier here because it has demonstrated dramatically that the established organisations seem to be charging exorbitant economic rent for AI services.

If laws do not address the core issue—control over assets—they may only add costs and extend development time. Those costs will either be passed on to customers or ignored by organisations that do not see compliance as a priority. As we see with the very large technology companies, they can easily sweat fines.

Industry self-regulation is also unlikely to work because the economic incentive is to externalise risks and costs. This is why issues like bias, discrimination, and ethical concerns continue to emerge. The incentive is always to keep profits and transfer risks elsewhere. This is also why, in my opinion, all AI organisations need a Board which can give management the “big do not argue.” Anthropic is a notable outlier here, as they are recognising that some costs need to be retained in the production process.

What Should Policymakers Focus On?

If neither more regulation nor self-regulation is the solution, what should policymakers focus on?

I do not have a complete answer for that yet, although my analysis keeps returning to the same place - we do not understand well enough how to place data on an asset basis. Furthermore, in a jurisdiction data may not have its own regulatory regime. We may find we have such regimes for data analogues such as water, petrol and radio frequencies but not data. In some situations, we may even lack a clear definition of what data is.

However, in spite of the likes of transgressors such as certain LLMs, intellectual property laws, particularly copyright, should play a central role in my view. Many of the concerns about large AI models stem from the fact that they are built using data scraped without permission. That is a fundamental intellectual property issue. Intellectual property rights may help organisations retain control over their data, if they are employed to force model providers to negotiate any access they wish to have to the organisation’s or their customers’ or workers’ data. This is why my analysis keeps returning to the basic importance of an organisation being able to put its foot on the hose and stop the flow.

‍

Rohan Light is the Principal Analyst for Data Governance at Health New Zealand (Te Whatu Ora) and a member of the Editorial Committee of 20Minds.