I've framed AI governance as an operating-model issue: the gap between governance intent and execution, between policy documents and enforceable controls. That remains accurate — but it underemphasized security, and recent events make that omission critical. AI governance without AI-native security is not true governance; it is simply aspirational.
The evidence is accumulating fast. HiddenLayer's 2026 AI Threat Landscape Report found autonomous agents now account for more than one in eight reported AI breaches as enterprises move from experimentation to production. Prompt-injection attacks caused an estimated $2.3B in losses globally in 2025 — OWASP's single highest-severity vulnerability category for deployed language models — while current detection tools catch only ~23% of sophisticated attempts. Most organizations building AI administrative frameworks are writing policies and forming committees while deploying systems against threats their existing security tools were never designed to handle.