What was the impact of NotPetya on businesses?

NotPetya caused billions in losses globally, severely impacting industries like logistics, healthcare, and finance. Some organizations faced operational shutdowns lasting weeks due to IT system failures.

Why is Business Continuity Planning (BCP) important?

BCP ensures organizations can recover quickly from cyberattacks, natural disasters, and operational failures. Without it, businesses risk prolonged downtime, financial losses, and reputational damage.

What are the key lessons from NotPetya for businesses?

Key lessons include regularly updating Business Continuity Plans, conducting risk-based thinking exercises, testing recovery strategies through drills, ensuring leadership support, and collaborating with third-party partners for emergency solutions.

Beyond the Basics: Why AI Governance Demands More Than Traditional IT Rules

Kiran Dev Appikonda
3 days ago
4 min read

“Diagram comparing AI governance vs IT governance”

“AI governance framework with ethics, accountability, and transparency pillars”

Why AI Governance Matters Now

While in the early 2000s everyone thought that by 2020 we’d have flying cars and futuristic gadgets, what truly transformed our world was far less visible: artificial intelligence. Unlike a shiny invention you can see and touch, AI works in the background — silently reshaping lives, decisions, and businesses in ways we never anticipated.

Today, AI powers everything from the recommendations you see on Netflix, to chatbots handling millions of banking queries, to tools analyzing patient scans in hospitals. The transformation is unprecedented: organizations are embedding AI not just to cut costs, but to drive strategy, improve decision-making, and personalize customer experience.

Consider Bank of America, which in 2025 committed $4 billion toward AI innovations like “MERRILL edge”, aiming to give bankers supercharged insights and customers tailored services. Or think about healthcare, where AI models are helping doctors detect early signs of disease with greater accuracy than ever before.

But with this scale of adoption comes a new set of risks. As Navrina Singh, founder of Credo AI, said in a McKinsey interview:

“AI governance should not be an afterthought. It should be the first thing you consider.”

Source: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/keeping-artificial-intelligence-real

Why? Because unlike traditional IT, AI doesn’t just run systems, but it makes decisions that impact people, society, and organizations. A biased algorithm can deny someone a loan, filter out qualified job candidates, or misdiagnose a patient. That’s why experts are calling AI governance not just a compliance necessity but an ethical imperative.

This is the backdrop for our thought: how AI governance fundamentally differs from traditional Information Security Governance or IT governance, and why organizations must adapt now if they want to not only adopt AI but also earn trust in its outcomes.

How AI Governance Differs from Traditional Information Security & IT Governance

We don’t just need systems that work we need systems we can trust.

When organizations talk about governance, the first thing that usually comes to mind is IT governance or information security governance. These frameworks focus on how technology is managed, secured, and aligned with business goals. But when it comes to Artificial Intelligence, the rules of the game shift.

The Nature of the Risk Is Different

In IT governance, risks are often technical like downtime, data breaches, access control failures. The controls are tangible: firewalls, audits, compliance checks.

AI governance, however, deals with behavioral risks. An AI system can make decisions that look fine on paper but end up biased, unfair, or opaque. Imagine an AI-powered hiring tool that unintentionally favors one group over another. The risk isn’t just data loss — it’s trust loss.

From Security to Responsibility

InfoSec governance is about protecting information. AI governance is about ensuring responsibility. It asks:

Is the AI fair?
Is it explainable?
Who is accountable if it fails?

This means AI governance is more about ethics, transparency, and accountability than just compliance.

A Shift in Control Mechanisms

In traditional IT, we measure control with metrics like uptime, patching, and vulnerability scans. In AI, control is more fluid: continuous monitoring, dataset audits, bias detection, and even explainability testing.

Put simply, IT governance is about keeping the system secure and efficient, while AI governance is about keeping the system trustworthy and human-centered.

The Foundation: Training Data

One of the most critical yet often overlooked aspects of AI governance lies in the data that trains the models. Unlike traditional IT systems where data is just an input/output to secure, in AI the training data becomes the foundation of how the system thinks and acts.

If the dataset is biased, the model will inherit and amplify that bias. If the data is of poor quality or incomplete, outcomes will be unreliable. And if the data isn’t properly anonymized or secured, organizations risk serious privacy violations and compliance failures.

That’s why governance requires:

ensuring lawful and ethical data collection.
testing datasets for imbalances.
applying anonymization and consent management.
recording origins, intended use, and known limitations.
assigning accountability for dataset quality and access.

How Governance Turns Principles Into Action

So how do organizations actually achieve these ideals? AI governance rests on several pillars:

ethics and fairness, transparency, accountability, data governance, robustness, human oversight, and continuous monitoring.

Unlike traditional IT governance, it’s not enough to have controls written on paper. These pillars must be backed by real governance mechanisms. That means:

Policies and frameworks that set ethical standards and fairness checks before deployment.
Accountability structures - clear roles, AI oversight boards, and RACI charts to define who owns decisions.
Transparency practices - using model documentation and explainability tools so stakeholders understand outputs.
Robust risk management - bias audits, security stress tests, and adversarial resilience testing built into the lifecycle.
Human-in-the-loop guardrails - ensuring people can step in and override AI where it matters most.
Continuous monitoring - with ModelOps pipelines to track drift, audit logs, and regular re-validation of systems.

To summarize in simple words, IT governance keeps systems secure and efficient. AI governance ensures those systems remain trustworthy, human-centered, and aligned with societal values.

Why This Matters Now

As AI becomes embedded in decision-making from finance to healthcare to everyday apps, the consequences of “getting it wrong” are bigger than a server outage. They touch people’s lives, rights, and opportunities.

“Good AI governance is not just about avoiding harm; it’s about building confidence.”

And that’s the real difference. IT and InfoSec governance protect the system. AI governance protects the society around the system.

As organizations race to deploy AI, those who build governance into the foundation won’t just stay compliant, they’ll earn trust, stay resilient, and lead in a world where invisible algorithms increasingly shape visible outcomes.

Gorisco has a wide range of experts who are experienced in defining and designing various solutions to help organizations mitigate their risks and resolve their problems.

At Gorisco, our motto is 'Embedding Resilience,’ and we are committed to making the organizations and their workforce resilient. Reach out to us if you have any queries, or clarifications, or need any support on your initiatives.

To read our other blogs, click here. More importantly, let us know if you liked them or not through your comments.