IT Security

Jul 02, 2026

AI Governance Is Only as Strong as the ITSM Processes Behind It

Effective AI governance requires strong ITSM processes, ensuring accountability and operational maturity to manage AI responsibly and efficiently.

Diagram of AI governance at the center, surrounded by gears labeled with ITSM processes such as risk, security, asset, incident, problem, change, supplier, and continuity management.

This isn’t going to be your typical article on AI governance—or governance in general, for that matter.

After more than 26 years of helping organizations improve their ITSM processes to achieve better business outcomes, including operational resilience, efficiency, and customer satisfaction, we at Navvia have come to a simple conclusion: real governance lives in your operational processes, not in a policy manual, committee, or risk register.

That may sound controversial, especially with so much attention focused on AI governance frameworks, policies, and tools. But while those things are important, they don’t deliver governance on their own. Governance only becomes real when it is embedded into the processes people follow every day.

In this article, we’ll explain why we believe operationalized ITSM processes are the foundation of effective AI governance, and why organizations that overlook them are likely to struggle as AI adoption accelerates.

Everyone Is Talking About AI Governance

A quick search on LinkedIn reveals many thousands of professionals with “AI Governance” in their job title, and every day our feeds are filled with posts proclaiming things like, “AI governance isn’t the brake—it’s the throttle” or “AI governance will define success.”

And it’s easy to see why.

AI adoption is accelerating at an unprecedented pace. Organizations are developing their own AI solutions, employees are using public AI tools, and software vendors are embedding AI into almost every application they sell.

At the same time, we’re seeing failed AI projects, increased regulatory scrutiny, exposed proprietary data, biased decisions, hallucinations, and growing legal liability when AI systems influence or make important business decisions without appropriate human oversight.

The increased focus on AI governance is both necessary and welcome.

However, much of the conversation centers on AI governance frameworks, regulations, policies, and controls. These are essential because they explain why AI governance matters and what organizations should govern.

What they rarely explain is how governance actually happens.

How do governance principles become part of the everyday activities involved in designing, deploying, changing, operating, monitoring, and retiring AI-enabled services? That’s the question organizations need to answer if they want AI governance to move beyond good intentions and become part of the way they operate.

What People Get Wrong About AI Governance

One of the biggest misconceptions about governance is that it lives in frameworks like the NIST AI Risk Management Framework, ISO/IEC 42001, the EU AI Act, or resources such as the MIT AI Risk Repository.

Don’t get us wrong—these frameworks are invaluable. They explain why AI governance is important and what organizations should be governing. They provide principles, best practices, and regulatory guidance that every organization should understand.

The problem is they don’t tell you much about how to make governance part of the way your organization actually operates.

The same is true for technology.

Today we’re seeing an explosion of AI governance products that promise policy enforcement, agentic monitoring, and governance substrates that provide continuous oversight of AI across the enterprise. These innovations represent an important step forward and will undoubtedly become part of the AI governance landscape.

However, even the most sophisticated governance substrate can only monitor and enforce the governance that has already been defined.

If your policies are weak, your governance framework is incomplete, or your operational processes are inconsistent, the substrate simply scales those weaknesses. It’s another example of “garbage in, garbage out”—or perhaps even worse, a false sense of security.

AI governance isn’t an island. It isn’t delivered by a framework, a policy manual, a committee, or a software platform. Effective governance requires all of these working together.

After more than 26 years helping organizations improve ITSM processes, we’ve come to a simple conclusion: governance only becomes real when it’s operationalized.

Frameworks tell you why. Regulations define what. Technology helps automate, monitor, and enforce. But it’s the operational processes people follow every day that determine whether governance actually happens.

AI Governance Needs to Be Operationalized

So, what do we mean by operationalized?

Governance frameworks tell us that we should maintain an inventory of AI solutions. They tell us to establish policies for the responsible use of AI, train employees, protect AI models and the technology they run on, manage third-party AI risk, and implement the legal and technical controls needed to reduce risk. We could go on.

The frameworks are right. They define what good AI governance looks like. What they don’t spend much time on is how those governance activities actually happen every day inside an organization.

The answer is surprisingly simple. They happen through the same ITSM processes you’ve been using for years to manage the rest of your technology.

But we’d like to go one step further. Having ITSM processes isn’t enough. They need to be operationalized.

Every IT organization has processes. So ask yourself this: if that’s true, why do we still see so many failed changes, security breaches, service outages, audit findings, and operational failures?

It’s because there’s a big difference between having a process and having one that’s mature, consistently followed, continually improved, and working as part of an integrated system of processes.

Think about your own organization.

  • Does every process have someone who is truly accountable for its performance?
  • Do process owners regularly work together to improve how their processes interact?
  • Are the processes documented, understood, and consistently followed?
  • Were the people who actually use the processes involved in designing them?
  • Does automation follow the process, or has the process been shaped around the tool?
  • Are you measuring whether the process is effective, or simply counting activities?
  • Is that performance data used to improve the process, or is it only reviewed when something goes wrong?

These are the conversations we have every day.

We see organizations with processes that have no owner—or three owners. Automation platforms configured from a list of requirements without first agreeing on the process they’re supposed to support. Process documentation that hasn’t been reviewed in years. Metrics that count tickets but say nothing about whether the process is actually delivering better business outcomes. And improvement? That usually starts only after an outage, an audit finding, or a security incident.

No manufacturer would build iPhones that way. Nuclear power plants don’t operate that way. Airlines certainly don’t. They rely on disciplined, repeatable, measured processes that are continually improved because failure isn’t an option.

Yet many IT organizations still rely on acts of heroism rather than mature operational processes.

AI doesn’t change that—it simply raises the stakes.

If the ITSM processes you already use to manage assets, implement changes, secure platforms, manage suppliers, respond to incidents, monitor services, and recover from failures don’t explicitly include AI models and AI-enabled services, then AI governance has a blind spot.

The frameworks may be in place. The policies may be written. The governance platform may even be monitoring your environment. But if the operational processes aren’t executing that governance every day, the organization is still exposed to operational, regulatory, financial, legal, and reputational risk.

That’s what we mean by operationalized AI governance.

The ITSM Processes That Drive AI Governance

Virtually every ITSM process has a role to play in operational resilience and AI governance. Some are more directly involved than others, but together they provide the operational foundation that turns governance from a set of policies into something that is consistently executed.

Think about the lifecycle of an AI solution. Someone requests it. It is assessed for risk, approved, built or acquired, deployed into production, monitored, supported, updated, and eventually retired. None of those activities happen in isolation. They are already managed through the operational processes most IT organizations use every day.

That is why we believe organizations don’t need to invent an entirely new operating model for AI. Instead, they should look at how AI fits within the ITSM processes they already have and ensure those processes explicitly incorporate AI governance activities.

Some of the key processes include:

  • Asset Management ensures AI models, services, and supporting components are identified, inventoried, owned, and managed throughout their lifecycle.
  • Change Management provides the governance needed to assess, approve, test, and implement changes to AI systems while managing risk.
  • Information Security Management protects AI models, data, prompts, APIs, and supporting infrastructure from unauthorized access, misuse, and tampering.
  • Risk Management identifies, assesses, and manages AI-related risks, ensuring they are understood, monitored, and treated appropriately.
  • Supplier Management extends governance to third-party AI providers, ensuring contractual, legal, security, and operational risks are understood and managed.
  • Monitoring & Event Management provides continuous visibility into the health, performance, and behaviour of AI-enabled services so issues can be detected before they become business problems.
  • Incident Management provides a structured approach to responding when AI systems fail, produce unexpected results, or negatively impact the business.
  • Service Continuity Management helps ensure AI-enabled services can continue to support critical business operations during disruptions and recover quickly when failures occur.

While these are some of the more obvious examples, they are by no means the only ones. AI governance touches almost every operational process. The more mature and integrated your ITSM processes are, the stronger the operational foundation for AI governance becomes.

That’s why we believe AI governance isn’t something you bolt onto the side of the organization. It becomes part of the way the organization operates, with ITSM processes providing the structure, discipline, and accountability that turn governance principles into everyday practice.

What You Need to Do Today to Improve AI Governance

AI governance doesn’t have to begin with a major transformation program. In fact, some of the most effective improvements can be made by building on the operational capabilities you already have.

1. Establish Your Baseline

You can’t improve what you don’t understand. Start by assessing your current AI governance capability. Identify where AI is being used, evaluate the maturity of the processes that support it, and understand where the biggest governance gaps exist. A baseline assessment provides a roadmap for improvement and helps prioritize effort where it will have the greatest impact.

2. Assign Clear Ownership

Governance without accountability rarely succeeds. Identify who is responsible for the key operational processes that support AI governance, and ensure those owners understand how AI changes their responsibilities. Just as importantly, those process owners need to work together. AI governance spans multiple operational processes, so collaboration is every bit as important as individual accountability.

3. Extend Existing ITSM Processes

Don’t create a separate operating model for AI if you don’t have to. Instead, review your existing ITSM processes and determine where AI-specific governance activities should be incorporated. Change Enablement, Asset Management, Information Security Management, Supplier Management, Risk Management, and Incident Management are often good places to start, but virtually every ITSM process should be reviewed to ensure AI has been considered.

4. Measure, Learn, and Improve

AI governance isn’t a project with a finish line. Like every mature operational capability, it requires continual improvement. Establish meaningful measures, regularly review process performance, learn from incidents and near misses, and refine your governance practices as AI technologies, regulations, and business needs evolve.

Conclusion

AI governance has become one of the most important topics facing organizations today, and rightly so. As AI becomes embedded in more business processes, products, and services, the need for effective governance will only continue to grow.

Frameworks, regulations, policies, and governance platforms all have an important role to play. They provide direction, establish expectations, and help organizations monitor and manage risk. But they don’t execute governance.

People and operational processes do.

If there is one message we’d like you to take away from this article, it’s that AI governance shouldn’t be viewed as another standalone initiative or technology project. It should become part of the way your organization already plans, designs, secures, changes, operates, and continually improves its technology services.

Organizations don’t need to reinvent IT management to govern AI effectively. They need to extend the mature ITSM processes they already have, ensure those processes explicitly include AI governance activities, and continually improve them as AI technologies evolve.

After more than 26 years helping organizations improve ITSM processes, we’ve seen the same principle hold true time and time again. Governance doesn’t succeed because a policy was written, a committee was formed, or a tool was purchased. It succeeds because the right people consistently follow well-designed, well-managed operational processes.

Real governance lives in your operational processes. AI doesn’t change that. It simply makes it more important than ever.

David Mainville, CEO and co-founder of Navvia, advocates for Service and Business Process Management. With 40+ years of experience, he’s held senior roles bridging Business and IT. David drives Navvia's innovative ITSM & BPM solutions, focusing on product development, marketing, and operations.
