Governance · June 7, 2026

Governance and Source-of-Truth Frameworks

Boards are starting to ask a simple question and the answers do not match. What AI is in use here. Who approved it. On what data. Three capable people in the same room can return three different answers. The policy says one thing. The organization is doing something else. The gap between the two is where governance actually lives.

On paper, governance is a binder. A policy. An approval workflow. A list of approved vendors and use cases. A statement of values. The binder exists. The question is whether it accurately describes what the organization is actually doing on a Wednesday afternoon when nobody is consulting the binder.

The conditions around AI now make this question harder to ignore. Boards want a defensible answer. Auditors want a current one. Regulators are sharpening their version of the question. Customers and partners are asking their own. When the answer comes back as three different things from three different people, none of these audiences is satisfied, and the organization's claim to be governing AI starts to look thinner than the binder suggests.

Governance is not the binder. It is the organization's ability to know, at any moment, what is actually true about its AI. That ability rests on a source of truth: a current, authoritative record of what AI is in use, who owns it, what data it touches, and what has been approved. Without that record, the policy in the binder governs a version of the organization that does not quite exist.

Governance is only as real as its source of truth

A policy is a statement of intent. It says what the organization wants to be true. Governance is the discipline of being able to demonstrate what is actually true at any given moment. The two are related, but they are not the same thing, and the distance between them is where many AI governance positions quietly fall apart.

A policy does not know what changed last Tuesday. It does not know that a team started using a new AI feature inside a tool the organization already had, or that a vendor quietly added a generative capability to a platform approved for something else, or that a workflow now routes data through a service nobody reviewed. The policy is still in force. The practice has moved on without it.

The distinction shows up when the question is asked under pressure. An auditor asks for the inventory of AI uses. A board member asks who signed off on the customer-service model. A client asks whether the AI used to draft their report touched their confidential data. A regulator asks for the documentation behind the responsible-AI claim on the website. Each of those questions has a clean answer or a fumbled one, and the difference is not how good the policy is. It is whether the organization has a current record of what is actually happening.

That is the difference between having a policy and having a position. A position can be defended. A policy alone can only be shown.

A policy is a statement of intent. Governance is whether the organization can say what is true.

Source-of-truth discipline is what makes governance defensible rather than performative. A defensible position is one a leader can stand behind, because the leader can say, with a record the organization actually maintains, what is in use, who owns it, what data it touches, and what is approved. A performative position points to the policy and hopes nobody asks for the current view. The two look identical from outside the organization, until the moment the question is asked.

Where governance drifts from reality

Governance drift is rarely dramatic. There is no moment when the policy is abandoned. There is no day when leadership decides to stop tracking AI use. The drift happens through ordinary decisions, taken in good faith, each one individually looking small enough to skip the formal step.

A team finds a tool that solves a problem. They adopt it. They mean to add it to the central register later, and later does not arrive in the form it was scheduled in. A workflow shifts to a new model through a vendor's release notes nobody on the receiving side reads. A pilot moves from experimental to production in conversation, with no record. An approval is given in a meeting where nobody took minutes. The verbal yes is what people remember. The written yes never existed.

None of these are governance failures in the malicious sense. They are failures in the structural sense, which is harder to fix because there is nobody to blame and no single moment to point to. The policy did not stop being in force. The organization simply stopped updating its picture of what was true, and the picture and the reality kept diverging, quietly, in ways that compound.

The compounding is what makes the drift expensive. A single uncataloged tool is a small problem. Fifty of them, used across different functions on different data, become a problem that costs months of work to reconstruct when the question finally arrives, and the cost falls due at the worst possible moment, when an outside party is waiting for the answer.

The useful measure here is not how many organizations use AI. It is how many can account for the AI they use. That is the sharper question, and it is rarely a flattering one. It is also rarely a surprise to the people inside the organization, who tend to know the inventory is incomplete and the policy is older than the practice. What they are usually waiting for is the leadership conversation that makes maintaining the picture a priority rather than an aspiration. That is what keeps governance from depending on panic.

What a working source of truth looks like

A working source of truth is more boring than it sounds. It is one current record the organization actually trusts, covering what AI is in use, who owns each use, what data it touches, what is approved, and what is pending. The fields are not exotic. The discipline is.

What separates a working record from a filed one is whether it changes when the organization changes. A working record is updated when a tool is added, when a model changes, when an owner moves roles, when a use case shifts from pilot to production. A filed record is updated when somebody remembers, which usually means when an outside question is about to arrive. Working records survive scrutiny. Filed records produce the scramble.

This matters more, not less, for a smaller organization. Formal governance becomes self-defeating when it tries to mimic enterprise machinery a small team cannot sustain. A working source of truth is the lighter, more practical starting point. It does not require a large bureaucracy. It requires a habit: when AI enters the organization, changes purpose, touches new data, or moves from experiment to regular use, the record changes with it.

This is the practical shape of what recognized standards describe. ISO/IEC 42001 treats AI governance as an ongoing management system, a set of processes the organization maintains, not a document it once produced. The NIST AI Risk Management Framework names Govern as a core function, the one that holds the others accountable to a coherent picture, and it applies to any organization using AI rather than a single sector. Both treat governance as something done continuously, not signed off once.

A maturity read is where this becomes visible: whether the source of truth exists, whether it is current, whether anyone owns it, and whether it matches what the organization is actually doing. The AI Maturity Audit produces that picture, and the Governance Pack is the discipline of keeping it current. The answer to those questions is a more accurate measure of AI governance than any number of policy documents.

Where governance lives

AI governance is not the binder. It is the living record the binder points to. The organizations that govern AI well are the ones that can answer the simple question without flinching. What AI is in use, who approved it, on what data. The answer is current, it agrees with itself across the room, and it can be defended outside the room.

That is the practical test. Policy makes the position possible. The source of truth makes it real: a current record, trusted across the organization, showing what is true enough to act on.

Clarity, as ever, comes before action.
