Closing the Ownership Gap in AI-Era Information Management

Machines Can Recommend. They Can’t Be Accountable.

In November 1997, I attended my first corporate board meeting. I was 28, and it seemed impressive, a seat on a board of directors at such a young age. However, appearances were misleading. The actual board consisted of me, my brother, our wives, and my mother. Our five children, all under six, were the future board members. The meeting took place at my mom’s kitchen table, while those future members played in Grandma’s living room.

The company microfilmed paper records for large organizations. My mother had come to own it almost by accident: an earlier investment in a publishing company had gone under, and instead of returning her money, the owners handed her a struggling microfilm business. She accepted. By the night of that board meeting, annual revenue was under $150,000, our largest customer had just relocated out of state, and the core service we sold was sliding down the back of its own bell curve, think Blockbuster or Kodak. By every visible measure, the technology was dying.

At twenty-eight, I realized I wasn't truly in the microfilm business. Instead, my focus was on assisting organizations with managing their information, making decisions about its use, determining trustworthiness, and assigning accountability when issues arose. The film, scanners, workflow engines, and BPM platforms that appeared later were simply tools, not the main goal. They served as a means to achieve that end.

In the twenty-eight years since, I’ve ridden wave after wave of technology, document imaging, workflow, BPM, RPA, cloud, big data, and now Enterprise AI. The tools changed every few years. The core never did. And as enterprises rush to adopt artificial intelligence, that unchanging core has quietly become the most important question. It isn’t whether the system can perform the task. It’s who takes responsibility for the result when it does.

The Real Problem: A Gap Nobody Owns

Information management leaders already know how to secure systems and oversee processes. During every platform transition, they've honed skills such as controlling access, protecting data, managing retention, satisfying auditors, and proving compliance afterward. These skills are real and well-established.

AI breaks the assumptions they were built on.

Traditional enterprise software functions deterministically: the same input consistently produces the same output. When problems occur, the questions are clear and answerable: Who changed the rule? Who accessed the record? Who approved the action? Governance was managed externally, through policies, reviews, and approvals layered over predictable processes.

AI systems do not operate in that manner. They analyze context, provide suggestions, and are increasingly taking actions based on them. Minor changes in prompts across different situations can produce different results. Occasionally, even the system's developers find its reasoning difficult to understand. Governance cannot remain external to the system anymore, as the system now actively engages in decision-making processes.

Many organizations often face challenges here. Traditionally, security and governance function separately, with their own teams, budgets, and reporting lines. When AI is integrated, each function applies its procedures independently. Security focuses on whether the model is secure and risk-free, treating it like infrastructure. Governance assesses if the AI use case complies with regulations, ensuring it's permitted and auditable. Neither group fully understands the other’s assessments, nor do they share responsibility for what happens in the shared space between them.

AI failures occur in that space, between a technically secure model and an inexplicable decision, between governance policies and systems that cannot enforce them. It is a neglected space that no one was assigned to manage.

Why This Happens: We Delegated Authority Faster Than Oversight

The pattern persists because the failures are subtle and go unnoticed. Organizations have silently abandoned AI-based hiring and risk-scoring tools, not due to system failures, but because no one could explain when or why their outputs deviated from acceptable ranges. The models worked as designed. No one took responsibility for their behavior.

The data confirms how widespread this gap has become. In McKinsey’s State of AI in 2025 survey, 51% of organizations reported experiencing at least one negative consequence from their use of AI. Yet only 28% said their CEO takes direct responsibility for AI governance, and just 17% said their board does.1 Incidents are now common. Clear ownership of them, especially at the top, is not. That is the ownership gap stated in numbers.

The core problem remains: authority was granted to a system before adequate oversight was established. Scale grew before accountability was in place. The organization allowed the machine to make influence or decisions without first asking an essential question, who is accountable if things go wrong?

This is not a problem of awareness so much as one of pace. McKinsey’s State of AI Trust in 2026, which surveyed governance and risk leaders between December 2025 and January 2026, found that only about one-third of organizations report a governance maturity level of 3 or higher and noted that oversight structures are struggling to keep pace with increasingly autonomous systems.2 Capability is advancing faster than the structures meant to govern it. Authority keeps being delegated before the oversight to manage it exists.

The behavior this produces is already visible. McKinsey’s 2025 playbook on deploying agentic AI found that 80% of organizations had already encountered risky behaviors by AI agents, including improper data exposure and unauthorized access to systems, even as autonomous deployments accelerated.3 The agents are acting. The oversight is still being built.

This matters acutely for information management. When an AI system is misconfigured, manipulated, or overly trusted, what is exposed isn’t just data or credentials, it is decision logic, behavioral influence, and institutional trust. A single misconfiguration can propagate incorrect behavior across thousands of interactions before anyone notices. Once behavior shifts, tracing how a particular output was generated can be difficult or impossible, making the decision hard to defend after the fact.

AI doesn’t fail because it lacks intelligence. It fails when an organization can’t clearly own, explain, or intervene in its work.

The Solution: Answer the Ownership Questions Before You Delegate

The key challenge is defining clear ownership before giving an AI system authority, knowing data locations, responsible handlers, and how to ensure trustworthiness over time. This has always been part of information management. AI doesn’t remove this responsibility; it heightens its importance. Before entrusting a system that recommends flags, scores, or acts, three specific questions should already have designated owners.

1. Who holds responsibility if this system produces the wrong results? Not the model or “the business.” A specific individual who is accountable if the output causes harm. If the response is a blame game among risk, compliance, data, and IT, the system isn’t ready for the authority you’re about to assign it.
2. How will drift, misuse, or manipulation be identified and managed? A model starts aging the moment it goes live: the world it was trained on keeps evolving while the model holds its last snapshot. Who monitors that? By what mechanism? How often? Without clear answers, the system gradually becomes less accurate until the problems surface downstream.
3. Who must explain and defend these decisions a year from now? Auditors, regulators, customers, and your own executives will eventually ask why the system acted as it did. That capability can’t be added after the fact; it must be built in before deployment, not uncovered during an investigation.

If answers are unclear, the risk is already present, regardless of whether the system is active or not. The most effective step an information management leader can take is to clarify these answers early, when resolving them is inexpensive, rather than waiting until an incident makes fixing them costly. Organizations that govern AI intentionally by investing in ownership before deployment typically outperform those that focus on speed; they experience fewer failures and can scale further because their foundation is solid.

Two Real Examples: When the System Worked and Accountability Didn’t

A government chatbot that confidently violated the law. In October 2023, New York City introduced MyCity, a generative AI model trained on thousands of pages of official city guidance to assist small-business owners with regulation navigation. By March 2024, The Markup and THE CITY investigation revealed it was confidently advising businesses to engage in illegal activities, telling employers they could keep workers’ tips and landlords they could refuse tenants using housing vouchers. The system wasn’t hacked or malfunctioning; it was producing fluent, convincing answers like any language model. What was lacking was oversight: no accountability for accuracy, no process to prevent dangerous advice from reaching the public via the official .gov site, and no limits on what it could respond to. The city’s initial response was to add a disclaimer and continue operating the system.

An airline that argued its own chatbot wasn’t its responsibility. When a grieving customer inquired about bereavement fares through Air Canada’s website chatbot, the bot incorrectly stated that the discount could be applied retroactively, which conflicted with airline policy. Air Canada refused to issue the refund. The customer then brought the case to British Columbia’s Civil Resolution Tribunal, where the airline claimed the chatbot was a separate legal entity responsible for its actions. However, in February 2024, the tribunal dismissed this argument, affirming that a company is accountable for all content on its website, including chatbots. As a result, Air Canada was found liable for negligent misrepresentation. This case highlights a misconception that using a chatbot shifts responsibility for its responses away from the company.

Two sectors. Two technologies. The same failure. In neither case did the model break, nor was there a security breach. Each failed in the space between a functioning system and the human responsibility for what it produced, exactly where security assumes governance is watching and governance assumes security has it covered. The lesson is consistent: when a system speaks or decides with your organization’s authority, someone must own what it says, explain how it got there, and have the power to stop it. Those aren’t features you add after launch. They’re the conditions that make deployment defensible in the first place.

Next Steps

Machines are increasingly skilled at recommending, scoring, summarizing, and suggesting at a scale beyond what human teams can handle. However, they cannot be accountable, regardless of their capabilities. Accountability requires owning consequences, which only people can do. This highlights that this is as much an issue of information management as it is a technological challenge. Here are some initial steps to consider:

• Map the boundaries. Clarify the boundary between security’s assessment of an AI system and governance, and determine who is responsible for the space between them. Currently, most organizations would honestly say, “no one.” The first step is to address that gap.
• Assign a person to each model. In or near production, not a team, identify who owns the outcome. If you cannot specify someone, that is your top risk.
• Treat data freshness as a governance control, not a maintenance task. Decide which sources expire, how fast, and who is responsible for updating what the model reads.
• Prepare explanations in advance. Assume an auditor, regulator, or executive will ask why a decision was made. Build traceability now, while it’s cheap.

Technology continuously evolves, and this will never change. The core discipline, knowing where information is, who owns it, and who is responsible for the decisions it impacts, has never been more important. This is precisely when it is needed most.

Sources

1. McKinsey & Company, “The State of AI in 2025: Agents, Innovation, and Transformation,” November 2025.
2. McKinsey & Company, “State of AI Trust in 2026: Shifting to the Agentic Era,” March 2026 (survey conducted December 2025–January 2026).
3. McKinsey & Company, “Deploying Agentic AI with Safety and Security: A Playbook for Technology Leaders,” November 2025.
4. C. Lecher, “NYC’s AI Chatbot Tells Businesses to Break the Law,” The Markup / THE CITY, March 2024.
5. Moffatt v. Air Canada, 2024 BCCRT 149, British Columbia Civil Resolution Tribunal, February 2024.