Machines Can Recommend. They Can’t Be Accountable.
In November 1997, I attended my first corporate board meeting. I was 28, and it seemed impressive, a seat on a board of directors at such a young age. However, appearances were misleading. The actual board consisted of me, my brother, our wives, and my mother. Our five children, all under six, were the future board members. The meeting took place at my mom’s kitchen table, while those future members played in Grandma’s living room.
The company microfilmed paper records for large organizations. My mother had come to own it almost by accident: an earlier investment in a publishing company had gone under, and instead of returning her money, the owners handed her a struggling microfilm business. She accepted. By the night of that board meeting, annual revenue was under $150,000, our largest customer had just relocated out of state, and the core service we sold was sliding down the back of its own bell curve (think Blockbuster or Kodak). By every visible measure, the technology was dying.
At twenty-eight, I realized I wasn't truly in the microfilm business. Instead, my focus was on assisting organizations with managing their information, making decisions about its use, determining trustworthiness, and assigning accountability when issues arose. The film, scanners, workflow engines, and BPM platforms that appeared later were simply tools, not the main goal. They served as a means to achieve that end.
In the twenty-eight years since, I’ve ridden wave after wave of technology: document imaging, workflow, BPM, RPA, cloud, big data, and now Enterprise AI. The tools changed every few years. The core never did. And as enterprises rush to adopt artificial intelligence, that unchanging core has quietly become the most important question. It isn’t whether the system can perform the task. It’s who takes responsibility for the result when it does.
Information management leaders already know how to secure systems and oversee processes. During every platform transition, they've honed skills such as controlling access, protecting data, managing retention, satisfying auditors, and proving compliance afterward. These skills are real and well-established.
AI breaks the assumptions they were built on.
Traditional enterprise software functions deterministically: the same input consistently produces the same output. When problems occur, the questions are clear and answerable: Who changed the rule? Who accessed the record? Who approved the action? Governance was managed externally, through policies, reviews, and approvals layered over predictable processes.
AI systems do not operate in that manner. They analyze context, provide suggestions, and are increasingly taking actions based on them. Minor changes in prompts across different situations can produce different results. Occasionally, even the system's developers find its reasoning difficult to understand. Governance cannot remain external to the system anymore, as the system now actively engages in decision-making processes.
Many organizations face challenges here. Traditionally, security and governance function separately, with their own teams, budgets, and reporting lines. When AI is integrated, each function applies its procedures independently. Security focuses on whether the model is secure and risk-free, treating it like infrastructure. Governance assesses whether the AI use case complies with regulations, ensuring it's permitted and auditable. Neither group fully understands the other’s assessments, nor do they share responsibility for what happens in the shared space between them.
AI failures occur in that space, between a technically secure model and an inexplicable decision, between governance policies and systems that cannot enforce them. It is a neglected space that no one was assigned to manage.
The pattern persists because the failures are subtle and go unnoticed. Organizations have silently abandoned AI-based hiring and risk-scoring tools, not due to system failures, but because no one could explain when or why their outputs deviated from acceptable ranges. The models worked as designed. No one took responsibility for their behavior.
The data confirms how widespread this gap has become. In McKinsey’s State of AI in 2025 survey, 51% of organizations reported experiencing at least one negative consequence from their use of AI. Yet only 28% said their CEO takes direct responsibility for AI governance, and just 17% said their board does.[1] Incidents are now common. Clear ownership of them, especially at the top, is not. That is the ownership gap stated in numbers.
The core problem remains: authority was granted to a system before adequate oversight was established. Scale grew before accountability was in place. The organization allowed the machine to influence or make decisions without first asking an essential question: who is accountable if things go wrong?
This is not a problem of awareness so much as one of pace. McKinsey’s State of AI Trust in 2026, which surveyed governance and risk leaders between December 2025 and January 2026, found that only about one-third of organizations report a governance maturity level of 3 or higher and noted that oversight structures are struggling to keep pace with increasingly autonomous systems.[2] Capability is advancing faster than the structures meant to govern it. Authority keeps being delegated before the oversight to manage it exists.
The behavior this produces is already visible. McKinsey’s 2025 playbook on deploying agentic AI found that 80% of organizations had already encountered risky behaviors by AI agents, including improper data exposure and unauthorized access to systems, even as autonomous deployments accelerated.[3] The agents are acting. The oversight is still being built.
This matters acutely for information management. When an AI system is misconfigured, manipulated, or overly trusted, what is exposed isn’t just data or credentials; it is decision logic, behavioral influence, and institutional trust. A single misconfiguration can propagate incorrect behavior across thousands of interactions before anyone notices. Once behavior shifts, tracing how a particular output was generated can be difficult or impossible, making the decision hard to defend after the fact.
AI doesn’t fail because it lacks intelligence. It fails when an organization can’t clearly own, explain, or intervene in its work.
The key challenge is defining clear ownership before giving an AI system authority: knowing where the data lives, who is responsible for handling it, and how to ensure trustworthiness over time. This has always been part of information management. AI doesn’t remove this responsibility; it heightens its importance. Before entrusting a system that recommends, flags, scores, or acts, three specific questions should already have designated owners.
If answers are unclear, the risk is already present, regardless of whether the system is active or not. The most effective step an information management leader can take is to clarify these answers early, when resolving them is inexpensive, rather than waiting until an incident makes fixing them costly. Organizations that govern AI intentionally by investing in ownership before deployment typically outperform those that focus on speed; they experience fewer failures and can scale further because their foundation is solid.
A government chatbot that confidently violated the law. In October 2023, New York City introduced MyCity, a generative AI model trained on thousands of pages of official city guidance to help small-business owners navigate regulations. By March 2024, an investigation by The Markup and THE CITY revealed it was confidently advising businesses to engage in illegal activities, telling employers they could keep workers’ tips and landlords they could refuse tenants using housing vouchers. The system wasn’t hacked or malfunctioning; it was producing fluent, convincing answers like any language model. What was lacking was oversight: no accountability for accuracy, no process to prevent dangerous advice from reaching the public via the official .gov site, and no limits on what it could respond to. The city’s initial response was to add a disclaimer and continue operating the system.
An airline that argued its own chatbot wasn’t its responsibility. When a grieving customer inquired about bereavement fares through Air Canada’s website chatbot, the bot incorrectly stated that the discount could be applied retroactively, which conflicted with airline policy. Air Canada refused to issue the refund. The customer then brought the case to British Columbia’s Civil Resolution Tribunal, where the airline claimed the chatbot was a separate legal entity responsible for its actions. In February 2024, the tribunal dismissed this argument, affirming that a company is accountable for all content on its website, including chatbots. As a result, Air Canada was found liable for negligent misrepresentation. This case exposes the misconception that using a chatbot shifts responsibility for its responses away from the company.
Two sectors. Two technologies. The same failure. In neither case did the model break, nor was there a security breach. Each failed in the space between a functioning system and the human responsibility for what it produced, exactly where security assumes governance is watching and governance assumes security has it covered. The lesson is consistent: when a system speaks or decides with your organization’s authority, someone must own what it says, explain how it got there, and have the power to stop it. Those aren’t features you add after launch. They’re the conditions that make deployment defensible in the first place.
Machines are increasingly skilled at recommending, scoring, summarizing, and suggesting at a scale beyond what human teams can handle. However, they cannot be accountable, regardless of their capabilities. Accountability requires owning consequences, which only people can do. That makes this as much an issue of information management as a technological challenge. Here are some initial steps to consider:
Technology continuously evolves, and this will never change. The core discipline, knowing where information is, who owns it, and who is responsible for the decisions it impacts, has never been more important. This is precisely when it is needed most.