The governance category we haven’t named yet — and can’t afford to skip
In 2007, every IT department in America had the same rule.
No personal devices on the corporate network. The company issued the phone. The company controlled the device. The company owned the data.
Clean. Simple. Easy to enforce — until the moment it wasn’t.
Then the iPhone shipped.
Employees showed up with better hardware than IT issued. IT said no. Employees used them anyway. For email. For documents. For calendar. For everything.
Nobody approved it. Nobody made a list of them. Nobody governed any of it.
The shadow fleet deployed itself.
IT fought it for three years. IT lost.
Then came MDM. Mobile Device Management. Containers on the phone. One side for the company, one side for the person. The employee owned the device. The company controlled the data inside the work container.
It took years to build. It cost real money. It required new thinking about what “security” even meant when the perimeter was gone.
Eventually it became invisible. Just infrastructure. The way things work.
Here is the part nobody said out loud at the time.
The iPhone didn’t create the risk. The iPhone revealed a governance model that was already broken. The corporate BlackBerry felt safe because the boundary was physical. One device. One owner. One policy.
That felt like control. It wasn’t.
Humans were always the threat surface. The device just made it impossible to pretend otherwise.
Usual frame: BYOD was a device problem. The reframe: BYOD was a governance model that couldn’t survive contact with how people actually behave.
We are having the same conversation right now. About agents.
Your sales rep has a tool writing follow-up emails before the CRM is updated. Your analyst is summarizing a contract before legal has seen it. Your operations manager asked an AI to pull data from three systems, combine it, and draft a recommendation. No review step. No audit trail. Nobody signed off.
Nobody approved any of it. Nobody made a list of them. Nobody built the container.
The shadow fleet is already deployed.
This is the non-obvious problem. Not “AI is coming.” Every executive in America knows AI is coming. Conference rooms are full of debates about the right platform, the right vendor, the right rollout sequence.
The roadmap is 18 months long. The deployment is already six months in.
Your AI policy governs what you approved. Agents don’t read the policy.
Here is where the BYOD comparison breaks down. And why this moment is more dangerous.
BYOD took years to govern, but the connection surface was bounded. A device connects to a network. You can see it. You can audit it. You can put a container around it.
An agent connects to everything it can reach — and acts on what it finds.
One agent, given access to your employee’s email, can reach your CRM through an integration nobody fully understood. It can draft. Send. Summarize. Update. With no human in the loop. With no audit trail most companies could reconstruct. With no record that would survive a regulator’s first request.
That is not a future scenario. That is a Tuesday.
The connection surface doesn’t grow in a straight line as agents multiply. It compounds.
One sanctioned platform. Three tools your employees installed on their own. The AI your software vendor quietly added in the last update. The agent your procurement team is piloting without IT’s knowledge.
A year from now you have dozens of paths through your enterprise data acting on their own. Your governance model was built for a world where humans moved information one decision at a time.
Agents don’t move information. They act on it. At machine speed. Across every surface they can reach.
Usual frame: We need an AI strategy. The reframe: You already have an AI deployment. The governance didn’t come late. It was never in the plan.
Now here is what nobody in the room is saying.
When the audit arrives — and it will — who gives you the unvarnished picture of what is actually running?
Not IT. IT governs what IT deployed.
Not the vendor. The vendor benefits from expansion. They are not going to tell you the unsanctioned deployment is a liability.
Not the implementation partner. They built what you asked for. They are not auditing what your employees installed last Thursday.
Not the internal team. The internal team owns the decisions that led here.
Every voice with visibility into your AI deployment has a financial or political reason to keep it moving. That is not a technology problem. That is a structural conflict of interest dressed up as a governance gap.
The BYOD fight eventually created a new function. The CISO mandate. The mobile governance layer. The containment architecture. None of that existed before the iPhone forced the question. The companies that figured it out fastest did not fight the behavior. They built the function.
Every other high-stakes industry already figured this out.
You don’t close a hospital acquisition without independent clinical due diligence. You don’t take a company public without an independent auditor. You don’t buy a seven-figure building without an inspector who is not also the contractor.
Nobody skips the inspection. And nobody wants the inspector to also be the contractor.
Enterprise technology never built that function. For two decades the consequences were expensive but survivable. Management presentations drifted from operational reality. Platforms piled up debt. Roadmaps were built on composite pictures nobody verified.
It was survivable because the gap stayed hidden long enough.
AI ends that.
Usual frame: AI governance is a technology and policy problem. The reframe: Every voice in the room gets paid more when the answer is “keep going.” Nobody in the room is structurally positioned to say “not yet.” That is not a tooling gap. That is a vacant chair.
The companies that survived BYOD fastest stopped arguing about whether it was happening. They built governance for the world that already existed.
That is the move now.
Not “should we allow agents.” Your employees already answered that.
The question is who sits in the chair your current governance model has left empty. Someone with no stake in the answer. Someone paid the same whether the verdict is build, fix, pause, or walk away.
That is the function I run in my practice. I don’t build. I don’t staff. I don’t compete for the implementation work that follows. I get paid the same whether the answer is build, fix, pause, or walk away.
That function exists in every high-stakes industry except one.
AI is about to make the absence catastrophic.
The chair is vacant. The agents are running. Those two facts, in combination, are what your roadmap doesn’t account for.
3 minutes. One honest picture.
Before the board question. Before the audit. Before an agent does something your policy didn’t anticipate.
The Board-Ready AI Risk Snapshot benchmarks your exposure across governance, data privacy, vendor risk, access controls, and incident readiness — and delivers an immediate, board-ready report.
Free. No vendor on the other side of the answer.