Emerging AI Modality Classification and Governance Extension
Establish a process for detecting when new AI modalities — ambient AI, multimodal agents, brain-computer interfaces, always-on AI assistants, and other emerging capability types — enter the organization's environment, and for extending governance coverage to those modalities before they are widely deployed.
Objective
Prevent governance gaps that arise when new AI modality types enter the organization's environment before existing governance controls have been adapted to address their specific risk profile, by maintaining a modality detection and extension process as a standing function.
Maturity Levels
Initial
Governance controls were designed for specific AI modality types (typically text-based LLMs) and have not been updated as new modality types emerged. The organization has no process for detecting new modality types entering the environment.
Developing
The AI governance committee is aware of emerging AI modality types and may discuss them at a high level, but the governance framework has not been formally extended to cover them. Individual teams may deploy emerging modality types without adapted governance.
Defined
An emerging modality detection process reviews new AI capabilities at a defined cadence. When a new modality type is identified that is materially different from those covered by existing controls, a governance extension assessment is conducted to identify which controls require adaptation and what new controls may be needed.
Managed
Governance extension assessments produce documented updates to relevant controls and intake requirements. New modality types trigger an updated intake category and staged release requirement before broad deployment. Ambient AI deployments are subject to a registration requirement regardless of deployment scale.
Optimizing
Horizon scanning for emerging AI modalities is a proactive function rather than reactive detection. The organization participates in AI standards development processes to ensure emerging modality governance requirements are addressed before they become market norms. Governance extension assessments feed into the annual framework review cycle.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- —Modality scanning log documenting new AI capability types reviewed and any governance extension assessments triggered, for the past 12 months.
- —Governance extension assessment records for any new modality types that entered the environment without full coverage under existing controls.
- —Ambient AI registration records for all AI systems in the environment that collect data continuously or without explicit per-interaction activation.
- —AI governance framework update records showing controls updated following a modality extension assessment.
Implementation Notes
The modality governance gap
Most enterprise AI governance frameworks were designed around a specific modality type: text-based large language models accessed via API or SaaS interface. This design assumption was reasonable when the framework was built, but the AI capability landscape is evolving faster than governance frameworks can keep pace with.
The governance gap opens when a new modality type is deployed without the existing framework being adapted to its distinct risk profile. Current and near-term emerging modalities that require governance extension include:
Ambient AI: Always-on AI assistants that observe and process data from the environment continuously — meeting rooms, workstations, operational environments — without explicit user-initiated queries. Distinct risks: continuous data collection without individual consent events; audio/video data processing; persistent context accumulation; unclear off/pause semantics. Examples: Microsoft Copilot Recall, AI meeting assistants with continuous recording, smart speaker AI in workplace settings.
Multimodal agents: AI agents that accept and produce multiple content types (text, images, audio, video, structured data, code) and take actions across multiple tool types. Distinct risks: input classification complexity (MGV-005 must cover non-text inputs); output type governs different risk surfaces; tool call I/O covers a broader action space than text-only agents.
Browser-integrated and OS-integrated AI: AI capabilities built into the operating system, browser, or productivity suite that can observe screen content, clipboard, active applications, and user behavior without explicit activation. Distinct risks: ambient data collection from the full computing environment; no clear perimeter for data classification enforcement.
Real-time voice AI: AI systems conducting real-time voice conversations with employees or customers. Distinct risks: biometric data (voiceprint); real-time transcript generation; customer-facing interactions without typical text-based safeguards; regulatory implications for voice recording in various jurisdictions.
AI-generated code in production: AI systems generating code that is deployed to production without full human review. Distinct risks: security vulnerabilities in AI-generated code; license compliance issues; traceability of AI-generated code components.
The registration requirement for ambient AI
A registration requirement is a lightweight but effective first governance control for ambient AI deployments. Any AI system that collects data from the environment continuously or without explicit activation per interaction must be registered in the AI inventory with specific fields:
- What data does it collect? (audio, video, screen, text, behavioral)
- When is it active? (always-on vs. scheduled vs. user-activated)
- Where is collected data stored and for how long?
- Who has access to the collected data?
- What is the legal basis for data collection in each jurisdiction where it is deployed?
- Has employee notification been provided?
A registration requirement does not mean all ambient AI is prohibited. It means the organization knows what is deployed and has documented the answers to these questions before deployment proceeds.
Example Implementation
Emerging AI Modality Scan — Q2 2026
Cadence: Quarterly | Conducted by: AI Governance Team | Reviewed by: AI Governance Committee
Modalities observed entering or expanding in the environment this quarter:
| Modality | Source | Status | Governance extension required? | Action |
|---|---|---|---|---|
| AI meeting assistant with continuous recording (Teams + Copilot) | Microsoft 365 Copilot update | Deployed — 340 users | Yes — ambient data collection; no prior governance coverage | Governance extension assessment initiated (see EXT-2026-03) |
| Multimodal inputs (image + text) in existing LLM tool | Vendor feature update | Available but not yet enabled | Partial — intake form updated to require multimodal data classification assessment; MGV-005 extension drafted | Intake requirement updated before feature is enabled |
| AI code generation with auto-merge | Engineering team pilot | Pilot stage | Yes — AI-generated code in production is a new modality for us | Blocked pending governance extension assessment |
| Browser AI sidebar (Copilot in Edge) | Deployed on managed devices by IT | Deployed — all managed device users | Yes — OS-integrated ambient AI | Registered in AI inventory (ambient category); employee notification issued; screen data collection confirmed as disabled by policy |
Governance Extension Assessment EXT-2026-03 — AI Meeting Assistant:
- Data collected: meeting audio transcripts; participant identification; real-time summarization
- Legal basis: employee consent (confirmed); customer meeting participants — separate consent flow required
- Jurisdiction notes: Recording consent requirements vary; 12 jurisdictions require two-party consent. Legal review in progress.
- Controls requiring extension: MGV-005 (classify audio/transcript data), DGC-002 (PII handling for voiceprints), HOC-002 (human review of AI-generated meeting summaries before distribution)
- Status: Controls extended; awaiting legal review of two-party consent jurisdictions before enabling customer-facing meeting recording.