AI Governance Institute logo
AI Governance Institute

Practical Governance for Enterprise AI

← News

Four Corporate AI Governance Gaps Partnership on AI Says Organizations Must Close Now

What happened

The Partnership on AI published Corporate AI Governance Matters Now More Than Ever on May 30, 2025, identifying four structural deficiencies it argues are present in most corporate AI governance programs. The four domains cited are supply chain responsibility, end-user terms and conditions, AI assurance ecosystems, and real-time monitoring of autonomous AI agents. The publication is global in scope and directed at enterprises that develop, procure, or integrate third-party AI components at scale. While it carries no binding legal force, it draws on documented incident data and emerging regulatory convergence across frameworks including the EU AI Act, ISO 42001, and the NIST AI RMF Playbook. The Partnership on AI is a recognized multi-stakeholder body whose membership includes major technology deployers and civil society organizations, giving the guidance significant practitioner weight.

Why it matters

  • ·Regulatory exposure is elevated because the four gaps identified by the Partnership on AI align directly with conformity obligations under the EU AI Act, DORA, and sector-specific guidance from bodies such as the Financial Stability Board, meaning organizations that have not closed these gaps may face scrutiny as enforcement mechanisms mature.
  • ·Operational impact is immediate for enterprises running agentic AI systems, as the guidance explicitly states that static model documentation and periodic audits are structurally inadequate to govern autonomous agents that execute code, access external data, and initiate transactions without per-action human approval.
  • ·Organizational risk is compounded by AI supply chain complexity, because a single deployed model may incorporate components from multiple upstream providers with distinct training data provenance and update cadences, creating accountability gaps that traditional IT vendor risk management frameworks were not designed to address.

Governance controls affected

What to do now

  • Re-examine your existing AI system inventory to confirm it captures agentic systems and AI components embedded in third-party software, as these are the categories most likely to be absent from prior classification exercises.
  • Audit third-party AI vendor contracts against supply chain responsibility criteria, specifically verifying that agreements require disclosure of upstream model components, training data sourcing practices, and incident notification obligations.
  • Review your agentic AI monitoring controls for implementation completeness, with particular attention to any agents granted tool access, API permissions, or the ability to initiate transactions without per-action human approval.
  • Begin scoping a standing AI assurance function as a continuous organizational capability rather than a project-level activity, defining required tooling, staffing, and reporting cadence.
  • Prioritize agent monitoring and supply chain gap remediation for operations in regulated industries such as financial services, healthcare, and critical infrastructure, given convergent regulatory expectations from DORA and the EU AI Act.

What to watch next

Compliance teams should monitor enforcement guidance from EU AI Act supervisory authorities as they begin operationalizing conformity assessment requirements that align with the continuous assurance model the Partnership on AI describes. Sector-specific signals from the Financial Stability Board and healthcare regulators regarding agentic AI oversight are expected to intensify through late 2025 and should be tracked for additional specificity on real-time monitoring obligations. Organizations should also watch for updated playbooks from NIST and ISO working groups that may translate the assurance ecosystem concept into auditable control frameworks, which would give the Partnership on AI guidance stronger procedural grounding in formal compliance programs.

Related Coverage

Insight2026-06-27

Mythos 5 Partial Reinstatement Creates Government-Controlled AI Access Tiers With No Transparent Process

The US government on June 27 granted roughly 100 approved companies access to Claude Mythos 5, partially reversing a June 12 export control suspension, while Fable 5 and organizations outside the approved list remain locked out with no published selection criteria or recourse. The action is the first commercial enforcement under a new executive order framework requiring government pre-release review of frontier models, making tiered access structural rather than ad hoc.

Insight2026-06-26

OpenAI's GPT-5.6 Deferral Establishes Government Pre-Review as a Real Variable in Frontier AI Releases

OpenAI delayed the full public rollout of GPT-5.6 at the request of the U.S. government, limiting initial access to vetted partners under a June 2026 executive order that grants the government up to 30 days of advance access to covered frontier models. OpenAI complied while stating publicly it does not want this to become a permanent standard. For compliance teams, the headline is not the delay but what it signals: government pre-deployment review is now an operational fact in AI vendor release cycles.

Insight2026-06-13

Fable 5 and Mythos 5 Suspended by U.S. Export Control Directive: Three Governance Gaps Enterprise AI Programs Have Not Planned For

On June 12, 2026, a U.S. government export control directive required Anthropic to suspend all access to Fable 5 and Mythos 5 for foreign nationals, effectively disabling the models for all customers overnight. The immediate trigger was a narrow code-analysis jailbreak technique, but the directive exposes deeper gaps: most enterprise AI governance programs have no continuity plan for government-mandated model suspension, no process for nationality-based access controls, and no export control review in their AI vendor assessment workflow.