AI Governance Requires Integrated Privacy, Cybersecurity, and Legal Functions, ISACA Article Argues
What happened
ISACA, the global professional association focused on IT governance and audit, published Collaboration and the New Triad of AI Governance on December 31, 2025. The article argues that effective AI governance requires the formal integration of privacy, cybersecurity, and legal functions across the full AI life cycle, rather than allowing those functions to operate independently. It references the EU AI Act, the NIST AI Risk Management Framework (a voluntary framework rather than a regulation), and multiple U.S. executive orders as converging sources of obligations that collectively make siloed governance approaches structurally inadequate. The piece identifies transparency and accountability as shared obligations that no single organizational function can satisfy alone. While the article does not introduce a new standard or impose binding obligations, it reflects ISACA's institutional position that enterprise AI governance programs must be organized around cross-functional accountability structures with defined decision rights and a shared risk register.
Why it matters
- Regulatory exposure: For high-risk AI systems, the EU AI Act simultaneously requires conformity assessments, data governance documentation, and accuracy, robustness, and cybersecurity measures, meaning compliance programs built around a single function such as legal review or data protection will be structurally incomplete and potentially non-compliant.
- Operational impact: Organizations relying on ad hoc coordination between privacy, security, and legal teams will face gaps in AI risk coverage, because frameworks like the NIST AI RMF expect its Govern, Map, Measure, and Manage functions to be carried out as integrated activities that span organizational silos.
- Organizational risk: Without a formally chartered cross-functional AI governance committee, ownership of AI obligations that sit at the intersection of privacy, security, and legal risk will remain unclear, increasing the likelihood of accountability failures and delayed responses to incidents or regulatory inquiries.
Governance controls affected
What to do now
- ☐ Audit current AI governance structures to determine whether clear ownership is assigned for obligations that span privacy, cybersecurity, and legal functions, and document any gaps.
- ☐ Expand AI system inventories to capture not only the systems in use but also their risk classifications and the specific regulatory requirements triggered under the EU AI Act, NIST AI RMF, and applicable U.S. executive orders.
- ☐ Establish or formalize a cross-functional AI governance committee with defined decision rights, documented escalation paths, and a shared risk register that consolidates inputs from privacy, security, and legal teams.
- ☐ Use ISACA's triad model as an authoritative reference when building internal business cases for dedicated AI governance resources, particularly when presenting program investment proposals to executive leadership or boards.
- ☐ Review whether existing incident response playbooks and escalation paths reflect multi-domain AI risk scenarios that require coordinated action across privacy, cybersecurity, and legal functions.
What to watch next
Compliance teams should monitor whether ISACA supplements this article with more prescriptive guidance, such as updated audit frameworks or certification requirements that operationalize the triad model. Teams operating under the EU AI Act should track the European AI Office's publication of implementing acts and conformity assessment guidelines, which will clarify how multi-domain obligations are expected to be satisfied in practice. Enforcement signals from EU data protection authorities and sector-specific regulators in financial services will also indicate how aggressively cross-functional compliance gaps are being scrutinized.
