AI readiness is a balance, not a build.

In a recent discussion about AI governance, I found myself deep in the mechanics, working through controls and structures, when I had to stop and step back.  I realised I had started solving the how before I had properly looked at the what.  The irony was not lost on me ... governance is itself a discipline that rushes to mechanics and there I was doing exactly that!

Taking that step back surfaced the harder issue, we were not governing something settled.  With most things a board governs, the controls are mature even when the thing itself moves.  Capital, markets and talent all move but the mechanisms for governing them have been refined over decades and sit on solid ground.

AI is different on both counts:

• The technology is pervasive and constantly evolving, spreading into corners of the business faster than anyone maps it.

• The controls for governing it are still nascent.  They are maturing quickly in some areas but they are being built at the same time as the thing they are meant to govern is changing shape.

The controls you design today describe a thing that has already moved by the time they are signed off.

Then when we look at the ecosystem the company operates within, that evolving, half-known thing is not only being managed by the company doing the work, it is being watched by a board that oversees and by compliance and audit functions that enforce.  Both of those lenses are built to govern things that hold still.

So when the company says "we have it all under control", each lens decodes it differently:

• The board hears a steady state it can report upward.

• The auditors hear an evidence trail they can test.

• The company means something far more provisional than either.

The same four words, three different readings, none reconciled against what is actually happening.  That gap is the problem and not one you build your way out of, it is one you have to hold in balance.

Three groups hold three legitimate views of the same reality.

Any organisation running AI in any serious way is doing so across three groups with different relationships to the work.

• The board oversees and carries fiduciary accountability.  Its instinct runs toward caution, because the exposure of getting it wrong is high and the cost of moving slightly later is usually tolerable from where the board sits.

• The company runs the operating model.  Its instinct runs toward movement, because the cost of not adapting is felt in margin, capability and competitive position, week by week.  This is also where AI lands in people's actual work, reshaping roles, judgement and how teams are structured, long before any of that reaches a register. Standing still has a price the board does not pay directly.

• External entities enforce compliance (regulators, auditors, standards bodies, large customers) against frames that are themselves shifting.  Their instinct runs toward demonstrability.  They care less about whether the organisation is moving at the right pace than whether it can evidence what it has done.

Each view is rational from inside its own lens.  The work of AI readiness is not picking a winner between them, it is keeping the three views aligned closely enough that the organisation moves at one pace, with one story, evidenced once.

The mismatch grows faster than anything set up to catch it.

The failure mode in this shape of work does not look like a bad decision.  It looks like drift between the three views.  At any given point, the board's understanding of where the organisation stands on AI is one picture.  The company's actual operating reality is another. What can be evidenced to an external entity is a third.

No single lens can see the drift from where it sits.  Each group has its own meeting, its own reporting line, its own documentary trail. The board's picture comes through management reports prepared for board consumption. The company's operational reality lives inside teams whose reporting up has already filtered and summarised it. Auditors test what they are pointed at. None of these flows reconciles the three pictures against each other. Reconciliation is not a by-product of the normal operating rhythm. It has to be deliberately constructed and that construction is rarely anyone's standing job.

So what is the gap actually doing while it sits unseen?  It is growing and it grows at the speed AI moves rather than the speed governance moves.  That speed is what makes the drift dangerous rather than merely untidy.  A traditional governance gap widens slowly, because the thing underneath it changes slowly.  An AI governance gap widens fast, because the underlying activity is expanding and evolving week by week while the board reviews it quarterly and the auditors annually.  The exposure compounds in the space between those two clocks.  By the time a gap is large enough to notice, it has usually been accumulating for several cycles of the change and only one or two cycles of the oversight.

That speed difference is also why the gap tends to surface involuntarily rather than being caught.  A regulator asks a question that requires the documented position and the operational practice to be presented side by side.  The gap becomes visible because someone external has forced the comparison.  An incident produces a post-mortem that reveals what was being reported up was not what was happening on the ground.  A transition (new CEO, new chair, new audit firm, a transaction in due diligence) forces an inventory in which the three pictures are laid out together for the first time.  In each case the discovery is not the system catching itself.  It is an external pressure or shock catching the system, usually well after the exposure has matured.

Frameworks, registers, policies, controls all assume that the picture they capture is stable enough to be governed against.  In the AI case the underlying ground moves faster than the artefact describing it.  The artefact is accurate at the point of design and increasingly inaccurate from there.  The gap accumulates not because anyone is doing anything wrong but because the cadence of the documents has fallen behind the cadence of the change.

I want to be careful here. I am not describing concrete failures from named organisations.  I am describing a shape of failure that the framework predicts and that experienced practitioners will recognise from their own contexts. The framework's job is to make that shape visible early enough to act on, not to claim a single organisation's story.

The governance framework most organisations have is largely enough.

The implication of all this is more reassuring than the diagnosis suggests.  AI does not require a completely new governance framework.  The framework most organisations already operate is largely sufficient.  However, as AI reaches across the whole organisation, that framework now has to span more than risk and compliance.  It has to hold the operating model, the workforce, the way capability and judgement are built and kept.  What it needs is the recognition that the work running through it has changed shape from build-and-assess to ongoing balance.

That recognition affects three things.

• Cadence.  The work is more frequent and lighter-touch, less the annual review and more the standing watch.

• Lens.  The question is less "is this document correct" and more "are the three views still aligned".

• Literacy.  The directors and leaders holding the balance need to be able to read the instruments themselves, because balance is held in real time between meetings, not designed once at the meeting and then administered.

  
  

None of this is exotic.  Boards already know how to hold balance under uncertainty.  They do it on capital allocation, on succession, on strategic positioning, all of which move and none of which a board governs by standing still.  The difference with AI is not the balancing itself.  It is that the controls boards lean on for those other moving targets are mature and settled, where both the controls for AI and the capabilities of AI are still forming.  The language being used around AI governance is currently disguising the capability that is actually required, by describing it as build-and-assess when the work is closer to navigation.

The tools do the mapping, not the balancing.

There is a fair objection to all this as a whole market now exists to help.  By early 2026 there were many enterprise AI governance platforms, mapping controls to the EU AI Act, NIST and ISO 42001, discovering shadow AI, generating audit-ready evidence and scoring compliance across business units.  Some bring AI use cases into the same system of record a company already uses for financial and operational risk.  This is real, useful work and it closes the visibility gap that leaves many boards governing AI they cannot see.

The tools do the mapping.  What they cannot do is the balancing.  A platform can tell the board which controls exist and whether they trace to a regulation.  It cannot tell the board that "under control" means a settled state to them, an evidence trail to the auditors and something far more provisional to the team actually running the system.  That mismatch is interpretive, not computational.  No dashboard reconciles three groups reading the same words differently, because the gap lives in the reading, not in the data.

The balancing also reaches well past the parts a tool can see.  Mapping controls to regulations is the compliance-shaped corner of governance, the corner tools handle best. However, AI governance, done properly, also has to hold the operating model as it reshapes, the workforce as roles expand and atrophy, the judgement that has to keep pace with the speed of AI-assisted work.  Those are the facets where the balance is actually struck.  They are not mappable in the way a control register is.  What they ask of an organisation is adaptive capacity: the readiness of its people, processes and technology to flex as the ground keeps shifting.  No platform supplies that; an organisation has built it or it has not.

The evidence that the tools do not close the gap is in the adoption figures themselves.  

In a late-2025 survey of three hundred senior leaders at large companies, seventy per cent reported having AI risk committees and most reported infrastructure progress, yet only fourteen per cent said they were fully ready to deploy AI.  

A separate 2026 survey of around nine hundred and fifty business leaders found that more than three-quarters lacked strong confidence they could pass an independent AI governance audit within ninety days. The same study described something closer still to the problem here: inside many organisations the operating side was discovering governance gaps that finance was not funding and that technology leaders were not surfacing.  Three groups, three partial views, no reconciliation.

The structures are being bought and built but readiness is not arriving with them.  A tool can map the known.  It cannot hold the balance of the evolving and differently-perceived.  That is the part that determines whether an organisation is actually ready.

What this looks like for you on Monday.

The temptation, having seen the imbalance, is to commission something: a policy, an audit programme, a mapping exercise.  This is the most common failure of all and it is also the one a large consulting engagement is happy to feed: thick governance documents describing a programme that does not yet exist. The work feels like progress because it produces visible artefacts but it is governance theatre and it slows the real work down.  Audit and policy serve whichever direction is chosen, so building them before direction is set wastes the effort.

A smaller and harder move surfaces the imbalance instead.  It is a single question, put to the organisation without flinching:

Not AI in general.  One real risk, in one real part of the organisation.

Then test whether three things line up around it.

• What AI activity is actually happening operationally?

• What does the board believe is happening?

• What has actually been escalated or documented?

In a balanced organisation those three describe the same reality.  Where they diverge, the gap is the imbalance this whole piece has been describing, made concrete on one real risk rather than left as an abstraction.

That question needs no new committee, no framework rollout, no consulting engagement.  It can be asked at the next board meeting or inside a single function on Monday morning.  Its value is that it forces the comparison the normal operating rhythm never produces, deliberately, before a regulator or an incident forces it involuntarily.  It turns the involuntary discovery into a voluntary one.  That is the whole move and most of the rest is knowing how to read what it surfaces.

AI readiness is a balance held under uncertainty.  A board can treat AI as a portfolio of projects to be tracked, in which case it will produce documents or it can treat AI as a balance to be held, in which case it will produce decisions.  The framework for the second is mostly already in the building.  What tends to be missing is the naming and the willingness to ask the question that surfaces the drift.

Sources

This article draws on Mint Nimbus's thinking paper From Doing AI to Being AI-ready (May 2026).  The paper sets out the framework in full: the three-stakeholder and three-zone lenses, the six governance areas where the balancing work lands, the question worth a board's time in each and the risks of the AI-readiness effort itself.  Contact enquiries@mintnimbus.com for further information.

The article was prompted by the Australian Institute of Company Directors' coverage of its recent Tech Governance Forum, "Directors told to stop admiring the AI problem and start governing it" by Maja Garaca Djurdjevic, 15 May 2026.

Further reading

For readers wanting to go deeper into the points raised here, a few sources worth the time. These are shared because they are useful, not because Mint Nimbus has any affiliation with them.

On the gap between governance structures and actual readiness: "AI governance becomes a board mandate as operational reality lags", Sheryl Estrada, Fortune CFO Daily, 18 December 2025, drawing on Sedgwick's 2026 global risk report.  The fourteen-per-cent-ready figure cited above comes from here.

On the proof gap and cross-functional misalignment: Grant Thornton's 2026 AI Impact Survey of around nine hundred and fifty business leaders is the source for the audit-confidence figure above.  Its framing of an "AI proof gap" (organisations that cannot show how AI decisions are made or who is accountable) is close to the argument made here.  Its observation that operations, finance and technology each see a different part of the governance picture is worth the read.

On governance theatre, stated plainly by executives themselves: WRITER's 2026 AI Adoption in the Enterprise survey (conducted with Workplace Intelligence, December 2025 to January 2026) found that while ninety-seven per cent of executives had deployed AI agents in the past year, three-quarters admitted their AI strategy was "more for show" than actual guidance.  WRITER is an enterprise AI vendor, so read it with that lens, but the admission is striking coming from the C-suite directly.

On the state of the AI governance tooling market: Modulos's "AI governance tools: the 2026 enterprise buyer's guide" catalogues and segments the platforms by where they sit in the governance lifecycle.  It is a clear-eyed map of what the tools do and do not cover. Gartner Peer Insights also maintains a reviewed list of AI governance platforms for those comparing options.

On why visibility, the regulation-versus-governance distinction and AI literacy are the recurring gaps: the comments from Credo AI's Navrina Singh in the Fortune piece above are a useful practitioner view from inside the tooling market.

FAQ: AI readiness and board governance