Blog
A roadmap for developing an AI governance framework
AI is already here, but who is really in control? It has quietly made its way into organisations, often without IT knowing who, what or how. Here is your roadmap for practical AI governance: three concrete steps to help you gain control, reduce risks and unleash AI’s full potential.
AI has already transformed how organisations work. Not through major, centralised decisions, but through employees’ curiosity and their desire to make everyday tasks more efficient. Employees, developers and analysts use AI tools to become faster, more efficient and more creative.
At the same time, in‑house AI solutions, integrations and agent flows are being built that automate an increasing number of decisions. Add to this all the AI agents implemented in cloud services by providers such as Microsoft and Google.
This creates opportunities, but also a new governance challenge.
Good intentions can become a security risk
A large share of AI use today takes place outside established IT and security processes. This is what is often described as Shadow AI. Not primarily as a breach of rules, but as a result of the technology becoming accessible and useful before the organisation has had time to put structure in place.
To govern AI sustainably requires more than policies and guidelines. It requires a technical and organisational framework built on three interconnected steps: discover, detect and protect.
Discover: Understand AI use
Creating transparency. Which AI services are being used, by whom and with what data? Transparency is needed both for human interaction (for example the browser) and for automated use (APIs, AI agents). Logging and traceability ensure long‑term control.
→ Read more about Discover
Detect: Identify AI risks
Seeing AI use is not the same as understanding the risks. Assess when the use becomes risky, whether in content, decisions or behaviours. Context is key. Who is using AI, in what setting and with what data? Continuous validation provides the basis for prioritising actions.
→ Read more about Detect
Protect: AI governance with guardrails
Turning insight and risk understanding into practical AI governance. Central, architectural guardrails enable safe large‑scale AI use. Protection in the browser for human use, and in networks, identity and access control for automated AI. Integrate data protection and access control, without hindering innovation.
→ Read more about Protect
From Shadow AI to a business‑driven AI governance framework
Together, discover, detect and protect form a coherent framework for AI governance.
- Without transparency, the organisation is navigating blindly.
- Without an understanding of risks, it often protects the wrong things.
- Without central guardrails, control is lost as AI use scales.
When all three layers are in place, AI can be moved from the shadows into controlled environments. Not through prohibition, but through architecture, layers and clear structure. Only then can the organisation use AI as a strategic asset, rather than an uncontrolled risk.
From AI governance framework to reality
Building the capability to discover, detect and protect AI in practice requires a cohesive architecture. Not a single tool, but several technical layers working together for practical AI governance.
For organisations that want to take this from theory to reality, it often involves combining:
- network‑ and access‑based protection for AI traffic and AI services
- browser‑based security for human AI use
- central analysis and logging for traceability and follow‑up
- active validation of AI risks over time
Many organisations today use platforms from Cisco and Palo Alto to establish precisely these capabilities, from secure access and data protection to AI‑specific security and guardrails. For analysis, correlation and long‑term traceability in AI governance, solutions from Splunk often play a central role.
What matters most, however, is not which platforms are used, but how they are put together. When these technical capabilities are integrated into a unified architecture, it becomes possible to manage AI use consistently, even as the number of tools, models and agents continues to grow.
Observability
Complex IT environments multiply blind spots and widen the margin for error. Sometimes, all you need is a bird’s-eye view.
About the author
Octavio Harén
CISO & Business Area Manager Cybersecurity, Conscia Sweden
Octavio Harén is the Head of Cybersecurity and CISO at Conscia Sweden. He is responsible for Conscia Sweden's internal information security programme and for leading strategic cybersecurity initiatives, focusing on developing solutions and offerings that address customers' most complex security challenges. With over ten years of experience in IT infrastructure and cybersecurity, Octavio has established himself as a leading expert in the industry.
Related
