AI governance assessments consistently surface the same gaps across mid-market organisations in regulated sectors. The specifics vary by industry and organisational maturity, but the underlying patterns are remarkably consistent. Understanding these gaps is the first step toward addressing them — and in many cases, they are more manageable than they appear once properly mapped.
Gap 1: No AI system inventory
The most fundamental gap — and the one that makes every other governance activity harder — is the absence of a documented inventory of AI systems. Most organisations know about the AI systems their technology teams have built. Fewer know about the AI capabilities embedded in their SaaS platforms, enterprise software, HR systems, finance tools, and customer-facing applications. And almost none have a complete picture of AI features being used by individual employees through consumer tools or API access.
Without an inventory, you cannot classify your systems, cannot assign accountability, cannot monitor their performance, and cannot respond to regulatory enquiries with confidence. Building and maintaining a complete AI system inventory is the unglamorous prerequisite for everything else in AI governance.
Gap 2: Risk classification not completed
Even organisations that have an AI inventory often have not formally classified their systems against applicable regulatory frameworks. This is partly a resourcing issue — classification requires expertise in the frameworks — and partly a prioritisation issue, where AI governance has been on the to-do list without being treated as urgent.
The consequence of unclassified systems is that organisations are making implicit governance decisions without realising it. Deploying a system that has not been assessed against EU AI Act Annex III criteria is a classification decision by default: you are implicitly treating it as low-risk. If a regulator later determines it should have been classified as high-risk, the absence of a documented classification process is a significant aggravating factor.
Gap 3: No documented AI governance policy
Most mid-market organisations do not have a written AI governance policy. They have technology policies, information security policies, and data protection policies — but the specific governance requirements for AI systems, including acceptable use, risk appetite, accountability, and escalation procedures, are typically not documented.
This gap is particularly visible when something goes wrong. Without a policy, there is no baseline against which an incident can be evaluated, no clear process for escalation, and no documentation to demonstrate that the organisation took reasonable steps to govern its AI use responsibly.
Gap 4: Human oversight assumed rather than designed
Many organisations have human review processes that exist on paper but do not function as genuine oversight in practice. Reviewers lack the information, time, or authority to meaningfully evaluate AI outputs before they are acted upon. This is particularly common in high-volume automated decision-making contexts — credit decisions, claims processing, recruitment screening — where the volume of outputs makes thorough review practically impossible unless the process is specifically designed for it.
Effective human oversight requires designing the review process with the constraints of real operational environments in mind: what information do reviewers need, how much time do they have, and what authority do they have to override system outputs? Governance requirements that assume ideal conditions rather than real ones produce oversight that looks credible but is not.
Gap 5: Governance built once and not maintained
Many organisations that have invested in AI governance have done so in response to a specific event — a regulatory change, an audit finding, a client request — and have produced documentation and policies that accurately described their governance posture at that point in time. Six months later, the AI landscape has changed, new systems have been deployed, and the governance documentation no longer reflects reality.
AI governance requires maintenance. The regulatory environment is evolving. New AI capabilities are being deployed continuously. Risk assessments completed at one point in time become stale as systems are updated, training data changes, and the context in which systems operate shifts. Sustainable AI governance requires the same discipline applied to financial controls or information security — regular review, update processes, and continuous monitoring.
About the author
Sonia is a technology risk and AI governance leader with 12+ years of international consulting experience across PwC, EY, and KPMG, spanning London, East Africa, and the Middle East. She has led complex IT audit, controls testing, and data analytics engagements for major regulated institutions including Lloyds Banking Group, Prudential PLC, Shell, RELX Group, McDonald's, and Tesco. She founded VeridianTech Co. to make enterprise-quality AI governance accessible to mid-market organisations — the companies that need it most and have historically been priced out of it.

Sonia Kentaro
Founder & Principal AI Governance Advisor