A model goes into production. The data governance team reviews lineage and quality. The security team assesses the model's access controls. The privacy team checks for personal data in the training set. The compliance team maps it to applicable regulatory obligations. The vendor management team reviews the third-party components embedded in the pipeline.
Every domain does its job. Every domain issues a green rating.
And still, nobody can answer the question that matters most. What happens when this model fails across all of them at once?
That is not a hypothetical. It is the condition many enterprises are operating in right now. And it is why AI governance, despite years of frameworks, toolkits, and regulatory guidance, keeps producing blind spots instead of clarity.
The problem is structural. Most enterprise governance frameworks were designed to manage risks within domains first, and to coordinate between them second. AI systems reverse that order. Their risks often form across domains first, and only later appear within a single domain's control structure.
That is the architectural challenge AI governance now faces.
The Framework We Trust Most Does Not Have a Cell for This
COBIT is one of the most rigorous governance frameworks in the world. It has been refined across decades, adopted by thousands of organizations, and endorsed by regulators.
Look at how it is organized. Data governance has a column. Security management has a column. Vendor portfolio management has a column. Compliance and assurance have defined structures. AI strategy and technology governance appear in structured capability areas.
Each domain is distinct, structured, and internally coherent.
That design is not a flaw. It reflects a long tradition in enterprise governance. Complex organizations require clear accountability, and domains provide the structure for assigning ownership of controls, policies, and oversight responsibilities.
Within those boundaries, COBIT works extremely well.
But consider a different question. Where in the governance architecture do we track what happens when a data integrity issue in one domain triggers a regulatory exposure in another, while a vendor dependency in a third amplifies both?
Most frameworks assume that coordination between domains will address situations like this. Integration efforts, enterprise risk management functions, and cross-functional governance committees are intended to provide connective tissue.
Those mechanisms are valuable. They improve communication and oversight.
But they operate primarily at the level of information sharing. They do not always create architectural visibility into the risks that form in the intersections themselves.
This is an important distinction. Integration improves how domains talk to each other. Architecture determines what the governance system can see.
ISACA recognized this gap. Its 2025 guidance on leveraging COBIT for AI governance moves in the right direction. But even with those extensions, the way most organizations implement COBIT remains domain-centric. The framework is evolving. The implementation architecture, in most enterprises, largely is not.
That is the design gap modern organizations are beginning to encounter.
The 86 Percent Problem
This gap is not purely theoretical. Organizations feel it constantly.
A February 2025 MIT Sloan Management Review article, based on research from AuditBoard, found that more than 86 percent of audit and risk professionals say data silos affect their team's ability to manage risk effectively.
Eighty-six percent.
That statistic reflects a widespread operational experience. Risk signals often appear in one domain while the consequences surface in another.
But they assume that the existing domain structure is correct and that the primary problem is connectivity.
In practice, connectivity does not always resolve architectural blind spots. Even when every risk register feeds into a shared platform, the governance picture may still reflect the same domain boundaries that produced the original fragmentation.
Integration improves coordination. It does not necessarily reveal risks that form in the space between governance domains.
What AI Actually Touches
Consider a production AI model used in patient risk scoring at a large health system.
The data governance team owns data quality, lineage, and classification. The AI strategy or model governance team owns model development standards, deployment criteria, and performance monitoring. The privacy team owns personal health information handling and regulatory alignment. The security team owns access control and adversarial risk. The compliance team owns regulatory interpretation and examination readiness. The vendor management team owns third-party dependency and contractual oversight.
Six domains. Six ownership structures. Six legitimate areas of responsibility.
Each one necessary. Each one incomplete when viewed in isolation.
When a model failure occurs in practice, it rarely presents as a single domain event. It is more often a compound sequence. A signal appears in one domain, passes through a gap that sits between governance functions, and surfaces as a finding in another.
No single domain can reasonably see the full propagation path on its own. Not because the professionals in those domains lack expertise, but because the architecture of oversight distributes the signals across multiple functions.
Governing AI Requires a Different Field of View
The conversation about AI governance has largely focused on what to govern within domains. What data standards apply. Which regulatory frameworks control. How model decisions should be documented. What vendor controls must be established.
These are necessary questions. Every domain must continue strengthening its own governance practices.
But an additional structural question is now emerging. How does risk move between the domains that each claim partial responsibility for the same system?
The 2025 AI Governance Benchmark Report found that 58 percent of leaders cite disconnected systems as the top blocker preventing them from scaling AI responsibly. Only 14 percent enforce AI assurance at the enterprise level. These are findings about architectural gaps that domain governance alone cannot close.
It requires treating cross-domain risk scenarios as formal governance objects, defined before deployment, not discovered after a finding.
That is a structural change. It does not replace domain governance. It adds a layer of visibility that domain governance alone cannot provide.
Every domain green. And still, no one owns the picture no single domain can see.
The Institute for Cross-Domain Governance advances research focused on risks that form between governance domains. This article is part of an ongoing series examining AI governance as a cross-domain challenge within modern enterprises.