
UC Today: From Pilot to Production – The CIO Playbook for Scaling AI Safely


AI is no longer just being tested. It’s running, at scale, across the enterprise. The question now is whether governance is keeping pace.

Most organisations have moved past the AI pilot stage. Users have access to the tools, security guardrails are in place, and data is being collected. But many firms are discovering that what worked in a controlled pilot bears little resemblance to what happens when real people use AI in their day-to-day work.

“AI is in full production now. Organisations have given users access to these tools, they’ve checked boxes on the security side, they’ve done some form of governance and guardrail implementation,” says Esteban Lopez, Senior Manager of Product & Technical Marketing at Theta Lake. 

Why AI Pilots Don’t Prepare You For Production

The gap between a pilot and full production isn’t just about scale but also about behaviour. In a pilot, security teams do their best to anticipate how users will interact with AI. In production, they find out. 

“You can only do so much in a pilot, and you’re only assuming how you think a user is going to use AI,” says Lopez. “In production, for the first time, you really understand how users are interacting with AI, how they’re trying to manipulate it, what it’s returning.” 

As Dan Nadir, Chief Product Officer at Theta Lake, puts it: “With AI, we really are in new territory with respect to user behaviours. In the old world, there’s hardly anything new under the sun for most legacy platforms, like email. But AI is different. When you give a user a tool that has access to all your data, you just never really know what they’re going to do.” 

The result is that risks which never appeared during testing start to surface. A user who crafts a question in just the right way can get AI to return information that is problematic from a compliance and governance perspective.  

What AI Governance Needs To Look Like At Scale

Firms that are managing AI well tend to have followed a similar path. It starts with understanding where users are going and what tools they are using, moves through data hygiene and basic controls, and arrives at the harder question: How do you monitor what’s actually happening in those AI conversations? 

“Monitoring AI interactions and communications becomes critically important,” says Lopez. “You need to know how users interact with their AI tools and what information these tools return. Behavioural visibility is the foundation for organizations to gain a deep understanding of their AI technology.”

The challenge is that traditional monitoring tools weren’t built for this. They look for known, structured risks such as data leakage of account numbers or social security numbers. Today’s AI risks are often subtle and behavioural, and can become visible only over time.

“Applying classifiers to prompts and responses to detect problematic content is important,” says Nadir. “But it’s the behavioural analysis over time that’s really critical. Repeated behaviours aren’t necessarily going to get detected if you look at just one record at a time. You need to be able to see patterns over time to really understand how users are actually behaving.”

 
