Opinion & Analysis

AI Governance and the CDO: Evolution to Enterprise Risk Operator

Written by: Kristina Podnar| Digital Policy & AI Governance Expert | Author | TEDx Speaker, Andreea Bulisache | Board Director & Operating Partner | EU AI Act Contributor

Updated 10:00 AM EDT, July 14, 2026

post detail image
Kristina Podnar| Digital Policy & AI Governance Expert | Author | TEDx Speaker Kristina Podnar is a digital policy and AI governance expert, TEDx speaker, and author of The Power of Digital Policy. She advises organizations on governance, privacy, and digital transformation.

The Chief Data Officer (CDO) role was designed for a different risk environment. Many organizations are still operating as though that environment exists. Legal teams manage compliance exposure; security teams oversee cyber risk; procurement manages vendors; data teams ensure information quality and access; AI teams evaluate models; and business units remain responsible for operational execution.

In the past, when enterprise systems operated within relatively contained, stable environments, this siloed approach could work. But AI has reshaped the operational risk landscape.

The modern global supply chain offers a useful analogy. For years, companies addressed suppliers, logistics, inventory systems, manufacturing, transportation, and sourcing decisions separately. Looked at in isolation, each area seemed more manageable. The vulnerabilities inherent in this approach became evident only when external shocks put the broader system under stress. Organizations realized they did not understand how interconnected dependencies had constrained operational resilience across the supply chain.

Enterprise AI creates a similar dynamic. Many organizations believe they are deploying individual AI capabilities when, in practice, they are creating interconnected intelligence environments.

For example, resolving a single customer complaint may require a customer service agent to retrieve customer data from a CRM, interpret company policy from an internal knowledge base, and rely on a third-party cloud model to process the request. The request may then pass through an orchestration layer that determines the next action, issues a refund through a payment system, and triggers an automated follow-up message. 

What appears to be one simple AI capability is actually a chain of systems, vendors, data sources, and automated decisions operating across the enterprise and with third parties.

Governance exposure no longer sits neatly inside individual technologies or functions but instead emerges between systems: how authority is transferred, data interpreted, decisions executed, and who remains accountable when the outcome is unsatisfactory or plain wrong.

This shift is quietly reshaping the role of the CDO. Historically, CDOs focused on data governance, quality, architecture, analytics, and regulatory alignment. But as AI collapses traditional governance boundaries, organizations increasingly need data leaders to become the connective tissue between technology operations, governance visibility, regulatory accountability, and enterprise coordination.

How AI Is Reshaping Enterprise Risk 

Interconnected intelligence systems do not respect traditional governance boundaries. Today, a customer interaction may trigger simultaneous downstream activity across recommendation engines, external data-enrichment providers, generative AI systems, analytics platforms, orchestration tools, and automated operational workflows. Decisions made inside one system can influence outputs elsewhere in ways that are difficult to trace or explain.

Consider a financial services company using a third-party large language model (LLM) for customer service. A customer inquiry comes in via an agent hosted inside the customer portal, which pulls information from internal knowledge repositories, credit reporting agencies, and recommendation systems before generating a response. If inaccurate information enters the system from any component, the results may impact more than customer communications and extend to compliance obligations, downstream operational decision-making systems, and vendor partners. While each system may perform as intended, tracing accountability becomes challenging because the decision chain spans multiple data sources, vendors, technologies, and governance silos. 

Enterprises increasingly operate as interconnected decision systems rather than the isolated tools most organizations are accustomed to governing. Consider a home improvement center that deploys an automated supplier onboarding process. A third-party risk platform evaluates the supplier, an AI-enabled procurement system recommends approval, the ERP system creates the vendor record, an accounts receivable platform processes invoices, and a payment platform authorizes transactions.

If the original risk assessment fails to identify a sanctions concern, that error can move through the workflow and trigger a series of automated decisions. Each system may function as designed, yet the enterprise can still produce the wrong outcome.

The risk lies not only within individual models or providers, but in the assumptions, decision thresholds, and transfers of authority connecting them.

Many organizations are experiencing a growing disconnect between individual AI deployments and enterprise transformation efforts. For example, the data team accelerates content production using generative AI while legal and governance teams struggle to review outputs at scale. Customer analytics systems optimize engagement while privacy, compliance, and risk teams work to understand the downstream implications of doing so. Procurement teams approve external AI-enabled services while security and data leaders attempt to mitigate newly introduced dependencies.

Organizations do not usually appreciate the extent to which critical business processes rely on external models, cloud infrastructure providers, orchestration platforms, or AI vendors. A model update, service outage, or governance failure that occurs outside the organization can create significant operational consequences internally, even if the enterprise did not contribute to the outcome.

None of these individual initiatives is necessarily problematic in isolation. The challenge emerges through their interaction, which introduces a far more dynamic and interconnected operational reality.

The CDO as enterprise coordinator

As these environments become more complex, organizations need someone with visibility across the operational system as a whole. That responsibility lands with CDOs and chief data and information officers (CDAIOs) because data, models, orchestration, lineage, governance, and operational accountability are now part of major enterprise AI initiatives. 

Consider an AI-enabled consumer goods pricing system. Historically, the CDO’s responsibility centered on ensuring that customer, inventory, and market data were well governed and accurate.

Today, the role also includes understanding which internal and third-party models influenced the price, how the orchestration layer reconciles competing recommendations, and which business constraints drive the decision. It also means knowing where human approval is required and whether the organization can reconstruct why a particular customer received a particular offer. 

The CDO’s role is shifting from stewarding enterprise data to participating in governing end-to-end decision-making systems that data powers.

As the role expands beyond traditional stewardship into operational coordination, CDOs increasingly need to form tighter partnerships – or in some cases assume responsibilities – that have traditionally belonged elsewhere in the organization. For example, this may include: 

  • AI inventory management with CTOs
  • Model and system traceability with CIOs
  • Vendor governance with procurement
  • Regulatory readiness with legal
  • Cross-functional risk reviews with internal audit

The role also increasingly requires tighter coordination with business leaders who own a portion of the AI lifecycle but lack visibility into the broader operational system.

As a result, new governance processes and accountability structures are also emerging. Organizations are creating cross-functional governance boards, AI dependency maps, decision chain documentation, and mechanisms for monitoring how intelligence flows across systems and vendors. 

For example, an AI dependency map for an automated customer refund process will identify the customer data retrieved from the CRM, the external model interpreting the request, the orchestration platform deciding whether the claim meets policy requirements, the payment system requesting human approval for refunds over a specified amount and then executing the refund, and the vendor infrastructure supporting each step. 

It would show where human validation, intervention, and approval are required, which policies and controls apply, who owns each decision point, and how the organization will trace the process if something goes wrong. 

Often the CDO is the executive responsible for connecting these activities and creating a coherent governance model. This work increasingly extends beyond AI governance to encompass enterprise risk visibility, vendor dependencies, observability, policy enforcement, and cross-functional accountability.

The governance perimeter now extends beyond the enterprise

The EU AI Act is being implemented in phases, and the earliest requirements are already in effect. The ban on prohibited practices took effect in February 2025, and the obligations on providers of general-purpose AI models followed in August 2025. Some practices are prohibited outright, regardless of how carefully they are governed, including social scoring, the untargeted scraping of facial images to build recognition databases, and emotion recognition in the workplace.

The obligations that reach the decision chains described here are the ones for high-risk systems, and the Act names those systems directly. Annex III identifies high-risk use cases including credit scoring and creditworthiness assessment, risk assessment and pricing for life and health insurance, and recruitment and worker management, which are among the processes enterprises are more actively automating. Those obligations were originally scheduled to take effect in August 2026. Proposed changes under the Digital Omnibus would extend that timeline to December 2027, although those amendments have not yet been formally adopted. In each case, accountability for the outcome does not stop at the enterprise boundary.

The longer timeline offers less relief than it appears, because of what the Act actually requires. A high-risk system must operate under a documented risk-management process, draw on governed data, build in defined points of human oversight, and carry technical documentation a regulator can examine. It must also keep records detailed enough to reconstruct how a given decision was reached, and that reconstruction cannot stop at the organization’s own systems. 

Where a third-party model sits in the chain, its provider is now obliged to pass down technical documentation and a summary of the data the model was trained on. Traceability is becoming a shared obligation that moves up the chain, rather than a control any single organization can satisfy on its own. Building that capability takes longer than the deadline that was just moved.

This is where many CDOs are exposed. When a regulator raises the question, it will not be about how good the model is but about whether the organization can show traceability, oversight, and accountability across every system and vendor involved in the decision. For most organizations, that visibility ends at their own door.

The exposure tends to surface at a particular moment. A regulator, an auditor, or a board asks why a particular customer was declined, flagged, or charged a particular price, and the organization can account for its own model but not for the external data that fed it, the vendor’s decision logic that scored it, or the orchestration layer that made the call. The decision moved across systems the CDO does not fully control, yet the accountability remains with the enterprise. A CDO who cannot trace decisions across vendors, orchestration layers, and third-party providers is not facing a governance gap so much as a regulatory exposure the board may not yet realize it carries. 

The next phase of AI governance will be operational

Many organizations still measure AI maturity using deployment metrics. But the number of copilots or the level of AI deployment reveal very little about whether organizations can coordinate interconnected intelligence environments responsibly and at scale.

The next maturity phase will depend on whether an organization can govern AI systems as part of a coordinated operational environment. For CDOs, that shift creates some immediate priorities.

Create visibility into AI dependencies 

Map how internal and external systems exchange data, models, prompts, APIs, and decision inputs. Identify where changes, failures, or policy violations in one system could affect downstream decisions. Prioritize high-impact use cases and document the systems, vendors, data flows, and business decisions involved. 

Establish accountability across decision chains

Define who is responsible for approving AI use cases, validating data and model inputs, monitoring outcomes, responding to incidents, and authorizing changes. Where responsibilities are shared, document escalation paths and identify the executive accountable for final decisions. 

Strengthen traceability

Document how data, models, and decisions move through the organization and across upstream and downstream partners.

Partner across the enterprise

Work closely with procurement, legal, security, and compliance teams to understand third-party risk and governance responsibilities.

Develop an accountability framework

Clarify ownership when decisions span multiple systems, vendors, and business functions.

Prepare for regulatory oversight

Maintain documentation, oversight mechanisms, and explainability that can support regulatory inquiries.

Organizations that succeed in the next phase of AI adoption will not be those that deploy the largest number of systems. It will be the ones that can demonstrate operational control across interconnected intelligence ecosystems. 

As AI operates across data sources, business functions, vendors, and third parties, and decision chains, legacy weaknesses will become harder to ignore. Informal coordination does not scale when systems act independently and across the enterprise. 

Moving forward, organizations will measure AI maturity by how effectively they connect, govern, and operate these systems, and whether they can account for the decisions intelligent systems shape.

Related Stories

August 27, 2026  |  In Person

Dallas CDO Forum

Omni Las Colinas

Similar Topics
Artificial Intelligence
Data Management
Diversity
Testimonials
background imagebackground image
Community Network

Join Our Community

starElevate Your Personal Brand

starShape the Data Leadership Agenda

starBuild a Lasting Network

starExchange Knowledge & Experience

starStay Updated & Future-Ready

logo
Social media icon
Social media icon
Social media icon
Social media icon
About