Opinion & Analysis
Written by: Joseph Wallace | Director, Data and AI Governance, Adobe
Updated 10:00 AM EDT, July 15, 2026

Let me tell you something that governance practitioners rarely say out loud: almost nobody in a large enterprise is actually incentivized to do governance. Nobody will say “no” to data governance, but as soon as you ask them to do something, they tune out in favor of revenue-generating projects.
Product managers are measured on features shipped and roadmaps delivered. Engineers are measured on velocity, uptime, and code quality. Executives are measured on revenue, growth, and market position. Data scientists are measured on model performance and research output.
Nobody’s annual review has ever included a line item for “governed responsibly.”
That’s not a criticism of the people or leadership, but a reality of the system as designed. Until you understand it, you can’t change it.
For CDOs specifically, this incentive problem is both the central challenge and the central opportunity. You are often the only person in the organization whose job description explicitly includes governance accountability, which means you are also the only person positioned to change the incentive structure from the inside.
Here’s how governance decisions actually get made inside most organizations.
A product team wants to ship a feature. The feature uses customer data in a way that’s technically permitted, but probably should be reviewed. The governance team flags it. The review takes three weeks. The roadmap slips. The product manager misses their OKR.
Nobody got fired for the data decision. Somebody got a bad review for the delay.
That math plays out thousands of times a day across every large enterprise. And every time it does, the organization learns the same lesson: governance is a cost, not an asset. Something to minimize, route around, or defer to future-them.
The governance team isn’t wrong. The product team isn’t wrong. The incentive structure is wrong.
This is the deeper reason most governance functions end up advisory rather than authoritative. It’s not merely organizational design; it’s that giving governance real authority means giving someone the power to slow things down, and nobody with a revenue target wants that person in the room.
So governance gets a seat at the table, but not a vote.
They can flag. They can recommend. They can escalate to a committee that will schedule a meeting for next quarter. But the person who can actually say no — the one who can walk into a product review and stop a launch — usually doesn’t exist. Or if they do, they report into the same chain that benefits from shipping.
The incentive structure produces exactly the governance you’d expect: visible, documented, and largely decorative.
Here’s where it gets interesting.
The EU AI Act is now in force (Regulation (EU) 2024/1689, officially published July 12, 2024, with high-risk AI system requirements phasing in through 2026), and it doesn’t ask whether you have a governance program. It asks whether you can demonstrate documented decision-making, clear accountability, and the ability to show — after the fact — who made a consequential choice about an AI system and why.
When regulators come asking those questions, “we had a committee” is not an answer. They want a name.
Personal liability is arriving. Directors and Officers (D&O) insurers have begun evaluating AI governance posture as part of underwriting assessments, with several major providers signaling that AI risk management will increasingly factor into premium pricing. Boards are adding AI governance as a standing agenda item. The calculus is changing — slowly, then all at once.
The companies that built governance before the incentive structure demanded it will have a head start. They’ll have the documentation, the accountability structures, and the muscle memory for making hard calls before anyone is forcing them to. The companies that waited will be building it under duress, at speed, with regulators watching.
Incentives don’t change by lecturing people. They change when the consequences of ignoring governance become more visible than the consequences of slowing down a roadmap. As a CDO, you have more levers than most to begin shifting that balance — even before the regulatory pressure becomes unavoidable.
Three places to start:
First, propose named AI ownership as a governance metric tied to performance. Work with your CHRO and business leaders to include AI governance accountability in role descriptions and performance reviews for product managers, engineers, and data scientists who deploy AI. When governance has a line on the scorecard, it stops being optional.
Second, build a governance scorecard that goes to the board quarterly. Boards pay attention to what gets reported to them. A simple metric — total AI systems deployed versus total AI systems governed — forces the conversation about coverage that most organizations are not having. The gap between those two numbers is your governance debt, and making it visible to the board changes the organizational calculus around funding and prioritizing governance.
Third, get ahead of enforcement with one proof of concept. Pick your highest-risk AI system and document it end to end — who made each decision, what data it uses, what guardrails are in place, who is accountable if something goes wrong. Do it before a regulator asks. That documentation becomes your template for everything else, and the exercise will surface gaps you didn’t know existed.
Most of these can be started without a formal budget increase or executive approval, though implementation will vary by organization. They require a CDO who decides that the incentive problem is worth solving and begins solving it.
In my view, there is a window right now – likely 12 to 18 months – where organizations can still build governance proactively, before regulatory enforcement and legal consequences begin arriving in force. This is a practitioner’s assessment based on the current pace of EU AI Act enforcement ramp-up and the trajectory of board and regulatory scrutiny, not a published forecast.
After that window closes, the companies that didn’t build it will be building it reactively. It will be expensive, rushed, and under scrutiny.
Nobody is incentivized to do governance yet.
They will be. And the CDOs who moved before that moment will be the ones the board calls when the regulators arrive.