Field notes · Case F-09 · AI governance

Govern the pipeline, not the model

A model is an artifact of the controls you had, or did not have, while it was built. AI governance that starts at deployment starts too late to matter.

Most AI governance programs are deployment-shaped: review the model before release, red-team the endpoint, publish a policy. Necessary, and structurally late. By the time a model reaches review, its training data has been chosen, its pipeline has run on shared infrastructure with a long dependency tail, and its weights have been copied to places the review will never see. Whatever happened upstream is now baked in and largely unauditable.

You cannot certify an artifact you could not observe being made. Governance is a property of the pipeline.

The stack is the attack surface

Three upstream exposures deserve board attention. Data poisoning: training corpora assembled from the open web can be seeded cheaply by an adversary months in advance, and detection after the fact borders on impossible. Pipeline compromise: training runs on the same software supply chain as everything else, plus GPU drivers and orchestration layers that patch on their own slow cadence. And endpoint exposure: inference APIs are internet-facing production systems that accept untrusted input by design, and when models gain tools and agency, a prompt becomes an instruction with blast radius. Each of these is a controls question, not a model question.

The regulators arrived first

The EU AI Act’s obligations for general-purpose models are in force and phasing in; NIST’s AI Risk Management Framework is the de facto vocabulary in North America. The distinction that matters in a boardroom is the enforcement layer. The AI Act is law: binding obligations with deadlines, supervised by national authorities and the EU AI Office, with penalties defined in percentages of global turnover. The NIST framework is exactly what its name says, a voluntary framework: no regulator, no fine, yet increasingly the standard of care that customers, insurers and courts reach for. Europe regulates first and lets practice follow; North America publishes the framework and lets the market and liability harden it. Both instruments share the pipeline view: documentation of data provenance, evaluation processes, incident reporting and risk management. Which means the compliance artifact and the security artifact are converging into the same thing: evidence that you controlled the making, not just the shipping.

What board-level governance buys

We build AI governance that survives auditors. If the pipeline is yours, the evidence can be too.