Developing the Right Team

Artificial intelligence (AI) success is impossible without strong data governance, and behind every effective governance framework is the right team. The evolution from policy to practice depends on clear ownership, accountability, and alignment across the organisation. As AI adoption accelerates, companies must evolve from ad hoc governance to integrated operational governance that connects data, security, and legal functions.

In this second part of our series, we focus on three critical pillars for operationalising AI data governance: clearly defined roles and responsibilities for Data Owners and Stewards, strategic alignment with Security Operations, and partnership with Legal for Data Breach and Incident Response preparedness.

Clearly Defined Roles and Responsibilities for Data Owners and Stewards

AI systems are only as reliable as the data that fuels them. Yet in many organisations, the lines between who owns data and who manages it are blurred. This is where formalising data ownership and stewardship becomes a strategic necessity.

Data Owners are accountable for the quality, integrity, and appropriate use of the data within their domain. They make key decisions regarding classification, retention, and authorised use, which is particularly critical when datasets are used to train or inform AI models.

Data Stewards operationalise those decisions by maintaining metadata accuracy, monitoring for compliance drift, and ensuring that policies translate into daily data management practices.

Defining these roles creates a clear chain of custody for every dataset. When an AI model produces biased, inaccurate, or noncompliant results, the organisation can trace the lineage back to its source and take corrective action. Without these defined responsibilities, accountability weakens, and remediation becomes guesswork.

Effective AI data governance teams establish data domain councils or cross-functional working groups to ensure that every dataset, structured or unstructured, has a designated owner and steward. This clarity forms the foundation for trustworthy, transparent, and auditable AI operations.

How Roles Are Assigned and Who Assigns Them

Roles for Data Owners and Stewards are typically established through a structured governance process led by the organisation's Data Governance Council, chaired by the Chief Data Officer or Chief Information Security Officer. The council designates Data Owners across business domains such as Finance, HR, or Operations, while departmental leaders appoint Data Stewards who manage day-to-day data quality and compliance activities.

Assignments are documented in the organisation's data governance catalogue or platform (for example, Microsoft Purview or Collibra) to ensure visibility, accountability, and traceability. Each role includes defined responsibilities, escalation paths, and authority levels aligned with enterprise data and AI governance policies.

Once assigned, Owners and Stewards receive governance and compliance training, with roles reviewed periodically to ensure they remain aligned with organisational structure, system changes, and regulatory requirements.

Strategic Alignment with Security Operations

AI governance cannot exist in isolation. It must be strategically aligned with Security Operations (SecOps). Security teams are the enforcers of data control and must collaborate with governance teams to protect the entire data lifecycle, including ingestion, transformation, training, and output.

AI models can serve as both targets and vectors of attack. Whether through prompt injection, data poisoning, or model exfiltration, the intersection of data and AI demands a robust and layered defence strategy. Data governance teams must ensure that AI data pipelines are classified, monitored, and protected with the same rigor applied to sensitive enterprise systems.

Integrating AI data governance with SecOps processes involves:

• Embedding data classification policies into DLP and SIEM tools.
• Monitoring LLM requests and completions to detect unauthorised data exposure, policy violations, or anomalous prompt behaviours.
• Leveraging identity and access management controls to restrict model access to authorised users.
• Incorporating AI-specific data flows into vulnerability assessments and threat modelling exercises.

This alignment ensures that data is not only governed but also actively defended. It transforms AI governance from a static compliance function into a real-time operational control mechanism that enhances both resilience and trust.

Legal and Compliance Partnership for Incident Response

AI governance must also integrate seamlessly with Legal and Incident Response functions. Data incidents in AI environments carry unique risks, as model outputs can inadvertently expose personally identifiable information (PII), intellectual property, or confidential business data, sometimes in ways that traditional breach detection systems cannot easily identify.

Legal teams should collaborate with data and security leaders to define AI-specific incident response procedures that include:

• Escalation protocols for data exposures resulting from AI model misuse or misconfiguration.
• Criteria for determining when AI model behaviour constitutes a data breach under privacy laws such as GDPR, CPRA, or emerging AI regulations.
• Evidence collection standards for AI-generated outputs or decision logs to ensure legal defensibility.

Attorney-Client Privilege and Protected Communications

When involving legal counsel during AI-related incidents, it is essential to ensure that all communications, analyses, and findings remain protected under attorney-client privilege and, where applicable, the attorney work product doctrine. This protection safeguards sensitive discussions about breach details, root cause analyses, and remediation strategies from external disclosure or discovery.

In complex AI incidents involving regulated or cross-border data, maintaining privilege not only limits exposure but also enables candid assessment of legal risks and potential liabilities.

A well-prepared organisation treats AI-related incidents as foreseeable risks rather than afterthoughts. Legal and compliance teams should be embedded within governance committees to interpret emerging laws and translate them into actionable playbooks for security and data operations.

Building the Cross-Functional AI Governance Team

Organisations that lead in responsible AI integrate data, security, and legal governance into one cohesive framework. This structure should:

• Establish an AI Governance Council that meets regularly to review data usage, model risk, and compliance posture.
• Define clear escalation paths between data stewards, security analysts, and legal counsel.
• Provide ongoing training for all stakeholders to stay aligned with evolving regulations and emerging threats.

The success of AI depends not only on model performance or the speed of innovation but also on trust. Trust begins with governance, collaboration, and shared accountability across the enterprise.

The Bottom Line

AI governance is not just a policy document; it is a living system of accountability. By defining clear data ownership, aligning with security operations, and embedding legal expertise into your incident response framework, organisations can navigate the AI frontier with confidence.

In Part 3, we will explore how to operationalise your AI data governance framework through practical methods supported by measurable performance metrics that demonstrate governance is not only effective but also driving tangible business value.

In case you missed it: Here's the link to Part 1 – "Why AI Success Depends on Data Governance" (October 2024).