"AI Governance" Means Five Different Things. That's the Problem.
- Ryan James Purdy
- Mar 31
I just published Memorandum No. 8 in the AI Governance in Education Series. It's called The Fractured Application of AI Governance: A Classification Failure Across Five Frameworks, and the Case for Holistic AI GRC.
This one goes wider than education. The argument is straightforward: the phrase "AI governance" is being used across five major international frameworks to describe five fundamentally different things. ISO 42001 means a certifiable management system. NIST means a voluntary risk culture. The EU AI Act means a legally binding enforcement architecture with penalties in the tens of millions. The OECD means norms for national governments. Singapore means practical business processes for responsible deployment.
Same words. Different meanings. And inside every organization, the same fragmentation plays out between legal, IT, procurement, HR, and compliance, each defining "AI governance" through their own lens, each correct within their scope, and each incomplete on their own.
The paper traces four consequences of this classification failure that most governance writing treats separately.
The human behavior problem. 75% of knowledge workers are using generative AI. Over 80% are using unapproved tools. 38% are sharing confidential data with AI platforms without employer approval. The technology is not failing. The people using it are operating outside every governance boundary their organizations have built.
The insurance market as canary. Verisk's generative AI exclusions took effect January 1, 2026. W.R. Berkley introduced an absolute AI exclusion across D&O, E&O, and Fiduciary Liability. At the same time, Armilla launched affirmative AI coverage through Lloyd's. The market is bifurcating: organizations that can document AI governance are accessing coverage. Organizations that cannot are losing it. Governance that is not documented did not happen, in the eyes of an underwriter.
Regulatory velocity. State AI legislation grew from under 200 bills in 2023 to 1,561 by March 2026. The EU AI Act's AI literacy obligation took effect February 2, 2025, and has been in force for over a year, largely unaddressed. The White House released a National Policy Framework for AI on March 20, 2026. The governance floor is rising faster than most organizations can build.
The physical threat surface nobody is mapping. This is where the paper goes somewhere most governance writing does not. Shadow AI literature stops at software. It asks which apps employees are using. It does not ask about the fitness tracker on their wrist, the voice assistant in the conference room, the 28,000 sensors in a smart building, or the AI features embedded in every new phone that enterprise MDM cannot control on personal devices. The Strava fitness app has been exposing military base locations for eight years. The same vulnerability. The same human behavior. If the most security-conscious organizations on earth cannot govern one fitness app, the challenge facing everyone else is orders of magnitude harder.
The paper proposes that the response is not better AI governance alone. It is holistic AI GRC: the integration of governance, risk management, and compliance into a unified approach that spans regulatory domains, organizational functions, and the full physical-digital-behavioral threat surface.
The full paper is available here: https://doi.org/10.5281/zenodo.19297350
Also on SSRN and Academia.
What comes next
The physical device argument in Section 5 is, by a wide margin, the part of this paper that nobody else is writing about. The wearable layer, the smart building layer, and the emerging agentic AI layer are examples of a pattern that will keep repeating. Each new category of AI-capable technology follows the same trajectory: consumer adoption, workplace penetration, organizational exposure, governance response. The next category does not have a name yet.
The next paper in this series will lead with that argument. Working title: Beyond Shadow AI: The Ungoverned Physical Threat Surface in AI-Enabled Environments. It will make the case that holistic AI GRC must be designed with adaptive capacity for risk categories that do not yet exist, built around capability-based classification rather than static inventories of known threats. Think of it as extending horizon scanning from "what's coming" to "what we cannot yet see but must be structurally prepared for."
If you're working in AI governance, risk management, insurance, compliance, physical security, or IoT and this resonates with you, I'd welcome the conversation. These problems are too large for any single practitioner or sector to solve alone. Reach me at jamespurdy624@gmail.com.