The promise of artificial intelligence in business is compelling. Increased efficiency, sharper insights, and products that adapt intelligently to customer needs are now part of the narrative in every boardroom. Yet beneath the enthusiasm lies a more uncomfortable reality. The technology is evolving faster than the structures designed to manage it, and companies are already facing challenges that expose just how fragile governance can be when it comes to AI.
Three issues in particular have become recurring themes: model drift, shadow AI, and what might be described as spaghetti machine learning. Each undermines governance in a different way, and each is no longer hypothetical. Recent events already show what happens when policies are not backed by evidence and oversight.
Model drift occurs when an AI model trained on one dataset begins to deviate in accuracy or fairness once deployed in the real world. It is inevitable, as the data environment in production rarely stands still. Unmanaged, drift can lead to poor outcomes, biased decisions, or even regulatory breaches. In 2025, financial institutions have been a case in point. Models used for credit scoring and fraud detection have struggled to adapt to volatile economic conditions, exposing how fragile systems can be when they are not monitored continuously. Researchers have also highlighted the phenomenon of “model collapse”, where systems retrained on their own outputs degrade rapidly, losing accuracy and diversity with each iteration. From a governance perspective, this means policies must not only exist but be evidenced through monitoring dashboards, audit trails, and clear escalation paths when drift is detected.
Shadow AI refers to systems deployed outside of the official technology function. It is the natural extension of shadow IT, with staff now able to access and experiment with powerful AI services in ways that bypass formal governance. This has moved from theory to practice. A 2025 industry study found that a significant proportion of firms already have employees using unsanctioned AI tools beyond the scope of corporate security controls. An IBM report warned that while many organisations claim to have AI policies, only a third actually audit for misuse, leaving boards exposed to risks they cannot even see. In this context, written policies mean very little unless backed by evidence such as usage reports, integration inventories, and periodic reviews that demonstrate genuine oversight.
The third problem, spaghetti ML, arises when multiple machine learning models are built piecemeal across the organisation. Each may solve a discrete business problem, but collectively they form a tangled mess of dependencies, opaque logic, and undocumented processes. When no single party can explain how decisions are being made, governance breaks down entirely. The risks of opacity were highlighted this year when scrutiny of model benchmarking practices at major technology firms showed that the versions tested in public did not always match those deployed more widely, leaving outsiders unable to judge performance fairly. Elsewhere, the rise of agentic systems that contribute to their own future development illustrates just how difficult it is becoming to map model lineage and responsibility. Without proper inventories and dependency mapping, businesses risk building decision-making systems that even their own leaders cannot fully explain.
The good news is that executives and boards already have access to emerging tools and frameworks designed to bring visibility. Model monitoring platforms can track drift in real time, providing both technical and business alerts. AI inventory systems can catalogue all deployed and experimental models, ensuring shadow projects are surfaced. Audit software can automatically log datasets, training processes, and decision-making steps, creating the evidence trail regulators are beginning to demand.
Equally, external frameworks such as ISO 42001 for AI management, and the UK’s AI Assurance Roadmap, provide practical benchmarks against which governance can be measured. For boards, these are not merely technical artefacts but instruments of accountability. They allow directors to ask the right questions and, crucially, to insist on seeing the evidence rather than simply accepting policy statements at face value.
Tools and evidence Boards should expect to see
| Area of risk | What tools exist | What evidence boards should demand |
|---|---|---|
| Model drift | Monitoring platforms with real-time alerts | Metrics over time, retraining logs, records of escalation |
| Shadow AI | Discovery tools that identify unsanctioned usage | Central inventory of AI systems, audit reports, flagged exceptions |
| Spaghetti ML | Lineage and dependency mapping software | Model catalogues showing ownership, dependencies, and provenance |
| Policy enforcement | Governance dashboards and compliance trackers | Logs of approvals, violations, remediation actions |