Responsible Gen AI Use Is a Governance Problem, Not a Policy Problem
Most organizations are writing Gen AI policies. Fewer are building Gen AI governance. These are not the same thing.
Three Takeaways
- 1
A policy tells employees what they can and cannot do. Governance determines who decides when the policy fails.
- 2
Gen AI governance requires accountability structures that most organizations do not have.
- 3
The organizations that will get this right treat responsible AI as an operating discipline, not a compliance checkbox.
KPMG identifies guiding the responsible use of Gen AI as the third area where HR creates value. This framing is correct. But "guiding" is doing a lot of work in that sentence.
The Policy vs. Governance Distinction
A policy tells employees what they can and cannot do with Gen AI. It sets boundaries. It establishes acceptable use. It can be written in a week.
Governance is different. Governance is the system of accountability that determines: Who decides when the policy is unclear? Who reviews Gen AI outputs for accuracy and fairness? Who is responsible when something goes wrong? How are decisions appealed?
Policy is a document. Governance is an operating system.
Where Most Organizations Are
Most organizations have policies. Some have detailed policies. Very few have governance systems.
The evidence is straightforward: When something goes wrong with a Gen AI output in your organization, can you name the person accountable? Can you describe the review process? Does an appeal mechanism exist?
If you cannot answer these questions, you have a policy. You do not have governance.
Why HR Is the Right Owner
KPMG is correct that HR is the right function to lead this. HR already owns accountability frameworks, performance systems, and employee relations processes. These are the organizational muscles that governance requires.
But HR needs to build new infrastructure. Not just apply existing frameworks to a new technology.
The Operating Model Implication
Responsible Gen AI governance requires embedding oversight into workflows, not bolting it on afterward. This means designing accountability into the operating model from the start.
Organizations that treat governance as a compliance exercise will write policies. Organizations that treat it as an operating discipline will build systems.
The difference will show in the outcomes.
Source: KPMG, "HR holds the keys to creating value from generative AI," 2024
Copyright Notice: This article is the intellectual property of GeneralArc. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form without prior written permission. For permissions or inquiries, contact hello@generalarc.com.
Disclaimer: The views and opinions expressed in this article are for informational purposes only and do not constitute professional advice. Readers should consult with qualified professionals before making any decisions based on this content.
About GeneralArc
GeneralArc is operating model architecture for the AI transition. Its methodology was built across more than two decades inside the operating models of JPMorgan Chase, McKinsey & Company, Nomura, and Deutsche Bank — leading change across 100,000+ employees.
More from AI Transition
The Productivity Paradox: Workers Adopt AI Faster Than Organizations Can Scale It
Workers are adopting AI tools faster than their organizations can absorb the change. The gap between individual adoption and organizational scaling is where ROI goes to die.
AI Psychosis: When Leaders Overestimate What Agents Can Do
The further you are from the work, the more capable AI appears. That distance is creating a dangerous gap between executive expectations and operational reality.
GeneralArc works on the problems these essays describe — diagnosing and redesigning how organizations actually run. If this is the conversation you're having internally, it's worth thirty minutes.
Talk to GeneralArc