AI Governance Is Not AI Ethics

Somewhere in the last two years, the terms "AI governance" and "AI ethics" became interchangeable. They shouldn't be. They describe different activities, owned by different people, producing different outcomes. Conflating them is causing real problems in organizations trying to get AI right.

I notice this in almost every conversation. A CISO tells me they have AI governance in place. I ask what it looks like. They describe an ethics review board that meets quarterly to evaluate new use cases for bias and fairness. That's valuable work. It's not governance.

A head of data science tells me they don't need governance because their team follows responsible AI guidelines. Those guidelines say nothing about what happens when an agent exceeds its budget at 2 AM on a Saturday. That's the governance problem.

The distinction

AI ethics asks: should we build this? Is this use case appropriate? Does the model exhibit bias? Are we being fair to the people affected? Is this consistent with our values?

AI governance asks: is this system operating within its authorized boundaries right now? Can we prove it? What happens when it doesn't?

Ethics is about intent and design. Governance is about operation and evidence.

The ethics board decides that a claims processing agent should not make final determinations on claim denials without human review. That's an ethics decision. Governance ensures that the agent actually pauses for human review before every denial, logs the human's decision, and records the entire chain for audit. If the agent somehow bypasses that control, governance detects it.

One decides the rules. The other enforces them.

Why the conflation is dangerous

When organizations treat ethics as governance, three things go wrong.

First, there's a false sense of coverage. The board-level report says "AI governance is in place" because an ethics committee exists. Meanwhile, twenty AI agents are running in production with no monitoring, no policy enforcement, and no audit trail. The ethics committee doesn't know they exist. This is not a hypothetical. I've seen it at multiple organizations.

Second, the CISO is left without a mandate. If governance is the ethics board's responsibility, the security team has no clear charter for AI oversight. They sense the risk but lack the organizational authority to address it. The ethics board owns "AI governance" and the ethics board does not operate production systems. The gap between ethics review and production enforcement belongs to nobody.

Third, regulatory requirements go unmet. The EU AI Act doesn't ask whether your AI is ethical. It asks whether you can demonstrate continuous monitoring (Article 9), automatic logging (Article 12), and human oversight capability (Article 14). These are operational requirements. An ethics board that meets quarterly cannot satisfy them. A runtime governance system can.

Different owners, different cadence

The ownership question matters more than it might seem.

Ethics review is inherently deliberative. It requires diverse perspectives, careful consideration of edge cases, and judgment calls about values. This is slow work and it should be slow. Rushing ethical evaluation produces bad outcomes.

Governance is inherently operational. It runs at the speed of the system it governs. An agent making 100 API calls per minute needs governance that operates at that frequency. A policy violation at 3 PM cannot wait for the next quarterly review to be addressed.

Different cadence means different teams. The people who are good at careful ethical deliberation are rarely the same people who are good at building and operating real-time security systems. And that's fine. Both roles are necessary. The problem is when one role is expected to cover both.

In practice, the split should look like this:

The ethics board defines the principles and evaluates new use cases. They answer: should this agent exist, and under what conditions? Their output is policy: this agent may process claims data but must not make final denial decisions. This agent may access customer records but must not retain them beyond the session.

The security and compliance team implements those policies as operational controls. They answer: is this agent complying with its conditions right now? Their output is evidence: audit logs showing that the agent paused for human review on every denial, that customer records were not persisted, that the session stayed within its authorized scope.

The ethics board consumes the governance team's evidence to validate that their policies are being followed. The governance team consumes the ethics board's policies to know what to enforce. The relationship is circular, but the roles are distinct.

What regulators actually want

It's worth noting that the EU AI Act explicitly separates these concerns.

Article 9 requires a "risk management system" that operates "throughout the entire lifecycle" of the AI system. This is governance: continuous, operational, lifecycle-spanning.

Article 10 addresses data governance: the quality and representativeness of training data. This has ethical dimensions (is the training data biased?) but the requirement is operational (can you demonstrate that you tested for it?).

Article 14 requires human oversight: the ability to monitor, understand, and intervene. This is governance infrastructure, not an ethics committee.

Recital 47 mentions that high-risk AI systems should "be developed in such a way that natural persons can oversee their functioning." Functioning. Not design principles. Not value alignment. Functioning.

The regulation wants evidence that the system operates correctly. It does not ask whether the development team had good intentions. This is not a criticism of ethics work. It's an observation that compliance requires something different.

A practical test

Here's a quick diagnostic. Can your organization answer these questions?

Ethics questions (your ethics board should own these):

• What AI use cases have we approved, and under what conditions?
• Have we evaluated our models for bias in the populations they affect?
• Do affected individuals know that AI is being used in decisions about them?

Governance questions (your CISO should own these):

• How many AI agents are running in production right now?
• Which ones processed personal data in the last 24 hours?
• Were there any policy violations this week, and were they blocked?
• Can we reconstruct what a specific agent did on a specific date?
• If an agent is compromised, how quickly can we revoke its access?

If you can answer the ethics questions but not the governance questions, you have an ethics program without governance. If you can answer the governance questions but not the ethics questions, you have governance without ethical direction. You need both. But you need to know which one you're missing.

The distinction between ethics and governance is not academic. It determines who is responsible, what tools are needed, and whether the organization can actually demonstrate compliance when asked. Ethics sets the direction. Governance provides the evidence. Organizations that conflate them end up with neither done well.