Governance Theater
Why the most dangerous AI governance is the kind that passes every audit.
Most organizations that believe they govern their AI have built the performance of governance, not the fact of it. The two are nearly indistinguishable from the outside, and often from the inside as well. They diverge at exactly one moment: when a deployed system produces an outcome someone has to answer for. At that moment, the published principles, the ethics committee, and the policy on file do none of the work. What does the work is a named owner, a record of the decision, and the authority to have stopped it. Most organizations have invested in the first set and assumed it produced the second. It does not.
This is worth naming precisely, because the naming is the part that has been missing. Governance theater is governance optimized for the appearance of control rather than the fact of it. It is not fraud. It is rarely even cynical. It is the predictable result of asking an organization to demonstrate governance on a timeline faster than governance can actually be installed, in a market that rewards the demonstration and does not yet test the substance. The artifacts that signal governance are cheap and fast to produce. The architecture that exercises governance is slow, expensive, and invisible until it is needed. Under those incentives, organizations build what they are rewarded for building.
The pattern is not anecdotal. It shows up in the academic record, in the corporate record, in the survey data, and in the case law, and it shows up the same way in each.
The principle is the easy part
In 2019, researchers at ETH Zurich published a study in Nature Machine Intelligence that catalogued the global landscape of AI ethics guidelines. They found 84 separate sets of principles issued by companies, governments, and institutions worldwide. The striking finding was not the volume. It was the shape of the agreement. The documents converged on a small set of high-level principles (transparency, justice and fairness, non-maleficence, responsibility, and privacy) with remarkable consistency. And they diverged, sharply, on the question that determines whether a principle governs anything at all: how it should be implemented, by whom, and with what consequence for noncompliance. The field had reached consensus on what to value and no consensus on how to enforce it.
That same year, Brent Mittelstadt of the Oxford Internet Institute published a companion critique, also in Nature Machine Intelligence, arguing that principles alone cannot guarantee ethical AI. His reasoning is the load-bearing point for everything that follows. Medicine has principles that work, he noted, because medicine also has the infrastructure that makes principles bind: fiduciary duties, professional norms developed over generations, proven methods for translating principle into practice, and robust legal and professional accountability mechanisms. AI development has the principles and almost none of the infrastructure. Borrowing medicine’s four principles without medicine’s enforcement apparatus produces the vocabulary of governance without its function.
There is direct empirical support for the proposition that a principle without enforcement changes nothing. A controlled study presented at a major software engineering conference in 2018 tested whether showing practitioners a formal code of ethics altered their decisions. The researchers ran 63 students and 105 professional developers through a series of real-world ethical vignettes. Half were explicitly directed to consider the relevant code of ethics; half were not. The result was no statistically significant difference between the two groups, for any vignette, for either population. The code was present. The behavior did not move. The authors were careful about the limits of a single study, and the caution is warranted, but the finding is a clean illustration of the mechanism: the existence of the document and the change in the outcome are two different things, and the first does not produce the second on its own.
The corporate record tracks the same divide
If principles are the cheap part and enforcement is the expensive part, you would expect that under cost pressure, organizations cut the expensive part and keep the cheap one. That is what the record shows.
In March 2023, Microsoft eliminated its Ethics and Society team during a broader round of layoffs. The team’s specific function was to translate the company’s published AI principles into product-level practice, the connective tissue between the values statement and the shipped feature, and it was cut in the same period the company was accelerating the integration of generative AI across its products. Microsoft’s published principles remained in place. Its Office of Responsible AI and other governance bodies remained in place, and the company has stated, accurately, that it continues to invest substantially in responsible AI. That response is true, and it is also the cleanest possible illustration of the thesis. When the organization had to choose, the principles survived and the team that operationalized them was the line item that did not. The performance layer is more durable under pressure than the function layer, because the performance layer is what the outside world can see.
This is not unique to one company, and it is not evidence of bad actors. The broader transparency picture has moved in the same direction. Stanford’s Foundation Model Transparency Index, which scores major AI developers on disclosure, found persistent and systemic opacity precisely in the areas that matter most for governance: the effectiveness of guardrails, the handling of data, and downstream impact. The areas where companies disclose least are the areas where governance would actually be tested.
The survey data shows the same gap at scale
The 2025 McKinsey State of AI survey provides the clearest quantitative picture. Seventy-eight percent of organizations reported using AI. Against that near-universal adoption, the governance figures are strikingly thin. Twenty-eight percent reported that their CEO was involved in overseeing AI governance. Seventeen percent reported board-level oversight. Twenty-seven percent said all generative-AI output was reviewed before use. McKinsey’s own analysis found that CEO-level oversight of governance was the factor most correlated with bottom-line impact from AI, which means the element most predictive of value is also among the least common.
Read those numbers together and the shape is unmistakable. Adoption is everywhere. Senior ownership of the consequences is rare. The same survey found that roughly one percent of leaders described their AI rollouts as mature. The governance that exists is, overwhelmingly, the part that can be documented and published. The part that requires a named human to own a consequential decision and answer for it is the part that most organizations have not built.
None of this means the principles are worthless or the ethics statements are a con. Principles are necessary. They set direction, they signal intent, and they give the eventual enforcement architecture something to enforce. The error is not in having them. The error is in treating their existence as the finished state, when they are the first and easiest step of a much longer build.
The gap becomes concrete the moment a system fails
Theater holds right up until something tests it. Then the missing layer becomes the only layer that matters.
In February 2024, the British Columbia Civil Resolution Tribunal decided Moffatt v. Air Canada. The airline’s customer-service chatbot had given a passenger false information about bereavement fares, and the airline refused to honor it. Air Canada’s defense is the detail worth remembering: it argued that the chatbot was, in effect, a separate legal entity responsible for its own actions. The tribunal rejected that argument completely and held the airline responsible for everything its website told a customer, whether the words came from a static page or an AI. The monetary award was small, just over 800 Canadian dollars. The principle it established is not small. “The system did it” is not a defense. The output has an owner whether or not the organization ever decided who that owner is.
The same logic is now arriving through regulators, aimed at the claims themselves. In March 2024, the U.S. Securities and Exchange Commission settled its first enforcement actions for “AI washing,” charging two investment advisers with overstating their use of artificial intelligence and imposing penalties totaling 400,000 dollars. In September 2024, the Federal Trade Commission announced Operation AI Comply, a coordinated sweep against companies making deceptive AI claims. The through line is that the performance of AI capability is no longer costless. Regulators have begun testing claims against reality, and the performance of governance sits in the same category of claim.
The test that separates the two
Because governance theater is built from real artifacts, you cannot detect it by looking at the artifacts. A published principle looks like a published principle whether or not anyone is accountable to it. The only reliable test is to run a real case through the system and see what comes out.
Take one consequential decision your organization made in the last quarter in which an AI output played a part. Then try to answer three questions from a record rather than from memory. Who owned that decision. What AI output influenced it, and was that output validated before it became action. And who held the authority to stop it before it shipped, if stopping it had been correct. If those answers exist as a record, you have governance. If they exist only as a policy asserting that such answers ought to exist somewhere, you have documentation. The distance between those two states is not a documentation gap that better paperwork closes. It is the entire exposure, and it does not close on its own.
This is the failure mode that should concern competent, well-run organizations the most, precisely because it does not feel like failure while it is happening. Nothing breaks during the performance. The committee meets, the principles are published, the policy is cited in the audit response, and every external signal reports that AI is governed here. The failure surfaces only at the one moment the structure exists for: when an output causes harm and the organization reaches for the owner, the record, and the authority to have intervened, and discovers it built the parts that demonstrate governance and skipped the parts that exercise it.
The work is not to publish a better principle. The principle is already there. The work is to install the layer underneath it that the principle has been standing in for: defined ownership, a decision record, and real escalation authority, calibrated to the consequence of the decision rather than to the appearance of control. That layer is unglamorous, it does not photograph well in a board deck, and it is the only part of AI governance that does anything when it is finally needed.
The Evolving Mindset publishes weekly on AI governance and organizational accountability.
Sources and notes
AI ethics guidelines convergence on principles and divergence on implementation: Jobin, Ienca and Vayena, “The global landscape of AI ethics guidelines,” Nature Machine Intelligence, 2019 (84 documents identified).
Principles cannot guarantee ethical AI without enforcement infrastructure: Mittelstadt, “Principles alone cannot guarantee ethical AI,” Nature Machine Intelligence, 2019.
Code of ethics produced no measurable behavioral change: McNamara, Smith and Murphy-Hill, “Does ACM’s Code of Ethics Change Ethical Decision Making in Software Development?”, ESEC/FSE 2018 (63 students, 105 professionals).
Microsoft Ethics and Society team eliminated March 2023: first reported by Platformer; widely corroborated (TechCrunch, The Register, Washington Post). Microsoft’s continued responsible-AI investment via the Office of Responsible AI is per the company’s own statements.
Foundation model transparency gaps: Stanford HAI/CRFM Foundation Model Transparency Index (2023 and 2024 editions).
Adoption and governance-ownership figures (78% AI use; 28% CEO oversight; 17% board oversight; 27% review all gen-AI output; ~1% mature rollouts): McKinsey, “The State of AI,” 2025.
Moffatt v. Air Canada, 2024 BCCRT 149, decided February 14, 2024 (total award CA$812.02; “separate legal entity” defense rejected).
SEC AI-washing settlements (Delphia and Global Predictions, penalties totaling $400,000), March 2024; SEC primary release 2024-36.
FTC Operation AI Comply announced September 25, 2024.
All figures above were verified against primary or top-tier sources during research. Where reporting traces to a single original outlet, that origin is noted. Nothing in this piece constitutes legal advice.

