AI Governance Needs People and Accountability Infrastructure

In a piece published by the IAPP on June 3, Joseph Wallace — Director of Data and AI Governance at Adobe — opened with a confession: "I have wasted my life." A decade spent building data governance programs, cataloguing metadata, chasing engineers to label datasets properly, and watching compliance go sideways anyway. His diagnosis of why that happened is the most honest thing a governance practitioner has published in print this year. His prescription — people, proximity, persuasion — is mostly right. The gap between mostly right and fully right is where enterprise AI governance programs break down at scale, and that gap is worth examining.

Wallace's piece is worth reading in full before engaging with it, because the argument is more considered than the provocative framing suggests. He isn't arguing that frameworks don't matter. He's arguing that frameworks deployed from a distance, without operational presence in the rooms where decisions get made, fail regardless of how well-designed they are.

What Wallace Gets Right

The core of Wallace's argument is that most enterprise governance programs are structured around the wrong moment in the development process. They arrive at review, at audit, at the point where a feature is ready to ship — which is also the point where changing anything is maximally expensive and minimally likely. By then, the data engineer has already labeled the dataset "asdf" at 11 p.m. because the pipeline wouldn't wait. The product manager has already committed to the timeline. The governance function shows up with a checklist and a confused look.

"Something shifts when governance is present at the inception rather than wagging my finger and arriving after the fact. Engineers start asking governance questions themselves. Not because they're required to, but because a trusted colleague is standing next to them who makes it easier to do the right thing than to skip it."

Joseph Wallace

Director of Data and AI Governance — Adobe, IAPP

June 3, 2026

That observation deserves to be taken seriously rather than just cited and moved past. Wallace is describing something that most governance literature misses entirely: the difference between governance as a control function and governance as a working relationship. A control function can be bypassed, ignored, appealed to legal, or simply scheduled around. A working relationship is harder to avoid because the person is already in the room. The product manager who would have waved off a governance checklist will ask a different question when there's a colleague who has been in every sprint review for three months and knows the product as well as they do.

His metaphor for the end state is the best compressed version of what functional governance produces that this publication has encountered in writing about this subject: governance is the thumb on the hose. Water moving through a constrained channel moves faster and farther than water that just spills. The organizations that have built this aren't running slower because of governance. They're running faster because approvals follow a defined process rather than getting negotiated from scratch every time.

"Governance is not a control function. It is a product. It accelerates innovation by channeling efforts with guardrails."

Joseph Wallace

Director of Data and AI Governance Adobe, IAPP

June 3, 2026

What the Argument Misses Though

We agree that Wallace's model does works at human scale. One practitioner, embedded across an organization, building relationships with engineers and product managers one conversation at a time. That model works because it's built around a single person who knows the full landscape — who knows which team is shipping what, which dataset has a problem, which product manager will need a governance conversation before they realize it. The model depends on that person being able to hold the whole picture in their head and show up in the right places.

However, the model starts bending when an organization runs 30 production AI systems. It breaks when the number reaches 50, or 100, or when the systems themselves stop waiting for human review cycles before making consequential decisions. A governance practitioner embedded in sprint reviews cannot be in 20 sprint reviews simultaneously. Persuasion that works one-on-one across a single product team doesn't transmit through an autonomous agent processing thousands of decisions while the building is empty.

The Scale Problem in Numbers

HiddenLayer's 2026 AI Threat Landscape Report, based on a survey of 250 IT and security leaders, found that one in eight reported AI security breaches is now linked to agentic systems. These are systems operating at machine speed, between human review cycles, across data the deployer is responsible for governing. The proximity model Wallace describes assumes a human can be present at the critical moment. Agentic systems remove that assumption entirely.

A separate finding from the same report: 31% of organizations didn't know whether they had experienced an AI breach in the preceding 12 months. That's the organizational visibility problem that people-based governance doesn't solve, because it's an infrastructure problem — you need systems that generate evidence automatically, independent of whether the right person happened to be watching.

This isn't a criticism of Wallace's approach. We're just describing what happens when the approach succeeds and the organization grows through it. Adobe has scaled. The team Wallace built presumably has more than one practitioner in it now. The question for governance programs at that stage — and for the organizations using AI at the scale that most enterprises are now deploying it — is what the people layer is operating through. Proximity is the relationship. Accountability infrastructure is the system that makes proximity scalable when the person isn't in the room.

The distinction matters most when something goes wrong. Wallace describes what functional governance looks like in motion. The harder question is what happens when a system that everyone trusted produces an adverse outcome at 2 a.m. and the governance practitioner isn't available. Who owns that system? What were they responsible for reviewing? What evidence exists that governance ran when it was supposed to? Those questions need answers that live in a system, not in a relationship — because the relationship isn't there at 2 a.m.

Workday learned this in litigation. The monitoring existed. The logs existed. A bias audit had been conducted. What was missing when the accountability question arrived through a lawsuit covering 1.1 billion screening decisions was the infrastructure layer: named owners, documented response obligations, an audit methodology that could answer questions about specific decisions on specific dates. The people doing the work cared. The program had governance practitioners. The accountability layer that would have made their work legible under legal scrutiny didn't exist. That's what Wallace's model doesn't fully address.