1. Introduction
In many companies, generative AI tools are already in use before even passing through IT's scrutiny. This reality reflects the speed with which GenAI has gained traction, driven by the legitimate pursuit of productivity, but often without the necessary support to ensure security, efficiency, and strategic alignment.
A study by RSM shows that 91% of mid-sized companies already use generative AI at some level of their operations. Still, 41% report difficulties with data quality, and 39% point to a lack of internal capabilities to effectively exploit these solutions.
These numbers don't point to a problem with the technology itself, but rather with the way it's implemented. When there are no clear usage criteria, defined responsibilities, or visibility into processes, generative AI can end up delivering less than promised, even with significant investment.
IT governance, in this context, takes center stage. Not as a barrier to innovation, but as a framework to consistently adopt, scale, and control these tools.
In this article, we will explore how this governance can be built, what practices support its application, and how Skyone contributes to a more prepared and secure environment for GenAI.
Enjoy the read!
2. Why IT governance needs to be at the heart of AI adoption
It's not uncommon for a new generative AI tool to enter a company's routine sideways, whether through a curious marketing What starts small, however, quickly becomes fundamental. And when IT is called upon, the solution is often already in production, integrated (or not), and with data circulating.
This new organizational behavior—decentralized, experimental, and accelerated—demands a different response. IT governance becomes less about control and more about orchestration: ensuring that GenAI adoption is connected to systems architecture, security policies, compliance standards, and the company's real objectives.
A survey by AuditBoard helps to gauge this urgency: over 90% of companies already use GenAI, but only 25% have a formal AI governance program. Most are improvising, and then it's not the AI that fails, it's the environment that doesn't support it.
With governance, IT moves from a reactive stance to clearly leading the transformation. It can create criteria, avoid redundancies, anticipate risks, and ensure that AI serves the business—and not the other way around.
This starting point leads us to the next topic: what needs to be defined before putting GenAI into production? Because when the foundation is well-designed, AI's impact ceases to be ad hoc and becomes strategic.
3. What needs to be defined before AI enters the production environment
generative AI tool in everyday life isn't limited to technical approval: it involves responsibility. Governance is what transforms this responsibility into clarity about who uses it, for what purpose, under what conditions, and based on what data.
More than imposing rules, governance creates the conditions for AI to generate real value. Without it, use may occur, but it tends to be isolated, inconsistent, and difficult to sustain over time.
Below, we list the key elements that need to be defined for GenAI's entry into the production environment to be safe, strategic, and scalable:
- Applicable, not just formal, guidelines: Governance begins with practical criteria, not generic manuals. Establishing when AI can be used, with what restrictions, and by which profiles helps avoid misunderstandings and brings autonomy and accountability to teams;
- Contextualized, not theoretical, risks: Assessing risks doesn't mean blocking innovation, but rather anticipating where it might encounter limitations and addressing them proactively. Sensitive data, critical integrations, and vendor dependency are points that require attention from the outset;
- Visibility as an ally of evolution: having usage records, logs, and alerts helps you understand how AI is being used in practice and allows you to adjust routes based on facts, not assumptions;
- People prepared to handle interpretive technology: GenAI depends on the user's intention. Therefore, training isn't a detail. When people understand what they're doing and what the tool can and can't deliver, use becomes more efficient, ethical, and reliable;
- Metrics connected to business reality: governance isn't about controlling for the sake of controlling. It's about knowing whether technology is truly contributing. Therefore, defining clear indicators from the outset allows you to assess real impact and adjust without wasting time or resources.
With these points clear, IT can ensure that GenAI is implemented solidly, without improvisation, and with room to scale. And it's from this foundation that the benefits begin to appear, as we'll see in the next section.
4. What does IT gain from a clear GenAI strategy?
When GenAI enters without planning, IT becomes a bystander. When it enters with strategy, IT assumes the role of transformation architect. And this difference changes everything: impact, scale, and the perception of technology as an asset, not a risk.
With governance, GenAI ceases to be an isolated experiment and becomes part of the company's fabric. This allows productivity to occur safely, data use to respect integrity standards, and automated workflows to be traceable, auditable, and replicable with quality.
IT also begins to operate with greater cost intelligence. Instead of multiple fragmented tools, disconnected initiatives, and constant rework, there is rationalization. Common use cases are identified, solutions are standardized, integrations are reused, and the adoption cycle becomes more consistent.
But perhaps the biggest gain lies in decision-making. With well-managed data, models operating within defined limits, and reliable results, GenAI ceases to be a gamble and becomes a true support for business choices. IT stops putting out fires and starts anticipating scenarios. In practical terms, the most obvious benefits of this strategy include:
- Productivity with security: the automation of operational tasks is consolidated, but without making exceptions to security protocols. This avoids rework, reduces response time, and enables more sustainable progress;
- Data handled responsibly: IT now controls how data is entered, processed, and used by AI tools, ensuring compliance, privacy, and greater confidence in the results generated;
- Structural cost reduction: by standardizing tools and avoiding duplication, the organization reduces expenses on licenses, technical support and time wasted on improvised integrations;
- Faster, more informed decisions: With outputs, GenAI enhances the quality of analyses and reduces reliance on subjective judgments, accelerating action with lower risk;
- Visibility and control over the entire AI cycle: from data entry to generated results, IT can monitor, correct, and evolve the use of technology based on evidence, not trial and error.
With a clear strategy, IT moves from being a support line to becoming the center of transformation with GenAI. But leadership isn't based on improvisation. To transform guidelines into practice and a reliable routine, structure is essential.
That's where governance frameworks come in: not as rigid models, but as tools that help transform technical decisions into organizational alignment. Let's see how to apply this in practice.
5. Frameworks that help structure this governance
Adopting generative AI requires more than good intentions: it requires structure. And IT governance can rely on widely recognized frameworks to accelerate this solid foundation.
Models such as ITIL (Information Technology Infrastructure Library) and COBIT (Control Objectives for Information and Related Technologies) remain important references:
- ITIL, for organizing IT services with a focus on continuous value and operational visibility;
- COBIT, on the other hand, offers a bridge between technology and strategy, connecting technical decisions to business direction.
However, when it comes to GenAI, one of the most relevant guidelines is ISO/IEC 38500, precisely because of its ability to align ethics, responsibility, and leadership with the use of technology.
ISO/IEC 38500 is the international standard that defines principles for corporate governance of information technology. Unlike other frameworks, it doesn't detail processes, but rather guides leadership (boards of directors, boards, committees) on how IT should be governed to fulfill its ethical, strategic, and social role within the organization.
In the case of generative AI, this takes on a new layer of relevance. After all, we're talking about tools that produce content, interact with audiences, make automated decisions, and learn from business data. This requires clear policies on what can and cannot be done, who is responsible for each use, and how to ensure transparency and traceability.
ISO/IEC 38500 helps companies define these guidelines institutionally. It reinforces principles such as responsibility, transparency, strategic alignment, compliance, and ethical behavior. By following this framework, the organization demonstrates maturity—not only technical but also organizational—in adopting GenAI, with governance that goes beyond IT and permeates the entire leadership.
But, as we know, not every company starts there. And when GenAI enters without this minimum structure, what seemed like progress can become rework or risk. This is what we explore in the next section: the main points of attention and how to avoid them before they become problems. Stay tuned!
6. Common challenges and how to overcome them
Not every failure stems from poor technology. Many stem from poorly implemented good intentions. And in the case of generative AI, this gap between expectations and reality can be costly.
An MIT survey, published by Fortune, indicates that 95% of executives who have adopted GenAI in their companies have already faced some technology-related incident. Even more alarming: only 2% of organizations meet the minimum standards for responsible use.
Common challenges include:
- Tools contracted by different areas, without coordination with IT;
- Sensitive data used without criteria, with risk of leaks or violations;
- Content generated without traceability, making audits and corrections difficult;
- Automated processes that get out of control, compromising consistency.
The problem rarely appears all at once. It builds up until it becomes too big to ignore. When IT tries to intervene, it finds a fragmented environment, resistance to standardization, disorganized data, and high costs to "put things in order."
To avoid this scenario, governance needs to be present from the start. Not to curb the use of AI, but to ensure it is used intelligently. This means:
- Include IT in early decisions about GenAI;
- Prioritize use cases with potential for scale and low risk;
- Establish minimum standards of security, integration and traceability;
- Empower users based on the business context;
- Monitor usage with indicators that make sense for the company's strategy.
Without these premises, GenAI's potential is lost in disconnected attempts. With them, each step taken becomes value creation rather than a course correction.
Now that we've covered what can "go wrong," let's look at what can go right. Let's see how Skyone works to make generative AI governance viable, simple, and scalable within the realm of enterprises.
7. How Skyone Enables Generative AI Governance
Skyone operates where theory meets practice. We know that most companies don't start from scratch. They already have legacy systems, scattered data, teams with varying levels of maturity, and pressure to innovate quickly. Therefore, our proposal is not to reinvent the wheel, but to help make generative AI work with what the company already has, in a coordinated, traceable, and scalable way.
We work to ensure that IT can:
- Have real visibility into where and how AI is being used;
- Establish policies that make sense for the business, not just for compliance;
- Integrate GenAI into existing systems, with control and security;
- Connect data and automation with end-to-end traceability;
- Support business areas without sacrificing technical consistency.
We do this through a platform that combines infrastructure, security, governance, and cloud, with an approach that respects the realities and urgency of each organization. In practice, this means removing the burden of IT as the "innovation police" and placing it as a strategic partner in transformation.
If you want to understand how to apply this vision to your company, speak with one of our experts! At Skyone, we're ready to help your company move beyond improvisation and deliver true value.
8. Conclusion: AI with value requires governance with direction
Governance isn't synonymous with excessive control. It's what gives technology direction when it gains autonomy. In the case of GenAI, where decisions are automated, content is generated en masse, and sensitive data flows without permission, this direction is what separates advancement from exposure.
What we want to make clear in this article is that IT can no longer operate on the sidelines of AI decisions. It needs to be at the core. Not to centralize, but to articulate. Only then can the organization create consistent criteria, operate with traceability, integrate solutions securely, and prevent innovation from becoming a sequence of improvised and unsustainable solutions.
But there's a second, equally critical point: governance can't be sustained without a prepared infrastructure. And that's where the cloud comes in, not as a destination, but as a foundation. It's in the cloud that data is organized, integrations are enabled, and control becomes possible without hindering the business.
If your IT team wants to lead GenAI adoption with impact and legitimacy, the next step is to ensure the foundation is ready. To do this, we recommend reading the article "Digital Transformation: From the Cloud to Artificial Intelligence." It shows how the cloud becomes a direct ally of governance and how to prepare your company so that AI becomes more than a fad, but a real evolution.
FAQ: Frequently Asked Questions about IT Governance and Generative AI
Governing generative AI goes beyond understanding the technology. It's about structuring the environment so it operates with purpose, security, and real impact. And along the way, some questions always arise.
In this section, we answer the most frequently asked questions about the role of IT, cloud, and governance in the responsible and strategic adoption of GenAI.
1) How should IT prepare to receive generative AI tools?
IT needs to anticipate AI use, rather than react to it. This starts with clear roles, defining practical (not just formal) policies, and providing visibility into the flows involving data and automation. It's also important to create adoption criteria, establish minimum security controls, and empower users based on real business risks and objectives. Preparation isn't about blocking use, but about making it safe and viable at scale.
2) What is the role of the cloud in the governance of generative AI?
The cloud is the foundation that makes governance possible without hindering innovation. It's where companies can securely connect data, automate with traceability, and apply controls that actually work in the production environment. With the cloud, IT can integrate GenAI into the existing ecosystem, monitor usage with consistent metrics, and adapt scale based on business maturity.
3) Does IT need to be involved in choosing GenAI tools?
Yes, it does. Not to impose barriers, but to ensure that the choice is aligned with the company's architecture, security standards, and real needs. When decisions are made in isolation, the organization risks creating a fragmented, expensive, and difficult-to-control environment. With IT as the driving force, it's possible to transform isolated initiatives into integrated, secure, and scalable solutions.
Author
With over 20 years of IT experience, working across various segments and mission-critical clients, Sidney Rocha helps companies navigate the cloud universe safely and efficiently. On Skyone's blog, he covers topics ranging from cloud architecture to strategies for performance optimization and cost reduction, ensuring that digital transformation happens in the best possible way.