AI vendors are trying to bridge the governance gap: For adopters, this is a risk

2026-05-13 · Source: Thoughtworks Insights · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Emerging Technologies & Innovation · Depth: Advanced, medium

Summary

AI vendors are increasingly positioning themselves as both deployers and primary governance sources for enterprise AI, creating a structural tension and dependency. Recent announcements from Anthropic and OpenAI, including their new enterprise ventures backed by firms like Goldman Sachs, Blackstone, and Hellman & Friedman, highlight this trend, with OpenAI's Deployment Company valued at \$10 billion. UiPath's CMO Michael Atalla noted 70 to 80 percent of agentic AI pilots fail to reach production due to integration and orchestration gaps, not model failure. This vendor-centric approach extends to governance infrastructure, as seen with Anthropic shipping managed agents and Google pursuing similar market strategies. The independence of the governance layer is compromised, exemplified by a remote code execution vulnerability in Anthropic's MCP protocol and a breach at AI evaluation platform Braintrust, exposing customer API keys.

Key takeaway

For AI Architects or Directors of AI/ML evaluating new enterprise AI deployments, recognize that vendor-provided governance solutions inherently create structural dependencies and may not align with your specific risk profile or regulatory obligations. You must prioritize developing genuine architectural judgment and internal capabilities to independently evaluate, select, and govern AI systems. This proactive approach is crucial to mitigate risks associated with vendor lock-in and ensure robust, accountable AI adoption within your organization.

Key insights

AI governance independence is structurally constrained when vendors provide both capability and governance.

Principles

• Vendors cannot credibly provide governance frameworks recommending against their own products.
• Operational control and organizational learning for AI are not rentable from vendors.
• Governance frameworks must reflect specific enterprise risk profiles and regulatory obligations.

In practice

• Develop internal architectural judgment for AI evaluation.
• Build organizational structures for independent AI governance.
• Evaluate AI capabilities independently of vendor offerings.

Topics

• AI Governance
• Enterprise AI
• Vendor Dependency
• AI Risk Management
• AI Security
• Agentic AI
• Architectural Judgment

Best for: CTO, VP of Engineering/Data, Executive, Director of AI/ML, AI Architect, Consultant

Related on AIssential

• CHAI’s framework divides governance into eight practical areas: AI policy, organizational structures, organizational resources, responsible lifecycle management, risk and impact assessments,... — AI governance must be an operational system embedded in workflows, not just abstract policies.
• GPT-5.4: The real issue is whether this level of AI penetration and permeation into a legislature creates the preconditions for a softer form of capture in which policy formation, ... — AI integration into government workflows risks a "soft coup" by shifting agenda-setting power to private platform firms.
• Anthropic Doubles Down On Agentic For The Enterprise — Enterprise agentic AI success depends on governance, integration, and trust, not just speed or task completion.
• AI Governance Challenges: How to Scale Responsibly - Cohere — Scaling AI adoption requires adaptive governance with continuous visibility, clear ownership, and risk-aligned controls.
• ​Building trustworthy AI: A practical framework for adaptive governance — Modern AI agent governance requires adaptive, risk-based models enforced by platforms, not outdated manual processes.
• I Grew Up Under a Dictatorship. Now I Build AI. The Patterns Are the Same. — The AI industry's structural evolution mirrors dictatorial power consolidation by eliminating alternatives and insulating beneficiaries from consequences.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Thoughtworks Insights.