Enterprise AI governance is an attribution problem. Every cost surprise, data exposure, and compliance gap traces to the same root: nobody can say who used which model, when, with what data, at what cost.
The layers between an employee and a frontier model exist to answer that question. Most enterprises are missing most of them.
What the failure looks like
A team gets an API key to a frontier model. Other teams ask to share it. Fourteen teams are now billing through one key. The invoice arrives and nobody can allocate cost to a project, a department, or a person. The key works. The governance doesn't exist.
The worse version. An HR team builds a resume screener that sends candidate data to a model endpoint. Names, addresses, disability disclosures. The provider's standard API terms include a 30-day data retention window for abuse monitoring and safety review. (OpenAI's standard API data usage policy, for example, specifies this retention period; enterprise agreements with Zero Data Retention terms must be negotiated separately.) Nobody in HR read the terms. Nobody in security was consulted.
These have real precedent. In 2023, Samsung engineers pasted proprietary source code into ChatGPT three separate times in twenty days. No gateway caught it. The company found out through internal reporting and banned the tool entirely. In 2025, an xAI employee leaked an API key on GitHub that unlocked access to over 60 private models. The key stayed valid for two months after being flagged. A few months later, a DOGE staffer with access to federal databases leaked another xAI key the same way. The repo was deleted. The key was not revoked.
(Both xAI incidents are sourced from Brian Krebs, whose reporting involves direct verification of exposed credentials with the affected parties and independent confirmation from GitGuardian. These are not estimates.)
In each case, the same question went unanswered: who accessed what, when, and what did they send?
Six layers, one question
Between an employee and a model sit six governance layers. Each one answers a piece of the attribution problem.
Discovery asks the most basic question: what AI is even being used here? A 2025 survey from Larridin (a governance vendor, so calibrate accordingly) found only 38% of organizations maintain a comprehensive AI inventory. Nearly half of AI adoption happens outside procurement. You cannot govern what you have not found.
Gateway proxies AI traffic through a single enforcement point for policy, logging, and routing. Without one, every API call is a direct, unmonitored connection to the provider. The question it answers: what's passing between our people and the model?
Identity is where attribution either gets solved or gets papered over. Which specific person, in which role, with which authorization, made this request. API keys and service accounts can't answer that. Per-user identity threading through AI calls isn't tracked as a discrete governance metric in the major surveys covering this space. Neither the IBM breach study nor the FinOps Foundation's annual survey measures it. That absence tells you something about how few organizations have implemented it.
Cost governance handles token-level allocation and chargeback. What did this cost, and who pays? The FinOps Foundation (an industry body, not a vendor) reports 63% of respondents now actively manage AI spending, up from 31% the prior year. That kind of jump usually means a lot of people got a bill they couldn't explain.
Data governance covers DLP for prompts, retention enforcement, classification of outbound content. An analysis of GenAI prompt and file uploads across more than 300 AI-powered applications found 22% of uploaded files contained sensitive information: source code, credentials, customer records. (The underlying research is cited by Help Net Security but the originating firm and full methodology are not disclosed in the published report. Treat the figure as directionally illustrative.)
Observability closes the loop: logging, evaluation, anomaly detection. What actually happened, end to end? A 2025 survey from Cleanlab (an AI quality vendor, N=95) found fewer than one in three production teams are satisfied with their current observability tooling.
Remove any single layer and you get a gap. The gap shows up as an incident.
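As an added illustration (not part of the original article), the sketch below runs the attribution question over a gateway log: requests that carry per-user identity can be charged back and traced, while requests made under a shared key can only be priced. The record fields, key names, model names and prices are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed price table (USD per 1,000 tokens); not real provider pricing.
PRICE_PER_1K = {"model-a": Decimal("0.010"), "model-b": Decimal("0.002")}

# The provider's usage data already gives model, tokens and time.
# These fields are what the gateway and identity layers have to add.
ATTRIBUTION_FIELDS = ("user", "team", "data_class")

# Constructed gateway log: three requests with per-user identity, one under a shared key.
SAMPLE_LOG = [
    {"key_id": "gw-user", "user": "alice", "team": "hr", "data_class": "pii",
     "model": "model-a", "tokens": 4000, "ts": "2025-03-01T09:00:00Z"},
    {"key_id": "gw-user", "user": "bob", "team": "eng", "data_class": "internal",
     "model": "model-b", "tokens": 10000, "ts": "2025-03-01T09:05:00Z"},
    {"key_id": "gw-user", "user": "carol", "team": "hr", "data_class": "public",
     "model": "model-b", "tokens": 5000, "ts": "2025-03-01T09:07:00Z"},
    {"key_id": "shared-key-1", "user": None, "team": None, "data_class": None,
     "model": "model-a", "tokens": 25000, "ts": "2025-03-01T09:10:00Z"},
]

def cost(rec):
    """Token cost of one request in USD."""
    return PRICE_PER_1K[rec["model"]] * rec["tokens"] / 1000

def attribute(log):
    """Return (spend per team, requests that cannot be charged to anyone)."""
    by_team, orphaned = defaultdict(Decimal), []
    for rec in log:
        missing = [f for f in ATTRIBUTION_FIELDS if not rec.get(f)]
        if missing:
            orphaned.append({"key_id": rec["key_id"], "missing": missing, "cost": cost(rec)})
        else:
            by_team[rec["team"]] += cost(rec)
    return dict(by_team), orphaned

def sensitive_senders(log, classes=("pii", "source_code", "credentials")):
    """Who sent sensitive data, to which model, and when."""
    return [(r["user"], r["model"], r["ts"]) for r in log if r.get("data_class") in classes]

if __name__ == "__main__":
    teams, orphaned = attribute(SAMPLE_LOG)
    print("chargeback:", teams)
    print("unattributable:", orphaned)
    print("sensitive:", sensitive_senders(SAMPLE_LOG))
```

In this sample the shared-key request is the largest single cost and the only one with no owner and no data classification.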
Why the layers arrive late
The pattern is structural. Organizations adopt governance reactively. Samsung banned ChatGPT after three leaks, not before the first. Amazon, Walmart, Verizon, and JPMorgan Chase issued restrictions in the same window, responding to the same fear.
The 2025 IBM Cost of a Data Breach Report puts numbers on the gap: 13% of the 600 organizations studied had experienced breaches involving AI models or applications. Of those breached organizations, 97% lacked proper AI access controls. One in five reported a breach from shadow AI. Only 37% had policies to detect it. (IBM's study, conducted by Ponemon Institute, covers 600 organizations globally. It's the most cited breach cost study in the field, which means it gets both the most scrutiny and the most misapplication. The AI-specific findings are new to this year's edition.)
Each governance layer gets funded by the incident that proved its absence. Discovery after shadow AI proliferates. A gateway after data leaks. Cost governance after the invoice nobody can explain. The sequence is predictable. The timing is always too late.
In identity federation, the trust relationship between your organization and a relying party is scoped, time-bounded, and revocable. The closest AI equivalent is the enterprise-to-model-provider relationship. It diverges here: the provider retains your prompts by default and may inspect them for abuse monitoring. A Zero Data Retention agreement changes the contract, but data that has influenced model weights cannot be "unlearned" the way a cached assertion can be purged. Your federation instinct says the relying party is stateless. The model provider remembers.
In OAuth 2.0, scopes enforce least privilege — email.read means read, not write. The closest AI equivalent is scoping an agent's API token. It diverges here: an agent with email.read and calendar.write can read all emails, extract context, and create calendar events based on that context. The combination creates an effective capability no individual scope anticipated. OAuth scopes govern what the agent can reach. What the agent decides to do with what it finds — combining email content with calendar write access to take actions nobody requested — lives outside the scope model entirely.
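An added example, not from the original article: one way to review an agent's token grant for the scope combinations described above, where each scope passes a least-privilege check alone but the set does not. `email.read` and `calendar.write` are the article's scopes; the other scope names, the capability tags and the combination rules are hypothetical.

```python
# Constructed capability tags per scope (assumption: maintained by the reviewer).
SCOPE_TAGS = {
    "email.read": {"reads_private_content"},
    "files.read": {"reads_private_content"},
    "calendar.write": {"acts_for_user"},
    "email.send": {"acts_for_user", "sends_outside_org"},
}

# Tag combinations whose joint effect no single scope describes.
RISKY_COMBOS = [
    ({"reads_private_content", "acts_for_user"},
     "private content can drive actions nobody requested"),
    ({"reads_private_content", "sends_outside_org"},
     "private content can leave the organization"),
]

def review_grant(agent, scopes):
    """Flag effective capabilities created by a set of individually valid scopes."""
    # Scopes with no tags are reported rather than silently treated as harmless.
    unknown = sorted(s for s in scopes if s not in SCOPE_TAGS)
    tags = set().union(*(SCOPE_TAGS.get(s, set()) for s in scopes))
    findings = []
    for needed, reason in RISKY_COMBOS:
        if needed <= tags:
            involved = sorted(s for s in scopes if SCOPE_TAGS.get(s, set()) & needed)
            findings.append({"agent": agent, "scopes": involved, "reason": reason})
    return {"unknown_scopes": unknown, "findings": findings}

if __name__ == "__main__":
    # Constructed grants for three hypothetical agents.
    for agent, scopes in [
        ("inbox-summarizer", ["email.read"]),
        ("scheduler", ["email.read", "calendar.write"]),
        ("assistant", ["files.read", "email.send", "crm.export"]),
    ]:
        print(agent, review_grant(agent, scopes))
```

A check like this covers what the token can reach in combination; it does not observe what the agent actually does with that reach, which is the part the article places outside the scope model.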
What comes next
The pieces that follow take each layer in turn: discovery, gateway architecture, identity attribution, cost governance, data governance, and observability. Each connects the layer back to the attribution question and marks where your existing knowledge carries you and where it stops.
The goal is to make sure that when a buyer describes a governance gap, you recognize which layer is missing and why that specific absence hurts.
Things to follow up on...
- Shadow AI breach premium: IBM's 2025 Cost of a Data Breach Report found that organizations with high levels of shadow AI paid $670,000 more per breach on average than those without it, making shadow AI one of the top three costliest breach factors this year.
- FinOps Foundation's AI certification: The Foundation launched FinOps for AI as a dedicated education and certification track, responding to the jump from 31% to 63% of practitioners now managing AI spend and the volatility of token-based cost models.
- OpenTelemetry GenAI conventions: The OTel GenAI Special Interest Group has been developing semantic conventions for LLM observability since April 2024, with Datadog and Grafana already shipping native support, though the spec remains in experimental status as of early 2026.
- Agentic governance maturity gap: Deloitte's 2026 State of AI in the Enterprise survey of 3,235 organizations found that only one in five companies has a mature governance model for autonomous AI agents, even as agentic usage is projected to rise sharply in the next two years.

