70% of marketers have had an AI incident. 35% plan to do anything about it.

Every organization with an AI policy thinks they have AI governance. They have the document. It's been signed off by legal, reviewed by the board, published on the intranet. It covers principles - fairness, transparency, accountability, responsible use. It reads well. It says the right things.

And then the AI does something wrong. A chatbot makes a promise the company can't keep. An automated workflow suppresses a segment that should have been contacted. A scoring model routes the wrong leads to sales for three months before anyone notices. An AI feature activated during a platform upgrade starts making decisions nobody approved.

That's when organizations discover whether they have governance or just a document. In most cases, it's the document. Because the document describes what AI should do. Governance is what happens when AI doesn't do it - and most organizations have no process for detecting, escalating, or fixing AI failures in their marketing operations.

The failures are already happening

This isn't theoretical. Real organizations have already learned what ungoverned AI costs.

Air Canada's customer service chatbot told a passenger he was eligible for a bereavement discount that didn't exist. The passenger booked the fare based on the chatbot's advice. When Air Canada refused to honour the discount, the case went to tribunal. Air Canada's defence was that the chatbot was "a separate legal entity responsible for its own actions." The tribunal rejected that argument and ruled that Air Canada is responsible for everything its AI tells customers. The precedent is clear: your AI's mistakes are your mistakes.

DPD, the delivery company, had to shut down its AI chatbot after a system update caused it to swear at customers, write poems mocking the company, and describe itself as "the worst delivery firm in the world." A customer's screenshot of the conversation went viral - 800,000 views in 24 hours. The chatbot couldn't even perform its basic function of tracking a parcel, but it was very good at damaging the brand.

And Salesforce's Agentforce had serious security disclosures in 2025, with hackers claiming over one billion Salesforce records were stolen across coordinated attacks. Major brands including Google, Adidas, Workday, and Coca-Cola were affected.

These are the visible failures - the ones that made headlines. The invisible ones are happening inside marketing automation platforms every day. Scoring models drifting without anyone checking. Consent records being acted on by AI features that were never audited. Suppression rules being applied by agents that nobody monitors. The damage from these failures doesn't make the news. It shows up as declining performance, compliance exposure, and pipeline problems that nobody can diagnose.

Why policies fail when AI fails

The gap between AI policy and AI governance is the gap between intention and operations.

A policy says "AI should be used responsibly." Governance says "when the scoring model produces leads that sales rejects at a rate above 40%, this person gets notified, this process kicks in, and this review happens within 48 hours."

A policy says "AI outputs should be accurate." Governance says "every AI-generated customer communication is logged, a random sample of 5% is reviewed weekly, and any inaccuracy triggers a root cause analysis."

A policy says "AI should be transparent." Governance says "every AI feature active in our MAP is listed in a register with a named owner, a documented purpose, and a review date."

Most organizations have the first version. Almost none have the second. The policy tells people what to believe. Governance tells the organisation what to do. When the AI fails, belief doesn't help. Process does.

What operational AI governance actually looks like

Governance that works in practice - not just in a document - has four components.

An AI inventory. You can't govern what you can't see. Every AI feature, automation, and agent running inside your marketing stack needs to be catalogued: what it does, what data it uses, who activated it, and who's responsible for it. Most organisations can't produce this list because nobody's tried. AI features get activated during platform upgrades, by individual team members experimenting, or by vendors enabling capabilities during onboarding. Without an inventory, governance has no foundation.

Named ownership. Every AI feature needs a person - not a committee - who can answer two questions: "what is this doing?" and "is it still doing what we intended?" When a scoring model drifts, someone needs to notice. When a consent record gets acted on incorrectly, someone needs to be accountable. When an agent makes a decision that doesn't make sense, someone needs to investigate. Ownership without a name is no ownership at all.

Monitoring and alerting. AI doesn't fail loudly. It fails by making confident decisions that are subtly wrong. A scoring model that's drifting won't throw an error - it'll just route progressively worse leads to sales over weeks. A consent management issue won't crash the system - it'll just process contacts in ways that aren't compliant. Governance needs monitoring that catches these slow failures: conversion rate tracking on AI-scored leads, regular consent audits, output sampling on AI-generated content, and engagement pattern analysis on AI-driven campaigns.

An incident response process. When the monitoring catches something - or when a customer complains, sales raises an alarm, or a regulator asks questions - what happens next? Who gets notified? What's the escalation path? How quickly does the AI feature get paused or reviewed? Most organisations have incident response for security breaches. Almost none have it for AI failures, even though the regulatory and reputational risk is increasingly comparable.

The 76% problem

According to the Association of National Advertisers, 76.6% of marketers now have AI policies in place - up from 55.3% a year earlier. Investment is surging. Nearly 89% plan to increase AI spending.

But over 70% of marketers have encountered an AI-related incident - hallucinations, bias, or off-brand content - according to the IAB. And less than 35% plan to increase investment in AI governance.

The numbers tell a clear story: organisations are writing policies, spending money, encountering problems, and not investing in the governance that would prevent those problems from recurring. The policy creates the illusion of control. The incidents prove the illusion is exactly that.

Governance isn't overhead. It's operational infrastructure.

The resistance to building operational AI governance usually comes from the same place: it feels like bureaucracy. Another process, another checklist, another layer between the team and the work.

But governance isn't about slowing things down. It's about knowing what's running, who owns it, whether it's working, and what to do when it isn't. That's not bureaucracy. That's basic operational hygiene - the same standard every organisation applies to its financial systems, its security infrastructure, and its legal compliance.

AI in marketing operations is making decisions that affect real people, real data, and real revenue. The organisations that govern it properly will move faster than the ones that don't - because they'll catch problems early, fix them quickly, and maintain the trust of their customers, their regulators, and their own leadership.

The ones that don't will keep writing policy documents and hoping for the best. Until the next incident proves that hope isn't a governance strategy.