
Everyone has an AI policy. Nobody has AI discipline.

  • Jun 1

Your company has an AI policy. It went through legal, got presented at an all-hands, and it's sitting on the intranet right now saying all the right things about responsible use, data protection, and human oversight.


Meanwhile, someone on the marketing team activated a predictive scoring feature during last quarter's platform upgrade because it looked useful. It's been running ever since - deciding which leads get prioritized and which get buried - and nobody logged it, nobody checked what data it's feeding on, and nobody was asked to own it. The policy on the intranet has no idea it exists.


That gap - between the policy and what's actually happening - is the difference between having AI governance and having AI discipline. One is a document. The other is a daily practice. Almost every company has the document. Almost none have the practice.


The policy-to-practice gap


There's a reason AI policies don't translate into AI governance, and it's not laziness or incompetence. It's structural.


AI policies are written by legal, compliance, or senior leadership teams. They're written at the principle level - "use AI responsibly," "ensure transparency," "maintain human oversight." These principles are correct and necessary. They're also too abstract to guide the person in marketing ops who just got asked to activate an AI feature in the marketing automation platform (MAP).


What does "ensure transparency" mean when you're configuring a predictive scoring model? Document it? Tell someone? Write it down somewhere? Where? In what format? Who needs to know? The policy doesn't say, because the policy was written for the board deck, not for the platform administrator.


The result is a two-tier system. At the top, the policy describes how AI should be governed. At the operational level, AI gets deployed however the team sees fit - because nobody translated the principles into procedures that apply to the actual work. The policy says "human oversight." In practice, nobody is overseeing anything because nobody was told that oversight was their job.



Five things organizations get wrong


These patterns show up repeatedly. They're not edge cases - they're the norm.


Writing the policy and calling it done. The most common failure. The policy gets published and the organization treats governance as complete. Nobody builds the operational layer underneath - the inventory, the ownership assignments, the monitoring, the review cadence. The policy becomes a compliance artifact rather than an operational tool. When something goes wrong, the organization can point to the policy and say "we had governance." But the policy didn't prevent anything because it was never connected to the systems it was supposed to govern.


Governing the AI they chose but not the AI that arrived. Most governance frameworks cover deliberate AI deployments - the chatbot the team decided to build, the model the data science team trained. They don't cover the AI that showed up without anyone asking for it: the predictive features that came with a platform upgrade, the AI-assisted tools that a vendor enabled during onboarding, the smart capabilities that an individual team member activated because they saw them in a release note. In most enterprise marketing automation environments, more AI features are running by accident than by design. Governance that only covers intentional deployments misses most of the AI that's actually operating.


Assigning governance to a committee instead of an owner. Committees review, discuss, and advise. They don't operate. When AI governance is owned by a committee that meets monthly, the AI features running inside the MAP get reviewed 12 times a year at most - and only if someone remembers to add them to the agenda. Operational governance needs named individuals with specific accountability: this person owns this AI feature, this person reviews its output, this person gets notified when something changes. A committee can oversee the programme. It can't run it.


Monitoring inputs but not outputs. Many organizations focus their governance on what goes into AI - data quality, training data provenance, consent records. That's important. But it's only half the picture. The outputs matter just as much: what decisions is the AI making? Are the leads it scores converting? Are the contacts it suppresses the right ones? Is the content it recommends relevant? Output monitoring is where you catch drift, degradation, and failure. Without it, you're trusting the AI because you trust the inputs - and as we've covered elsewhere, those inputs may not be as reliable as you think.


Treating governance as a one-time exercise. AI doesn't stay static. Models drift as data changes. Platform features get updated. Business conditions evolve. A governance framework built for the AI environment that existed six months ago may not cover the AI environment that exists today. Governance needs a review cadence - quarterly at minimum - that checks whether the inventory is current, the owners are still in role, the monitoring is still catching what it should, and the AI features are still producing the outcomes they were activated for.


What discipline looks like in practice


AI discipline isn't a framework or a programme. It's a set of habits built into how the team operates.


When someone activates an AI feature, it gets logged - what it does, what data it uses, who turned it on, who owns it. That takes five minutes and it's the difference between a governed environment and a mystery.


When the platform ships an update that includes new AI capabilities, someone reviews what changed and documents whether any new features were activated. That's a quarterly task, timed to release cycles.


When AI-scored leads are handed to sales, someone checks monthly whether the scores correlate with actual conversion. If they don't, the model gets reviewed. That's not a project - it's a standing agenda item.


When consent data changes - new regulations, updated processing purposes, revised preference categories - someone checks whether the AI features that consume consent data are still operating within the updated boundaries. That's an annual task at minimum.


None of this requires new technology. None of it requires a dedicated governance team. It requires the same operational discipline that the best marketing ops teams already apply to their platforms - extended to cover the AI features running inside them.


The discipline gap is the real governance gap


The industry has reached a point where most organizations have policies and most organizations have AI running in production. The gap between those two facts is discipline - the operational habits that connect what the policy says to what the AI actually does.


Closing that gap isn't expensive, complicated, or time-consuming. It's the kind of work that gets skipped because it's not urgent, not visible, and not rewarded - until something goes wrong and everyone wishes it had been done.


The organizations that build AI discipline now will operate with a level of confidence and control that their competitors - the ones relying on policy documents and hope - simply won't have. And when the regulatory questions arrive, and the compliance audits happen, and the customer incidents occur, the disciplined organizations won't need to scramble. They'll already have the answers.


The policy is the starting line. Discipline is the race. Most organizations are still standing at the start.




Sojourn Solutions is a growth-minded marketing operations consultancy that helps ambitious marketing organizations solve problems while delivering real business results.


© 2026 Sojourn Solutions, LLC.
