Practical governance of next-gen AI

Cooking with a blowtorch and no smoke alarm is exciting, until it isn’t. That’s what using powerful AI without sufficient controls is like. Practical governance of next-gen AI is not red tape. It is how you keep up the heat without burning down the kitchen. AI is moving from handy autocomplete to systems that see, speak, plan and act. Adoption is racing ahead, but governance has not caught up. Boards, clients and regulators want proof that you are in control, including clear roles, concise policies, an AI register, training records and sensible monitoring. This article explains what ‘next-gen’ AI is, how it differs from current AI, and why practical governance of next-gen AI is the safest way to unlock value quickly. You will leave with a simple programme you can launch this quarter and a few concrete next steps.

What ‘next-gen’ AI means, and why it changes the risk picture

Today’s ‘current’ AI is narrow and mostly passive. You feed it structured data, it predicts the most likely response, and a human usually makes the final decision based on it. Even early large language models mainly just produce text. The risks are real, but the systems were bounded and visible.

‘Next-gen’ AI is different in three ways:

• First, it is multimodal. The same system can read text, parse images, listen to audio, and generate any of those in return. That widens the attack surface and the scope for error. A photo, a voice note or a PDF can all carry sensitive data or subtle prompts that change outcomes.
• Second, it is interactive and tool-using. Modern models can do more than merely reply. They can call functions, browse internal systems, trigger workflows, update records and draft code. In practice, that means they can take actions in your environment. A helpful assistant can also, if misconfigured, send an email to the wrong list, change a price, or post inaccurate content at scale.
• Third, it is persistent and orchestrated. Long context windows, vector memory and agent frameworks let AI keep track of goals across many steps, hand tasks between specialised agents and operate in the background. That raises questions about accountability, logging, human oversight and the line between assistance and autonomy.

These capabilities could bring immense benefits. However, they also change your risk calculus. A single prompt can affect thousands of customers at once. A subtle configuration error can leak confidential information across channels. Outputs that seem plausible may still be wrong or biased. And because models are often delivered ‘as-a-service’, your exposure includes vendor lock-in, opaque updates and cross-border data flows. This is why practical governance of next-gen AI is essential. The systems are faster, broader and more connected than the ones you governed before.

Why practical governance of next-gen AI matters now

Governance starts with clarity about who does what, what the rules are, and how you show that those rules work. In next-gen AI, that clarity has to extend to tool use, autonomy limits, audit trails, and training across the whole organisation. You cannot rely on one expert or one policy. You need specific, well-defined procedures that people will actually follow.

Regulators are moving in the same direction. Europe’s risk-based approach expects organisations to train the people who build, deploy or use AI and to manage risks proportionately. The UK’s principles-led model relies on active regulators and demonstrable accountability. Across sectors, existing privacy, cybersecurity and product-safety duties still apply. In other words, Practical governance of next-gen AI is simply good governance applied to a sharper tool.

Practical governance of next-gen AI: the do-now programme

Start small. Prove it works. Improve it every month. The point is momentum, not perfection. Here’s a suggested plan:

1. Mandate and brief the board by setting the ground rules. Write down your risk appetite, the principles you will apply and the lines you will not cross. For example, ‘no high-stakes decisions without human review’, or ‘no confidential inputs into public tools’. Give directors a short briefing on how modern AI works and fails, recent incidents in your sector, and the plan you will implement. Name a senior sponsor and agree on how often you will report. This turns a general aspiration into specific authority.
2. Name the accountable owners by asking an AI Officer to drive value and adoption, and an AI Governance Officer to set rules, check compliance and provide assurance. In smaller teams, one person may wear both hats. In that case, establish a cross-functional committee to address challenges and balance. Use a simple RACI to ensure everyone knows who proposes, approves, builds, and audits. Clear handovers cut delays and prevent the blame game when things go wrong.
3. Surface the estate with an AI register by creating a simple record-keeping document. Even a spreadsheet will do. Send a three-question survey to help find shadow AI use, asking what tools your personnel are using, what purpose they’re using them for, and what data they’re processing with those tools. Triage the results. Anything that touches people, money or safety should get your attention quickly. Require a short intake form for new ideas so you can guide them early. Over time, you can automate discovery, but at the start, you just need visibility. You cannot govern what you cannot see.
4. Ship a short, usable policy pack including a one-page acceptable-use policy for generative AI. Tell people what they must do, such as verify facts, disclose AI help where required, keep a human in the loop for consequential outputs, and what they must not do, such as no confidential prompts and no copying outputs into public channels. Add procurement and vendor terms for security, privacy, model risk, audit rights, incident duties and exit routes. Clarify data handling for prompts, outputs and logs. Decide what evidence you will keep, such as decision notes and approvals, so that you can show your working.
5. Train for AI literacy by giving staff, managers and technical teams short, practical sessions that fit their jobs. Build verification habits, such as checking sources, testing claims, and escalating when stakes are high. Where appropriate, turn off training on your organisation’s inputs and separate personal from work accounts. Training is not a single workshop. It is a routine you refresh as the tools and risks change. Teach roles, not buzzwords.
6. Assess, monitor, and escalate using a short risk checklist for priority use cases, and expand the depth of assessment as risk rises. Enable logging and sample outputs to catch bias, drift or misuse. Prepare simple playbooks for incidents and fairness concerns and test them with table-top drills. Report quarterly to the board on the inventory, risk status, incidents, training coverage and improvements. These habits demonstrate control and make improvement natural.
7. Establish roles, structure, and rhythm by adopting a two-stream system, where the AI Officer drives adoption and the AI Governance Officer oversees safety and compliance. In a small organisation, the same person can do both jobs, but you should still have a small committee to challenge them. Write clear terms of reference that cover both systems you’ve bought and those you’ve built, data used for training, approvals, documentation, and evidence. Short cycles are better than no cycles, and a 30-minute weekly stand-up is all it takes to move decisions along and keep tidy records.

What good looks like in practice

When Practical governance of next-gen AI is working, people know the rules and feel able to innovate. New use cases enter through a simple intake form. Higher-risk ideas get fast, proportionate review. Policies are short and readable. The register reflects reality. Training is brief, regular and role-based. Monitoring catches problems early. Incidents are handled calmly because the steps are clear. Most importantly, leadership sees a steady flow of value with fewer surprises.

Actions you can take next

Next-gen AI is not just more intelligent autocomplete. It is multimodal, tool-using and persistent, with the power to act in your systems and across your channels. That power raises the stakes. Practical governance of next-gen AI lets you use that power safely. Start small, show evidence and iterate by learning, planning, implementing and sustaining your efforts. You do not need perfect rules or expensive platforms to begin. You need ownership, visibility and good habits that everyone can follow. You can:

• Get fast visibility by launching an AI register and a three-question survey this week. Have a look at the free template from the Australian Government’s Department of Industry, Science and Resources.
• Sharpen accountability by appointing an AI Officer and an AI Governance Officer. We wrote an article on the skills to look for and foster in an AI Officer.
• Better decisions by issuing version one of your acceptable-use of AI policy. We’ve even got a simple version that you can download for free to get you started.
• Strive towards compliance by mapping your AI controls to privacy, cybersecurity and sector frameworks you already use.
• Lower operational risk by enabling basic logging, sampling outputs and testing an incident playbook.
• Develop a stronger culture of AI governance by scheduling short, role-based AI literacy sessions and refreshing them each quarter. We can help you with this through our Trustworthy AI programme.