A few weeks ago, I was invited onto SBS Australia for a radio interview about AI governance. I said yes before I had finished reading the email.

What made me pause came later, in the studio. I have spent a long time talking about this subject to boards, risk teams, and people who already live in the world of compliance. This was different. I was speaking to a general audience, the people listening on their commute or while making dinner. And that changed how I had to think about every answer. AI governance is not a tech-team topic. It touches anyone whose job application, loan, medical decision, or government payment might one day pass through an automated system. I wanted that to land for a listener who had never heard the term before.
I was not alone in the studio. Joining me was Dr Chandrika Subramaniyan, a lawyer, writer, and AI assessor, who took the legal questions. We were interviewed by Executive Producer Selvaraj Raymond, who has a gift for asking the simple question that turns out to be the hard one.
Here is what they asked me, and how I answered. I have kept the questions in the order they came, so you can follow the conversation the way it actually unfolded.
Can you explain AI governance in simple terms?
This was the opener, and it is the question I think about most. So I reached for a picture rather than a definition.
I asked them to think about the things that keep you safe in a car. Lane markings. Speed limits. The seatbelt. The brakes. None of them stop you from reaching your destination. They simply keep you safe on the way. AI governance is that same layer of safety, applied to the way an organization builds and uses AI. You set the rules early, before the system is designed.
Then I explained why it matters, because that is where it gets real. AI now makes decisions, and it guides the people who make them. Who gets the loan. Who gets the interview. Whose file gets flagged. When a system like that runs with no checks and gets it wrong, the cost is high. The organization loses trust. It can face a legal claim. It can lose real money. Governance does not block AI. It helps an organization use AI in a way that customers, regulators, and the public can rely on. That trust, I told them, is the whole point.
Is this a technology problem, a legal one, or a management one?
My answer was that it is all three at once, and the work falls apart if you have only one of them. Technology without legal misses the compliance traps. Legal without management cannot change how the business runs. Management without the other two is deciding blind.
I have watched the most common mistake play out many times: treating governance as the IT department’s problem. Engineers can build the tools. Lawyers can weigh the risk. But one decision belongs to leadership and the board, and that is the decision about which AI to use, where to use it, and what limits to set. This is exactly the principle ISO/IEC 42001, the international standard for managing AI, is built on. Accountability starts at the top and works down.
If staff use tools like ChatGPT or Copilot without rules, what can go wrong?
I told them there is even a name for this: shadow AI. It is when staff use AI tools the organization knows nothing about. Two cases tend to stay with people, because the companies are household names.
Samsung learned this the hard way in 2023, when some of its engineers pasted confidential source code into a public chatbot to fix a bug. The code left the company’s control, and the business had to restrict the tool. The other case goes back further. Amazon spent years building an AI hiring tool to screen applicants, then scrapped it in 2018. The tool had learned from a decade of resumes, most of them from men, so it taught itself that men were preferable and began marking down CVs that mentioned women.
Both stories share the same cause. Feed AI the wrong thing, with no rules around it, and it repeats the mistake faster than any human could. What I most wanted listeners to take away is that this risk does not sit with the engineers. It sits in every department. A staff member drops a client’s personal details or a draft financial report into a free tool, and privacy is breached in one click. Another person trusts a confident answer the AI simply made up, and never checks it. With no policy, everyone is left to guess, and guessing is where the damage starts.
When an AI decision is wrong or unfair, who is responsible?
This is the question that matters most to the person on the receiving end, because when the output is wrong, a person gets hurt. A loan is refused. An online exam is failed.
So I was direct. The law and basic fairness point the same way: the organization that deployed the AI carries the responsibility. Not the vendor. Not the algorithm. A company cannot escape by saying “the computer decided.” That excuse does not hold. The space where responsibility quietly disappears even has a name. We call it the accountability gap, and closing it is the core job of governance.
Where that accountability actually sits depends on the size of the organization. In a small business it is the CEO. In a mid-sized organization it is usually the technology or IT lead. In a large enterprise it sits with senior risk owners, such as the Chief Risk Officer or Chief Information Security Officer. The vendor still answers for the tool it sold, but the decision belongs to whoever put it to work.
This is why a human has to stay in any big decision, whether it is a loan, a job, or a course of treatment. A named person must stand behind the final answer. The EU AI Act writes this into law for high-risk systems, and people sum it up as keeping a human in the loop. That same law goes further. It bans some uses outright, including AI that preys on vulnerable people, certain kinds of profiling and crime prediction, and the scraping of images off the internet to build facial recognition databases.
From a legal standpoint, what should organizations watch most closely?
Here I handed over to Dr Chandrika, and her point was blunt: the penalties are real, so handle this with care. Four areas do most of the work.
Privacy comes first. A customer’s or employee’s personal data may go into a tool, and you have to know whether that breaches the Privacy Act in Australia or the GDPR in Europe. If there is no lawful basis, the data should not go in. Confidential information is the quieter risk, because anything typed into a public AI tool can travel beyond your control, so trade secrets and client records should never touch a tool you have not checked. Copyright sits in murkier territory, since AI-generated content may lean on someone else’s protected work, and who owns the output is often unclear.
Discrimination is the subtle one, and also the most harmful. AI learns from old data, and if that data carries bias, the AI brings it back out, bigger and at scale. A hiring tool that quietly filters out women can break anti-discrimination law. Testing your systems for bias is not optional.
What does it take to avoid another Robodebt?
This question hit close to home, because Australia already has the cautionary tale. I did not have to reach for a foreign example.
Robodebt used an automated process to send incorrect welfare debt notices. Hundreds of thousands of people received them. The maths at the heart of it was wrong. People were seriously harmed, some lives were lost, the government repaid billions, and the whole thing ended in a Royal Commission.
What I find sobering is that every failure lines up against a governance step that was missing. Nobody checked whether the automated logic was correct, and that check is called validation. The people who received the notices had almost no way to question or appeal them, and that right to push back is called contestability. Nobody would own the outcome, because “the system did it” was easier. And the warnings staff raised inside were ignored. Validation. Contestability. Human oversight. A clear owner. Any one of them might have caught the problem. Together, they would have stopped it.
What practical steps can an organization actually take?
I liked this question because it let me end on something useful. You can start today, and first I wanted to kill one myth: good governance does not need a giant budget.
I gave them five steps. Write an AI policy that says which tools are allowed and which data must never go in, then actually share it with staff, because a policy nobody reads protects nobody. Build an AI inventory, because most organizations cannot tell you where AI is already running inside their walls, and you cannot govern what you cannot see. Assess risk by use, since drafting a marketing email and approving a loan are not the same gamble. Keep a human in the high-stakes calls, with one named person accountable for the result. And train your people, because the best policy on paper still fails the moment staff do not understand it.
For anyone who wants to build this properly, I pointed to ISO/IEC 42001 as the international standard to follow. It lays the whole structure out, step by step. If you are not sure which path fits your role, the GAICC AI career quiz points you to the right starting certification in about two minutes.
Can you have both, safety and the benefits of AI?
The last question was the one I most wanted to answer, because so many people assume governance and innovation pull against each other. My answer was yes, you can have both, and in fact the benefits of AI are the reason the guardrails exist in the first place.
I went back to the car. Nobody drives fast in a car with no brakes. The brakes are what let you carry speed into a corner without fear. Think of a highway barrier, too: that strip of steel along the edge is what makes 100 to 110 km/h feel normal. Take it away, and the same driver slows right down. Governance is the brake and the barrier for AI.
The balance comes from matching the rules to the level of risk. Low-risk uses, like internal brainstorming or a first draft, are where you let people experiment and move quickly. The heavy oversight belongs on the decisions that change someone’s life. Run it that way, and fairness, privacy, accountability, and human judgment all hold, while the speed and reach of AI stay fully available. You do not have to pick one or the other.
Leaving the studio
Walking out of SBS afterward, what stayed with me was not any single answer. It was how naturally a roomful of everyday questions cut to the heart of this work. My thanks to SBS Australia, to Executive Producer Selvaraj Raymond, and to Dr Chandrika Subramaniyan for a conversation that reminded me who all of this is really for. As AI becomes part of everyday business, governance is what keeps that progress tied to trust, transparency, and human judgment.
If this sparked something for you: explore GAICC’s ISO/IEC 42001 certifications, or join a free ISO/IEC 42001 masterclass. Two minutes to find your starting point: take the AI career quiz.
Dr Latha Karthigaa is Head of AI Governance and Director at the Global AI Certification Council (GAICC), and one of the most active educators shaping how the world learns to govern AI responsibly. She holds a PhD in Software Engineering and brings senior corporate leadership experience, including a Chief Marketing Officer role, to a mission focused on building the professional infrastructure that trustworthy AI depends on.
GAICC, which she leads, is one of the earliest dedicated AI governance certification bodies. It has trained 6,000+ professionals across 38 countries in ISO/IEC 42001, ISO/IEC 27001, and specialist AI governance and AI law credentials, spanning Australia, New Zealand, the US, UK, EU, Singapore, Malaysia, and the UAE. She also co-founded Govern365.ai, a platform that turns regulatory frameworks into everyday operational practice, completing a vertically integrated “train, certify, govern” model.
Latha is a leading public voice on responsible AI, reaching a combined audience of more than 40,000 people. She publishes AI Governance Weekly, a newsletter with 20,500+ subscribers growing by around 1,000 each week, and educates a global community through 19,500+ followers on LinkedIn, her AI governance YouTube channel, and a growing Instagram presence. She hosts a live ISO/IEC 42001 masterclass three times weekly across time zones, has featured on broadcast media including SBS Australia, and is currently writing a book on AI governance.
Her philosophy is simple: governance should be practical, accessible, and trusted, equipping people everywhere to use AI with accountability and confidence.