Who can say no to AI in a company?

AI For Business


This question becomes increasingly difficult to answer as artificial intelligence moves from experimentation to enterprise operational machinery. Business units may view new AI tools as a competitive necessity. Product teams may think this is a faster route to market. Cybersecurity teams may encounter new attack surfaces. Legal teams may consider regulatory enforcement. Risk personnel may determine that controls are inadequate. The board may move in an upward direction strategically, but only until the first major incident occurs and requires another discussion.

This is the real AI conflict within large corporations. It’s not man versus machine. It’s speed vs. caution, growth vs. control, innovation vs. evidence.

There’s a lot of pressure to say yes. AI is no longer a new trend that business owners can afford to sit on the sidelines. According to McKinsey’s 2025 State of AI Study, 88% of respondents say their organization regularly uses AI in at least one business function. Agent AI is also advancing rapidly. 23% of respondents said their organization is already expanding AI agents somewhere within the enterprise, and another 39% are experimenting with AI agents.

This level of adoption changes the internal politics of the technology. When AI becomes a topic of revenue, productivity, cost, and talent, it’s easy for those who want restraint to look like a nuisance. Security leaders are told not to slow down innovation. Legal leaders need to be realistic. Risk teams are expected to support the business. Boards want management to move quickly enough to remain competitive. But the downside persists because the business case is strong.

IBM’s June 2026 study found that two-thirds of CIOs and CTOs surveyed are responsible for AI systems that they don’t fully control. The same study found that while 70% say technology is being deployed across the business faster than IT departments can track it, only 11% feel fully prepared for the scale of AI agent deployment expected in the next year.

This is a question of governance in its most practical form. Responsibility is concentrated at the top, while deployment authority is spread across the business.

It may be manageable if the technology cycle is slow. With AI, this gap is dangerous, as systems can now quickly make decisions, interact with data, workflows, and customers. Marketing teams using AI in campaign copy is a level of risk. This includes product teams integrating AI agents into customer operations. This includes finance capabilities that automate the analysis that influences forecasts. This includes security teams deploying autonomous response capabilities. Each use case requires different criteria for review, testing, and escalation.

The difficult question is not whether we should approve or reject AI. Who decides under what conditions?

Companies often answer that question informally. A senior sponsor drives the project. Negotiations are delayed over security concerns. Legal reviews become checkpoints rather than design inputs. There are risks involved when a system is already close to deployment. Boards consider the strategic story, but not the underlying evidence of control.

This model may have worked with early digital tools. That’s not enough for AI.

This risk is particularly acute because boards are already approving AI investments faster than they can define oversight expectations. Grant Thornton’s 2026 AI Impact Study found that three out of four boards approved large-scale AI investments, but only 52% had set clear AI governance expectations. Less than half have made AI risk a permanent topic of board or committee oversight.

This creates an imbalance in the company. Boards want the upside of AI, but many have not yet institutionalized the issue of determining whether the upside is defensible. Who owns AI risk at the executive level? Which use cases require escalation? What level of autonomy is acceptable? Which systems require red teaming? What evidence must be presented before deployment? Who has the authority to suspend or reject use cases?

In other words, who can say no?

EC-Council’s own Adopt. protect. govern. AI frameworks (ADG) are useful because they address that question through structure rather than emotion. EC-Council, founder of the Certified Ethical Hacker certification and a global authority on cybersecurity education and workforce development, launched ADG as an integrated operating model for AI governance, built around three pillars, 12 minimum controls, and nine governance surfaces. According to the EC-Council launch announcement, the framework was developed with input from practitioners and advisory board members across organizations including Citi, JPMorgan Chase, Microsoft, KPMG, Deloitte, NTT Data, GE Healthcare, GlobalLogic, Prudential, and Salesforce.

The part of ADG that is most relevant to this discussion is not the framework language. It’s the intermediary layer.

The ADG framework introduces an AI Governance Council comprised of product, security, legal, and risk leaders. Its role is to mediate the tension between the implementation of speed, the protection of vigilance, and the governance of surveillance. That’s exactly the tension that most companies struggle to manage.

Adapt represents the pressure to deliver business value. Ask yourself which use cases are important, what features are needed, and how can you move AI into production without cutting corners? Defend represents the obligation to test and protect systems before they cause harm, including threat modeling, red teaming, runtime guardrails, detection, and incident response. Governance represents policy, decision rights, regulatory coordination, assurance, auditing, and the need for board-level evidence.

The council’s job is not to make every decision made by AI a bureaucracy. It’s about making sure both “yes” and “no” are controlled decisions.

That distinction is important. Companies that say yes to every AI use case are not innovative. It’s not controlled. A company that says “no” to everything is not responsible. It is strategically frozen. Mature AI governance requires a third path: conditional approval based on risk, evidence, control, and accountability.

This is also where AI governance becomes more than just a compliance issue, it becomes a values ​​issue. Gartner found that organizations that regularly audit and assess the performance and compliance of their AI systems are more than three times more likely to achieve high GenAI value than those that do not. In other words, disciplined evaluation doesn’t just prevent failure; This could be part of how companies can more reliably derive value from AI.

The implications for CEOs and boards of directors are significant. AI governance cannot be reduced to policies, committee names, or quarterly updates. Authority must be defined. It should be clear who can approve, who can object, who can suspend, who can escalate, and who can defend the final decision.

EC-Council’s ADG ecosystem extends that logic beyond governance design. The AI-enabled self-assessment tool helps organizations examine maturity across 12 ADG controls and prioritize gaps through 30-day, 60-day, and 90-day roadmaps. Three ADG-aligned certifications, Certified AI Program Manager, Certified Offensive AI Security Professional, and Certified Responsible AI Governance and Ethics Professional, address the workforce competencies needed to manage AI programs, adversarially test systems, and translate governance into operational practice.

This is where the conversation around enterprise AI is headed. Companies that lead aren’t just those that say “yes” right away. They are the ones who know when a yes can be defended, when a no is necessary, and when a decision needs to be escalated before the business crosses the line, there is no easy way back. The future of AI in the enterprise is not only determined by model performance and automation potential. It is determined by power, authority and responsibility.

Who can say no to AI may be one of the most important governance issues in modern enterprises.



Source link