Official UC blog

We Stopped Watching AI. Now We Have to Govern It.

Written by Sonny C. | May 22, 2026 4:55:32 PM

I spent the first week of May in Las Vegas at ServiceNow Knowledge 2026. I got on the plane half-believing the AI conversation in our industry had changed. I got off it certain. We are done arguing about whether AI belongs in compliance. That fight is over. The new question is harder and a lot more interesting: can compliance keep up with AI? That is what I want to talk about this month.


The room is different now


Walk into a GRC event two years ago and the AI talk was mostly hand-waving. Pilots that never shipped. A lot of “someday.” This year had a different temperature, and the money backs it up. Gartner has GRC tool spend growing roughly 50 percent into 2026, because regulatory complexity has flat outrun what teams can do by hand. When budgets move like that, the someday phase is finished.


And here is the part that makes this genuinely hard. The same AI that can take a certification from months down to weeks is the exact thing your regulators, your auditors, and your board now want you to prove you control. AI is the tool and the risk at the same time. You are being told to use it to move faster while also proving you have your hands on every model running inside your walls. Both. At once. That contradiction was sitting underneath everything I saw at Knowledge.


ServiceNow’s bet, and why it should get your attention


ServiceNow used the show to plant a flag. CEO Bill McDermott called the company the “AI Control Tower for business reinvention.” The headline was a much bigger AI Control Tower, built to find, govern, watch, secure, and measure every AI agent, model, and workflow running across a company, no matter where it came from. Twenty-five thousand people in the room. Their biggest agentic AI push to date.


Strip away the keynote polish and here is the claim that matters to us. ServiceNow argued that the frontier models are turning into commodities. Prices are falling. The benchmarks are bunching up. So the scarce, valuable thing is not raw intelligence anymore. It is governed execution. Making sure the AI you turn loose does what it was supposed to do, that you can prove it later, and that it does not quietly wander off the script when nobody is looking.


Now read that back as a compliance person. “Governed execution” is our entire job wearing a software badge. The biggest enterprise tech conference of the year was, underneath all of it, making a compliance argument. Sit with that for a second, because it tells you exactly where this is going.


Agents are the new thing we have to control


The piece actually moving the ground is agentic AI. Not a chatbot answering questions. Agents that act. They kick off workflows, make calls, and move on their own with almost no human hand on the wheel. ServiceNow widened its Autonomous Workforce across functions and rolled out Autonomous Security and Risk to govern agent identities, permissions, and the assets they touch.


For us, an agent is a brand new kind of thing to keep on a leash. The industry is even calling it “agentic compliance” now: systems that monitor controls, spot the gaps, and fix them on their own. That is impressive. It is also a governance problem none of our frameworks were actually built to handle.


Here is the thing nobody really wants to say out loud. Of the three frameworks everyone is reaching for on AI governance, the EU AI Act, the NIST AI Risk Management Framework, and ISO 42001, not one was designed for autonomous agents. They give us solid ground on risk, accountability, documented controls, and monitoring. But the questions agents actually raise are the ones the standards have mostly not answered yet: what happens when one failure cascades, what happens when an agent quietly creeps past its scope, and who is on the hook when it goes wrong. We are policing next year’s technology with last decade’s rulebook. Closing that gap is the work.


The clock is real


None of this is theoretical. Under the EU AI Act, the obligations for high-risk AI, think credit scoring, hiring, critical infrastructure, essential services, were set to bite on August 2, 2026. Lawmakers have since cut a provisional deal on a “Digital Omnibus” that could move the high-risk dates back, but the original deadline stands unless that package is formally adopted, and the outright bans and transparency rules are not affected either way. The destination has not changed. And the fines are not a rounding error: up to 15 million euros or 3 percent of worldwide turnover, whichever hurts more.


I would not treat a possible extension as permission to coast. The smarter read, and the one I kept hearing in Vegas, is that AI governance in 2026 is bigger than compliance. It is becoming table stakes for running a serious business. The companies that build governance into how they ship AI are going to win deals and dodge lawsuits the slow ones walk straight into. The deadline is just the thing forcing the issue. The real prize is being trusted.


Here is the quiet part: it all comes back to mapping


Pull on the thread connecting ServiceNow’s control tower, the agentic compliance noise, and the three-framework scramble, and you land on the exact problem this industry has been working for over a decade. None of it functions without mapping. You cannot govern one AI system against the EU AI Act, NIST, and ISO 42001 as if they are three separate fire drills. The good news is they share a spine. Build a real governance program against one and you have already covered big chunks of the other two. The crosswalks are sitting right there. NIST has mapped its AI RMF functions straight onto ISO 42001 clauses, so evidence you collect once can answer for several requirements. Teams doing this well are cutting out a serious amount of duplicate work.


That is the whole thing we were built on, pointed at a new kind of risk. Take a pile of overlapping authority documents and harmonize them into one defensible set of controls. That is the muscle the AI moment is demanding, and most organizations are out of shape. The ones treating regulatory mapping as a living process instead of a once-a-year project are the ones walking into audits with the advantage.


This is the part I am proud of. While everyone in Vegas was talking control towers and governed execution, the actual work, connecting what a company writes for itself to the outside frameworks it answers to, is the problem we have been quietly solving for years. It is also the problem our newest capability, ControlFoundry, was built to take into customer-owned content. Our CEO has the full write-up on that elsewhere in this issue, so I will let him take it. I will just say the timing is not luck. The market is finally yelling the question we have spent years answering.


What I brought home


Three things stuck with me on the flight back to Florida.

  1. The AI debate in compliance is settled. It is here, it is running in production, and the spending says so. If your program still files AI under “someday,” the market already lapped you.

  2. Governance is the product now. The most valuable thing in enterprise AI is not the smartest model. It is being able to prove you have control of whatever model you are running. That is our work, and it just put this discipline closer to the center of the business than it has ever been.

  3. The foundation did not move, even though everything stacked on top of it did. Governing a 2005 framework or an agent you deployed last Tuesday, the job is the same. Know what you owe, map it to your controls, prove it when somebody asks. The tech got a lot more interesting. The fundamentals did not budge an inch.


That should leave every compliance person reading this a little more confident than when they started. The ground we have been standing on for years turns out to be the exact spot the whole industry is now scrambling to build on.


See you next issue.