09 June 2026
Artificial intelligence has arrived in most organisations long before the organisation has had a chance to govern it. AI governance and information intelligence have therefore become inseparable disciplines. Before an organisation can manage AI risk, it must first understand what information it possesses, where that information resides and who can access it. AI governance depends on information intelligence.
Many organisations have responded to the rise of AI by drafting policies, forming committees and creating governance frameworks. These activities have value, but they often start in the wrong place. They begin with the technology rather than the information.
Consider a simple question: does your organisation use AI?
Many managers confidently answer no. Yet a short conversation often reveals a different reality. Staff use ChatGPT to draft correspondence. Microsoft Copilot summarises meetings and searches documents. Grammarly rewrites content. Canva generates marketing material. Zoom creates meeting summaries. Adobe products generate images and text. AI appears throughout modern software, often without a deliberate decision to adopt it.
The challenge does not end with identifying these tools. Once an organisation knows which AI systems are in use, a more important question emerges: what can those systems see?
This question shifts the discussion from technology to information.
Suppose an organisation discovers that employees use ChatGPT. Is that a risk? The answer depends entirely on the information being entered into it. If employees use it to improve public marketing content, the risk may be minimal. If employees use it to analyse confidential client reports, financial forecasts or proprietary source code, the situation changes dramatically.
The same principle applies to Microsoft Copilot. Copilot itself is not the risk. The critical question concerns the information to which Copilot has access. If it can search email, Teams conversations, SharePoint repositories, OneDrive folders and internal reports, then understanding those information assets becomes essential.
This creates a challenge for many small and medium-sized organisations. Some possess a reasonable understanding of their technology environment but a much weaker understanding of their information environment. Others know which systems they operate, but they do not always know which systems contain sensitive information. They sometimes know who owns a server, but not where intellectual property resides or which documents contain commercially sensitive information.
As a result, discussions about AI risk often become speculative. Organisations attempt to assess the risk of AI without first understanding the thing that AI may expose.
You can’t manage AI if you don’t manage your information
This situation mirrors a broader problem in cybersecurity. Organisations frequently focus on the systems that store information rather than the information itself. Security controls protect servers, applications and networks. Yet attackers rarely care about the infrastructure. They care about the information that infrastructure contains. AI introduces the same challenge from a different direction.
An organisation that understands its information assets can make informed decisions about AI. It can identify which information may be used with public AI services and which information must remain within controlled environments. It knows which repositories require additional protections. It can decide whether an AI system should ever access a particular dataset. Most importantly, it can evaluate risk using evidence rather than assumptions.
This is why an AI inventory represents only the beginning of the process. An inventory may reveal that the organisation uses ChatGPT, Copilot, Grammarly and several other AI-enabled services. Useful as that information may be, it does not answer the central question. To understand risk, the organisation must know what information those systems can access, influence or expose.
Information intelligence is the prerequisite
In practice, this often means that information intelligence becomes a prerequisite for effective AI governance. Organisations need visibility of their information landscape. They need to understand which information assets they hold, how sensitive those assets are, where they reside and who can access them. Without this knowledge, AI governance becomes little more than guesswork.
The organisations that will manage AI most effectively are unlikely to be those with the longest AI policies or the largest governance committees. They will be the organisations that understand their information. They will know which information matters most, where it lives and how it flows through the business. Once that foundation exists, decisions about AI become considerably easier.
Before asking how to govern AI, organisations should ask a simpler question.
Do we actually understand our information assets?
The answer to that question often reveals far more about AI risk than any inventory of AI tools ever could.