Perspectives

Field notes from our work.

Thinking out loud on governance, structure, and what it takes to stay in control. Where AI is used without governance, organizations don't just take on risk. They lose control of what they are becoming.

Featured | Continuity

The quiet end of one-and-done governance.

NIST published a mathematical proof that no fixed set of AI guardrails can ever be complete. Read as governance, it ends the static policy binder as a matter of fact, not opinion.

NIST just did something rare. It published a mathematical proof. Apostol Vassilev, a senior scientist at NIST, took Kurt Gödel's incompleteness theorems, the 1931 result that ended the dream of a complete and consistent system of mathematics, and applied the same logic to AI guardrails. The conclusion, peer-reviewed in IEEE Security and Privacy: there is no finite set of guardrails that is universally robust against adversarial prompts. For any fixed set of rules, a prompt that defeats them exists. It is only a matter of finding it.

Read that as a security finding and it tells you to keep red-teaming. Read it as a governance finding and it is bigger. It means a rule set you approve once cannot, even in principle, be complete. The static policy, written, signed, and filed in a binder, is not incomplete because someone was lazy. It is incomplete by proof. You cannot finish it. You can only keep working it.

That is the quiet end of one-and-done governance. Not a best practice anymore, a mathematical fact. A control that can never be complete cannot be approved and forgotten. It has to be owned, continuously, by someone whose job is the loop that never closes.

NIST's framing is Sisyphean, and it means that as a warning. I would read it as a job description. The rock does not stay at the top. The only question the proof leaves you is who is assigned to keep pushing it.

First shared on LinkedIn →
Accountability & liability

I Swear, Your Honor. The Algorithm Did It.

Running a decision through an AI does not make it the AI's decision. Two regulators have proven it, with a bill attached. Decision-laundering has no legal standing.

Read more →

AI Wrote It. AI Checked It. You Bought It.

The fastest-growing governance risk isn't the AI your team adopted. It's AI-written code no human read, shipping inside what you buy, into your regulated environment.

Read more →

The AI That Needs a Human

A large share of what's sold as AI is performance, backstopped by people. At Presto, "human in the loop" wasn't a safeguard, it was the labor that hid the gap. The buyer inherits it.

Read more →
The control layer

You Bought the Whole Stack. Who Owns the Decision?

Every layer of AI security limits what the agent can do or watches what it did. None governs whether the action was right. That gap is not a missing control. It is a missing owner.

Read more →

You Can't Fix AI Slop With a Checklist

A 2,000-word case for AI governance that never used the word. Its four fixes are inputs to a governance system. They are not a governance system.

Read more →

The Governance Question Just Changed

AI governance has been framed as harm reduction. If the firm's learning loop is its new IP, governance is the precondition for owning it.

Read more →
Ownership, competence & records

If IT, Legal, and a Committee Own Your AI Governance, No One Does

Governance without an owner is documentation. Ownership is a function with three requirements, revision authority, exception visibility, and standing. Most organizations have assigned none.

Read more →

Literacy Is Not Competence

The training market can certify who can use AI. It cannot certify who is accountable for the outcome. Literacy has exams; competence has consequences.

Read more →

Inventory Is the First Act of Governance

If your board asked this afternoon for a list of every place AI is used in your firm, who owns each one by name, does that list exist? Not the policy. The inventory.

Read more →

The Audit Trail You Don't Have

Your AI systems are being logged. Your AI decisions are not. IT's system log tells you what the system did; only a decision audit trail tells you who owned the call.

Read more →
Dependency & autonomy

Did You Lose a Tool, or the Decision?

When a model goes dark, redundancy lets you switch providers. It does not restore the judgment you outsourced. You cannot fail over to judgment that is no longer in the building.

Read more →

The Governance Gap Nobody Is Pricing In

Your AI vendors are counterparties, not just products. Their financial durability is a risk most governance frameworks don't assign to anyone.

Read more →

Who Decides What's Critical?

Every autonomous system promises a human in the loop. But if the system decides what escalates, the checkpoint is a feed with a nicer font. Real governance means a named human owns the threshold.

Read more →

When a Single Click Decides Your AI Policy

Vendor-side agents arrive shipped as a feature and switched on with a click. The scope you clicked yes to becomes your de facto policy, unless a named human decided otherwise.

Read more →
Adoption, data & the gap

The US AI Adoption Gap Is Structural, Not Cultural

The US leads the world on AI capability and ranks 21st in the capacity to use it. The countries ahead didn't out-culture us. They built governance infrastructure first.

Read more →

Consent Is One Screen Deeper Than the Button

A free-AI-models offer showed a reassuring data promise on the screen everyone sees, and a very different one on the screen almost no one opens.

Read more →

When the Map Can't Keep Up With the Territory

Frontier AI features ship faster than the docs that describe them. You cannot anchor policy to a moving target, so the control has to live in the decision, not the documentation.

Read more →

The Missing Institution

Business-critical tech used to arrive through procurement, legal, and a named owner. AI bypasses all three. The problem was never the contract, it is the missing gateway around it.

Read more →

Your Organization Is Learning the Wrong Things

AI doesn't just help your organization work. It teaches it how to work. Without control over what it reinforces, the org learns to accept the familiar as correct, not the accurate.

Read more →
From The Evolving Mindset

The Architecture of a Governed AI System

Most organizations govern AI at the tool level. The risk lives at the decision level. Here's the architecture that governs the space in between.

Read more →

The Audit Trail That Drifts

Installing governance is not the same as maintaining it. What governance drift is, why tighter enforcement is the wrong response, and what a maintenance architecture actually requires.

Read more →

The System You're Already Running

Most organizations believe they are still figuring out AI. They are not, and the system already shaping their decisions is either defined or running on its own.

Read more →

Visibility Is Not Governance

A registry tells you what AI exists. It does not tell you who owns the decisions it is already making, and that is the question that carries risk.

Read more →
The Evolving Mindset

A briefing on AI governance

Accountability, and the control structures organizations need before AI starts making decisions they didn't authorize. Every edition raises a question worth pressure-testing. If it surfaces something you're navigating inside your own organization, or you see it differently, write back at mindset@fellowshipintelligence.com.

Subscribe at evolvingmindsetai.com
Also on LinkedIn, Spotify, and Substack.