The Accountability Paradox: When Everyone is Accountable, No One Is. And Nothing Happens.

Picture the scene. A mid-market firm, growing fast. AI is creeping into operations: a chatbot here, some automated decisioning there, generative tools across the marketing team. Ask who's accountable if something goes wrong, and you'll get one of several responses. Someone points to the IT director who "deals with all the tech stuff." Or there's a pause before someone mentions the CFO who got voluntold because AI is "really about operational efficiency and cost reduction." What you'll hardly ever hear is the CEO taking accountability. That's not necessarily a bad thing: CEOs delegate, it's what they do. But with something as strategic as AI, they might be missing a trick.

Because accountability isn't just about risk. It's about opportunity. And when AI risks crystallise, when something goes visibly wrong, the opportunity disappears too. The organisation gets spooked, locks down, and loses the upside. The CEO who delegated AI to "whoever deals with tech" now finds their competitors pulling ahead while their own firm is stuck in remediation mode. Clear accountability for AI isn't defensive. It's what makes confident innovation possible.

In many firms, governance is simply out of the window. AI tools arrive through the side door: staff sign up for services, teams build automations, vendors bundle AI into existing products. Nobody planned for this. Nobody governs it. The question of accountability doesn't arise because nobody's asking.

At the other end of the spectrum, some organisations respond to AI with governance hyperactivity: frameworks, committees, policies, sign-offs. The logic seems sound. Powerful technology demands robust oversight. Yet all this activity produces a perverse outcome. Despite the governance apparatus, accountability gets diffused until it effectively disappears. Everyone is responsible. No one is accountable.

This is the accountability paradox. And resolving it doesn't require more governance or less governance. It requires appropriate governance, built on a principle that sounds obvious but is rarely followed: give named accountability, with supportive executive and board oversight, to a person who is capable, passionate, and neither conflicted nor disincentivised. That's the best way to manage AI risk and capture AI opportunity. Everything else is detail.

The Governance Spectrum: Where Does Your Organisation Sit?

Before diving into solutions, it's worth acknowledging the reality of how organisations actually approach AI governance. There's no single model, and pretending otherwise helps no one.

But here's a more fundamental question: does your organisation have proper investment governance for anything? Is there a design authority that reviews technology decisions? Do projects require a business case, or does money get allocated on a whim? AI governance doesn't exist in isolation. If your firm lacks basic disciplines around investment decisions, bolting on "AI governance" won't fix the underlying problem. It'll just add another layer of theatre.

With that caveat, here's how organisations typically approach AI specifically:

No governance at all. This is more common than anyone admits publicly. AI tools proliferate, risks accumulate, and nobody's minding the shop. Sometimes this reflects conscious risk appetite ("we'll deal with problems if they arise"). More often it reflects the fact that AI arrived faster than governance thinking could keep up.

AI bolted onto existing governance. The pragmatic choice for many. AI risks get discussed in existing risk committees, AI projects go through existing approval processes and business case disciplines, AI policies become annexes to existing frameworks. This works reasonably well when AI is incremental and when your existing governance actually functions. It struggles when AI is transformational or when existing governance is already weak.

Standalone AI governance. Dedicated AI committees, specific AI policies, separate oversight structures. This signals seriousness and can provide focus. The risk is creating a governance silo that doesn't connect to how the business actually operates or to normal investment disciplines.

Temporary standalone while working it out. Perhaps the most honest approach. Recognising that AI governance is genuinely new territory, some organisations create dedicated structures with an explicit mandate to learn, adapt, and eventually integrate into business-as-usual governance. This buys time without pretending to have all the answers.

None of these is inherently right or wrong. The choice depends on your organisation's risk profile, AI maturity, and existing governance capability. What matters is making a conscious choice rather than drifting into a position by default.

Accountability vs Responsibility

Whatever governance model you choose, one distinction matters enormously. Accountability and responsibility are not synonyms, and treating them as such creates precisely the confusion that governance frameworks are meant to resolve.

Accountability means owning the outcome. The accountable person answers for results, good or bad. They cannot delegate this away. When things go wrong, they face the consequences. When things go right, they ensure credit flows to those who did the work.

Responsibility means executing the work. Responsible people carry out tasks, manage processes, and deliver outputs. Responsibility can be shared across teams and delegated down hierarchies.

This maps directly onto the leadership-management distinction. Accountability is fundamentally a leadership function: setting direction, making decisions about risk appetite, and standing behind outcomes. Responsibility is fundamentally a management function: organising resources, monitoring progress, and ensuring delivery.

In mid-market firms, accountability often gets pushed to whoever seems closest to "technology" or "operations," regardless of whether they have the standing to make real decisions. In larger organisations, the problem multiplies: accountability gets lost in committee structures where "everyone is accountable," which means no one is.

To be clear: committees aren't the enemy. An AI committee with a clear terms of reference, supporting an accountable leader and aligned to strategic objectives, can be genuinely valuable. The problem is when committees work against the leader, protect functional silos, or become forums for self-interested obstruction dressed up as "governance concerns." A good terms of reference helps. But a leader who can call out the nonsense when people are protecting their patch rather than serving the organisation? That's priceless.

Regulators understand this distinction clearly. The UK's Senior Managers and Certification Regime (SM&CR) exists precisely because collective accountability had failed in financial services. Named individuals must now certify their accountability for specific outcomes. The lesson generalises beyond banking.

Three Questions That Cut Through Complexity

Whether you have elaborate governance or none at all, these three questions provide a useful sense-check for any AI system in your organisation.

First: Who is ultimately accountable for this system's outcomes? Not "the AI committee" or "the technology function." A named individual who will answer for results. This person doesn't need to understand the technical details. They need genuine authority to make decisions and the standing to face consequences.

Second: How is that accountability documented and communicated? If it exists only in the accountable person's head, or is buried in paragraph 47 of a policy nobody reads, it doesn't count. Accountability needs to be visible: to the accountable individual, to those with responsibilities that flow from it, and to those who might need to invoke it.

Third: What checks and balances make accountability real in practice? Paper accountability is worthless if there's no mechanism to surface problems, escalate concerns, or trigger consequences. This is where the risk-to-policy pipeline becomes essential.

Most organisations struggle with at least one of these questions. They have informal accountability that isn't documented. They have documented accountability that isn't communicated. They have communicated accountability without the mechanisms to make it real. Getting all three right is the foundation of effective governance, whatever structural model you choose.

The Risk-to-Policy Pipeline: Getting Governance Right

Here's where experienced risk and audit professionals have an advantage over those approaching AI governance from a technology or compliance background. They understand that good governance, and leadership flows from risk, not the other way around.

The sequence matters. 

Risk informs Control.

Control shapes Policy.

Policy anchors Accountability.

Accountability drives Strategy.

Start by identifying what your AI systems create: both the risks and the opportunities. Not abstract categories from a framework, but concrete outcomes that could materialise. On the risk side: customer detriment from biased decisions, financial loss from model failures, regulatory breach from unexplainable outcomes, reputational damage from public AI incidents, staff over-reliance on tools they don't understand. On the opportunity side: efficiency gains, better customer experiences, new products, competitive advantage. Both need accountability. Risk accountability without opportunity accountability produces defensive, slow-moving organisations. Opportunity accountability without risk accountability produces reckless ones.

Then design controls that address those risks proportionately. A customer service chatbot and an automated lending decision engine present different risk profiles and demand different controls. One-size-fits-all AI policies typically fail because they ignore this reality.

Only then do you write policies. These should be short, clear statements of what the controls require and who must implement them. Policy documents should be readable by their intended audience in under fifteen minutes. If your AI policy requires a training programme to understand, it's probably too complex to be effective.

Finally, anchor accountability. For each significant risk, there should be a named individual who will answer for the effectiveness of controls. Not a committee. Not a function. A person.

Organisations that reverse this sequence, starting with policy templates or governance frameworks and working backwards, consistently produce accountability theatre rather than genuine oversight.

Leadership Style as Governance Infrastructure

Accountability structures only work if people can actually discharge their responsibilities. This is where leadership style becomes governance infrastructure, and where many organisations get it badly wrong.

Consider two leadership approaches and their effects on AI adoption.

Directive leadership tells people what to do. The leader decides, communicates, and expects compliance. In an AI context, this creates reactive organisations. People wait to be told which tools to use, how to use them, and what's permitted. Innovation stalls because nobody has permission to experiment. Problems go unreported because the culture rewards following instructions, not raising concerns. Staff become skilled at implementing what they're told, but not at thinking critically about whether it makes sense.

Servant leadership inverts this. Leaders see their primary role as enabling their teams: providing clarity, tools, psychological safety and permission to act. In an AI context, this creates innovative organisations. People experiment because they have permission. They raise concerns because it's safe to do so. They develop judgment about when to trust AI outputs and when to question them. Staff become skilled at navigating uncertainty, not just following rules.

The practical difference is stark. A customer service representative under directive leadership waits to be told how to handle AI recommendations. Under servant leadership, they have the confidence to override the AI when their judgment says it's wrong, and the safety to escalate when they're unsure. A marketing team under directive leadership uses only approved tools in approved ways. Under servant leadership, they experiment with new approaches while understanding the boundaries.

The best-designed accountability structure fails if the people operating within it fear the consequences of honesty or lack permission to act. Servant leadership creates the conditions for accountability to function and for innovation to flourish. Directive leadership creates compliance at the cost of both.

When Accountability Fails: Lessons from History

The corporate failures that led to today's regulatory environment share a common pattern: structures that created the appearance of accountability while preventing its reality.

Enron had a board, audit committee, risk management function, and external auditors. On paper, accountability was clear. In practice, the structures had been designed to obscure rather than illuminate. Complexity became a feature, not a bug. If no one could understand what was happening, no one could be held accountable for it.

The financial crisis revealed similar patterns. Banks had elaborate risk frameworks, chief risk officers, and board-level oversight. Yet when supervisors asked who was accountable for specific portfolios of risk, the answers were evasive. Committees had approved decisions that no individual would defend.

The regulatory response, SM&CR in the UK and similar regimes elsewhere, was to cut through this by requiring named individuals to certify accountability for specific outcomes. The regulation didn't create new accountability; it made existing accountability visible and enforceable.

The lesson for AI governance is clear. Organisations that build committee structures without individual accountability, that write policies without clear ownership, or that create complexity as a defence against scrutiny, are repeating the mistakes that led to SM&CR. They're building the accountability gaps that future regulations will be designed to close.

When Accountability Works: The Oz Principle in Practice

There's a useful framework from organisational psychology that captures how effective accountability actually works. The Oz Principle, developed by Roger Connors and Tom Smith, uses the Wizard of Oz as a metaphor for the difference between waiting for external solutions and taking personal ownership.

The characters in the story, seeking brains, heart, courage and a way home, already possess what they need. They're waiting for a wizard to grant what they could claim for themselves. Many organisations approach AI governance the same way, waiting for external frameworks, regulatory guidance, or industry standards to tell them what to do.

The Oz Principle's alternative is a four-step cycle: See It, Own It, Solve It, Do It. Applied to AI risk, this means: acknowledge the risks your systems create (without minimisation or denial), accept personal accountability for managing them (without hiding behind committees), develop practical controls (without waiting for perfect solutions), and implement them (without endless pilot phases).

Organisations that operate this way handle AI challenges far more effectively than those waiting for a central AI committee to tell them what to do. They respond faster because accountability is local. They innovate more confidently because decision rights are clear. They manage risks better because ownership isn't diffused.

This isn't about eliminating central governance functions. They have essential roles in standard-setting, coordination, and assurance. It's about ensuring that central functions enable rather than replace individual accountability.

What Should You Actually Do?

Strategy documents are easy. Implementation is hard. Here's a practical checklist for leaders who want to move from accountability theatre (or accountability absence) to genuine governance.

Name an accountable individual for AI and digital risk. Someone with genuine authority, not a volunteer or conscript who happened to have "digital" in their background or "efficiency" in their remit. The CEO will almost certainly delegate this, which is fine, but they need to delegate to someone with real standing: the authority to make decisions about risk appetite, the power to enforce standards, and visibility to the board. And post importantly: One who empowers rather than dictates.

Choose your governance model consciously. Decide whether AI governance is standalone, integrated, temporary, or (if you're honest) non-existent. Any of these can work depending on your circumstances. What doesn't work is drifting into a position without thinking it through.

Map responsibilities beneath the accountability. Data, technology, product, compliance, internal audit, and HR all have roles in AI risk management. Clarify what each function is responsible for delivering, and how they support the accountable individual's oversight.

Build the risk-to-policy pipeline. Start with a simple log that identifies concrete AI-related risks and opportunities, not abstract categories. For each significant item, document the control (for risks) or enabler (for opportunities), the policy requirement, and the accountable individual. Keep it to one page per major system.

Embed the three accountability questions. Use them in project approvals, risk discussions, product sign-offs, and audit planning. Make them routine enough that people stop noticing they're answering them.

Adopt servant leadership behaviours. If you want innovation, enable it. Give people clarity, permission and safety. If you lead directively, expect reactive compliance and missed opportunities. The leadership team sets the tone, and the organisation follows.

Keep governance documentation short. If your AI policy runs beyond ten pages, it's probably too long to be effective. If your governance framework requires external consultants to interpret, it's probably too complex to work.

The Secret of AI Governance

The accountability paradox resolves when you follow a simple logic chain. You cannot write effective policy until you understand the risks you're trying to manage. You cannot write effective strategy until you have policy to guide it. And blanket statements, "we won't do AI" or "no generative tools," made without genuinely understanding the risks, don't protect the organisation. They stifle opportunity while providing false comfort.

This is where accountability becomes essential. Someone needs to own this chain: understanding risks properly, translating them into proportionate policy, and shaping strategy that captures opportunity while managing genuine threats. That's not a job for a committee. It's not something that happens by default. It requires a named individual with the authority, standing, and incentive to get it right.

Without that accountability, organisations default to one of two failure modes. They either adopt AI recklessly, with no one answering for the consequences when risks crystallise. Or they lock down defensively, with no one answering for the opportunities lost. Both are accountability failures. Both destroy value.

Clear accountability is enabling responsibility. It gives people permission to pursue opportunities because someone owns the risk decisions. It gives people confidence to flag concerns because someone will act on them. It creates the conditions for both innovation and prudence.

The organisations that thrive with AI won't be those with the best models or the most sophisticated technologies. They'll be the ones where someone, a real person with real authority, owns the whole picture: the risks to manage, the policies to guide action, and the opportunities to capture.

I've said many times before, and I'll say many times again: AI is not a technology challenge. It's a leadership one.