AI Exposes the Governance Shortcuts Organizations Normalized for Years

Generative AI does not introduce new governance problems to most organizations. It exposes the ones they have been deferring for years. Supply chain visibility, lifecycle management, data governance, onboarding capacity: these are conversations that IT departments absorb on behalf of leadership, telling the business not to worry about it. Now employees show up with AI tools they see at a conference, asking why they cannot use something that is cheap, sometimes free, and obviously useful. And the answer requires explaining a decade of infrastructure and policy work that is never prioritized because it never had to be.

Ralph Hogaboom, CISO at the Washington State Department of Natural Resources, leads information security strategy and operations for a state agency with over 2,200 employees. His team handles governance, risk management, incident response, compliance, and cybersecurity architecture across an agency that manages wildland fire preparation and response, along with stewarding Washington’s public lands and waters, with technology that ranges from LIDAR and heavy GIS use to technologies for mapping landslides and tsunami risk, wildfire simulations, aviation, and a state-wide durable and resilient radio communications network. Before his current role, Hogaboom spent over 15 years in systems administration, network security, and IT leadership across higher education and government.

"LLMs didn't create governance problems. They exposed the shortcuts organizations normalized for years. Suddenly, everybody wants AI tools, but now we're forced to talk about supply chain management, lifecycle management, and data governance because those conversations were ignored until the technology made them unavoidable," says Hogaboom.

The tools arrive before the decisions

Hogaboom describes a pattern playing out across state government and enterprise environments. Employees discover AI tools that solve a specific problem and want to bring them in. They do not think about the broader implications. "They see one aspect of what a vendor offers. There are all these other implications and they don't focus on that." The result is AI being smuggled in on the side without governance, without lifecycle planning, and without leadership making explicit decisions about what the organization is willing to accept.

He reserves particular skepticism for organizations claiming to deploy agentic AI. "I would ask some pretty serious questions about the maturity of your organization before you jump in bed with agentic AI. It's a force multiplier, not only of the things they're trying to do, but of the mistakes they already have. It blows those things up real fast."

The deeper issue, Hogaboom argues, is that leadership sees AI as a technology problem rather than a decision that enabled business functions, but requires preferences, alternatives, and information from across the organization. "I see state government leaders saying, this AI thing is complicated … Just do the technology things you do. I don't know that government understands the ramifications of delegating those decisions."

Uncertainty at scale

Hogaboom sees a second problem compounding the governance gap. LLMs make risk analysis cheap to produce, and the quality drops accordingly. "I'm seeing my peers generate more sophisticated risk reports and I'm excited. But they're doing it faster, and I'm not sure they've done the homework to know when the BS machine is giving them BS and when it's onto something." He draws a hard line between what he calls generic uncertainty, the kind AI can produce at a massive scale, and specific uncertainty, where a human operator can tell management with calibrated confidence where the gaps actually are.

His team has been practicing calibrated estimation for two years through weekly exercises. Each week, someone poses a question with a verifiable answer: How many tires are manufactured in Washington State annually? What is the world record for the highest kite ever flown? Team members estimate ranges, and Hogaboom scores them on accuracy and precision.

The goal is to build the same skill that meteorologists develop when they produce forecasts tracked by Brier scores. "There's going to be some version of a Brier score for how effective a person is when they use LLMs to produce work product. And I think that's going to come down to your ability to identify when AI is giving you confident nonsense versus credible signal."

Slow wins the race

Hogaboom closes with a warning about institutional durability. Organizations racing to deploy AI for short-term productivity are quietly degrading their reliability. The decline will not be sudden or attributable to a single decision. It will be gradual, as lower-quality outputs erode trust, consistency, and reputation over time.

He points to Apple's iPhone launch as an analogy: last to market, no third-party apps for over a year, but the deliberate approach produces something so durable that the original design principles still hold. "The people adopting AI at breakneck speed right now are sacrificing their capability, their reliability, and their durability. I don't think this market rewards the first person there."