AI governance is a different problem than software governance
AI systems are probabilistic and non-deterministic. The same input can produce different outputs; the failure distribution cannot be fully characterized in advance. This is a structural property of how large language models and generative AI systems work. Organizational governance must be designed around the assumption that some fraction, increasingly small, will be wrong, in ways that cannot be fully predicted.
This property distinguishes AI governance from every prior enterprise software governance problem. Deterministic software has bugs, but its failure modes are in principle enumerable. AI's are not — the distribution shifts with model version, input domain, context length, and deployment configuration. Risk management can estimate the rate. Enumeration is not the right tool for the job. The governing response to AI uncertainty is protocol design for what happens when an output is wrong — before the wrong output has been identified.
Protocol governance scales; policy and compliance do not
Policy, compliance, and protocol each address different coordination problems and fail differently.
A policy requires central enforcement. "No employee shall use AI for customer-facing communications without manager approval" is a policy. It specifies a prohibition or requirement but depends on central authority (the manager, the legal team, the IT department) to monitor and enforce it. Policy scales poorly: as AI use becomes pervasive and simultaneous across thousands of interactions, central enforcement becomes the bottleneck. Policy-based AI governance produces the Samsung pattern: a clear prohibition, no mechanism to detect violations, and discovery 400+ days after the fact.
Compliance is adherence to external requirements — regulatory standards, audit frameworks, contractual obligations. Compliance governance asks "are we meeting the standard?" It is backward-looking: the standard was defined before the deployment; the audit evaluates the deployment against it. Compliance frameworks cannot anticipate the specific failure modes of novel AI deployments; they can only codify what has been identified and standardized. The EU AI Act, NIST AI RMF, and ABA Formal Opinion 512 are compliance frameworks. They are necessary and not sufficient for governing AI in production.
A protocol specifies in advance how actors behave at a handoff point, without requiring shared goals or central enforcement. The pull request protocol in software development is an example: it specifies how code moves from a developer's branch to the shared codebase (branch → commit → review → approve/reject → merge), without requiring a manager to review every commit. The protocol governs the handoff; the engineers operate within it autonomously. Venkatesh Rao defines protocol as "a stratum of codified behavior that allows for the construction or emergence of complex coordinated behaviors at adjacent loci."10 Protocols scale because they do not require central authority at every handoff. Alfred North Whitehead observed that "civilization advances by extending the number of important operations which we can perform without thinking of them."11 Protocols are that mechanism: they convert governance from a discretionary act requiring oversight into an automatic one requiring only design.
AI governance requires this property. The AI system and the human reviewer do not share goals: the AI system is optimizing for output generation; the human reviewer is optimizing for output quality. No central authority can monitor every AI interaction at organizational scale — at 84% developer adoption with 11% of PRs opened by agents (Uber's March 2026 figures), the volume already exceeds any reviewer's span of attention. A protocol is the coordination mechanism that scales to those conditions.
Ontological drift: the mechanism of ungoverned AI production
The absence of a governing protocol creates a specific failure mechanism in AI-enabled organizations: ontological drift. In traditional software development, the cost of documentation and specification is high; the cost of changing a term's meaning midstream is low (you update the docs). The LLM era inverts this: "LLMs make documentation, specifications, diagrams, and written artifacts essentially free — but they make ontological drift extremely expensive. When agents, tools, and auto-generated artifacts depend on stable definitions, changing the meaning of a term or schema midstream breaks everything."12
The implication is structural. AI-enabled organizations must front-load precision. Definitions must be stable before deployment begins. The protocol layer — the specification of what a term means, what output format a handoff requires, what "verified" means for a given function — cannot be negotiated in production. Sachin Benny observes: "Organizations compensate by freezing definitions, front-loading clarity, and minimizing mid-cycle reinterpretation. This is a return to Waterfall — not because people suddenly prefer big plans but because the communication structure that Waterfall requires (stable meanings, fixed interfaces, slow-changing schemas) now incurs the lowest transaction costs."13 This is a rational response to the cost structure of probabilistic systems: you cannot fix the ontology in production, so you must fix it before production.
The governing protocol is the mechanism through which ontology is stabilized. Without it, organizations encounter ontological drift at scale — and that drift is the Level 2 failure mode.
From smooth space to striated space
Rao's framing from "Constructing the Evil Twin of AI" captures the maturity arc: "protocols turn smooth behavior spaces (such as open, unbuilt terrain) into striated behavior spaces (such as a system of roads)."14 Without governing protocols, AI operates in smooth space — producing any output, accessing any data, making any claim. Smooth space has no defined lanes, which means it has no meaningful metrics.
Protocol design converts smooth space into striated space: defined lanes, handoff points, escalation triggers, feedback loops. Maturity is the progressive striation of AI behavior across an organization's functions. Each maturity level represents a specific degree of striation — and the failure mode at each level is what happens at the boundary of the striated zone, where the organization's governing protocols end and smooth space begins.
Protocols trade problems; they do not eliminate them
Protocols do not eliminate problems. They trade one class of problem for another. The "Table: Learning to See Business Protocols" documents this pattern across physical and institutional contexts: every protocol that solves the coordination problem of one system creates the coordination problem of the next.15 The ISO shipping container solved the coordination problem of incompatible cargo handling — and created the coordination problem of containerized port congestion, global supply chain fragility, and a shared attack surface that NotPetya found useful in 2017. The protocol was the right trade. But the trade is real, and the new problem is predictable in structure even if not in timing.
The same pattern drives each level of this model. Level 2 (Sanctioned access) solves the problem of invisible AI use — and creates the problem of unverified AI output at scale. Level 3 (Designed workflows) solves the output quality problem — and creates the problem of temporal divergence between AI-accelerated functions and the human review infrastructure around them. Level 4 (Infrastructural) solves the intra-organizational bottleneck — and creates the problem of sector-level fragility when infrastructure fails. The model is a map of predictable trades, not a set of aspirational targets.
Five terms this model depends on
These terms carry specific meanings throughout this paper. Where they diverge from common usage, the divergence is intentional.
Protocol
A coordination mechanism that specifies in advance how actors behave at a handoff point, without requiring shared goals or central enforcement. Distinct from policy (requires central enforcement to function) and process (describes sequence, not coordination across actors with different goals).
Governance
The set of protocols through which an organization decides which AI outputs to accept, verify, or reject. Distinct from compliance (adherence to external standards) and oversight (monitoring after the fact, not designing the handoff).
Uncertainty
The irreducible non-determinism of AI outputs — same input, different output, failure distribution not fully characterizable in advance. Distinct from risk (calculable probability) and error (implies a definable correct answer). Governing uncertainty requires protocol design; governing risk requires probability management.
Maturity
The precision with which an organization's governing protocols specify the boundary between AI autonomy and human judgment. A property of coordination design, not of tools, adoption rate, or compliance coverage.
Bottleneck
The function where the gap between AI exposure and protocol precision is largest and highest-stakes. The bottleneck constrains the organization's effective governance level regardless of how mature other functions are. Identifying the bottleneck is the primary diagnostic task.