One of the dominant patterns I’m seeing in 2026 is the “AI Office” — an internal team appointed to handle AI strategy, AI policy, and AI risk on behalf of the organization. The brief is usually broad: figure out what AI we’re using, write the governance policies, train the people, satisfy the regulators.

It’s the wrong organizational design. We made the same mistake with cybersecurity ten years ago, and it took most enterprises a decade to undo it.

The Promise

There is real value in a centralized AI function. Someone needs to maintain the inventory of AI systems in use. Someone needs to write the policies. Someone needs to be the single point of contact for the procurement team when a new AI vendor shows up, for the legal team when an AI-related contract clause needs review, for the regulator when an EU AI Act compliance question arrives. A central function reduces friction, prevents duplicated effort, and creates accountability that is at least findable on an org chart.

Centralized AI governance functions also serve a real internal-marketing purpose. They signal to employees that the organization takes AI seriously. They give the board someone to call. They make the EU AI Act Article 4 literacy training programmatic rather than ad hoc. This is the promise. It’s worth pursuing.

The Risk

The risk is the one cybersecurity discovered painfully between 2010 and 2020. When you create a department called “AI” and tell the rest of the organization that AI is now handled, the rest of the organization stops thinking about AI. The customer service team using a generative tool to draft responses doesn’t think they’re operating an AI system. The HR team using an automated screening tool doesn’t think they need to ask whether it’s biased. The product manager incorporating an LLM into a customer-facing feature doesn’t think they need to consult the AI Office until something breaks.

Cybersecurity went through this exactly. The early-2010s CISO model — single executive, single department, single budget line — produced a generation of organizations where the rest of the business assumed cyber risk was someone else’s problem. The mature evolution was the opposite: pushing cyber responsibility back into product teams, engineering teams, and business units, with the central function providing tooling, framework, and oversight.

The current AI Office model is the same mistake on a faster clock.

The Verdict

The needle leans toward Promise, but only because the alternative — no central AI function at all — is worse. The mature design is hybrid. A small central team owns the policy framework, the inventory, the regulator-facing relationships, and the framework choice. A distributed model means every team that deploys AI owns its AI risks the same way every team owns its security risks today.

The cybersecurity industry took ten years to get to this hybrid model. AI doesn’t have ten years.

Organizations setting up AI Offices in 2026 are at a fork. They can either bake the distributed-responsibility model into the design now, or they can spend the next decade un-baking the centralized model after it fails to scale.

For the longer analysis → I wrote a longer piece on why information security was never an IT-only function — and why AI governance is following the same arc. The argument is from 2016 but the punch line lands in 2026.

Read Information Security Was Never Just IT's Job. AI Governance Won't Be Either.