Chair Sessions Podcast: Why AI Governance Can No Longer Wait
Lewis Ho, CEO of LexGuard AI, recently joined Eric Thain on Chair Sessions to discuss the growing gap between rapid AI adoption and effective governance. The conversation explored key enterprise risks and the need for cross-functional governance structures.
Lewis Ho

LexGuard AI CEO Lewis Ho recently joined Eric Thain, Chair & Founder of the Artificial Intelligence Society of Hong Kong (AISHK), for a Chair Sessions discussion on one of the most urgent issues facing organizations today: the widening gap between AI adoption and AI governance.
The conversation focused on a problem many leadership teams are now confronting in real time. AI tools are entering the business faster than policies, controls, and governance structures can keep pace. In practice, that means organizations may be creating legal, operational, and reputational exposure without fully recognizing it.

Key themes from the discussion
1. AI adoption is creating a governance gap
Many organizations are approaching AI primarily through the lens of productivity, efficiency, and innovation. But without clear internal guardrails, rapid adoption can outpace legal review, risk management, procurement discipline, and management oversight.
This gap is becoming a business issue, not just a legal or technical one.
2. Shadow AI is already an enterprise risk
A major topic in the discussion was Shadow AI: the use of unapproved external AI tools by employees to meet business demands. While often well-intentioned, these practices can create serious questions around confidentiality, data handling, intellectual property, and accountability.
When staff input business information into external systems without proper oversight, the organization may be exposed long before leadership recognizes the risk.
3. The “Procurement Trap” is often overlooked
The session also examined what Eric Thain has described as the Procurement Trap: organizations moving quickly into AI-enabled tools or vendor relationships without fully understanding the legal, operational, and data-governance implications embedded in standard terms.
This is especially important where vendor contracts do not clearly address issues such as data use, model training, liability allocation, confidentiality protections, human oversight, and audit rights.
4. AI governance must be cross-functional
One of the clearest takeaways from the discussion was that AI governance cannot sit within one function alone. Legal, compliance, procurement, IT, security, HR, and business leadership all have a role to play.
A practical governance model requires:
clear ownership
decision-making pathways
documented policies
internal escalation mechanisms
review processes for vendors and use cases
training that reflects how AI is actually being used across the organization
5. Leadership cannot wait for perfect regulation
The discussion also touched on Hong Kong’s evolving regulatory landscape and the broader reality that many organizations are operating without a single comprehensive AI law to anchor every decision.
That does not reduce the need for action. It increases the importance of internal governance. Boards and senior management still need to make decisions about acceptable use, risk tolerance, internal controls, data protection, and accountability.

Why this matters for business leaders
For senior management, AI governance is no longer a peripheral compliance issue. It directly affects:
protection of proprietary data and IP
vendor and procurement risk
regulatory readiness
employee conduct and internal controls
operational resilience
board confidence and management accountability
Organizations that treat AI governance as an afterthought may find themselves reacting to issues that could have been prevented with clearer structure and earlier intervention.

LexGuard AI’s perspective
At LexGuard AI, we believe most companies make one of two mistakes: they treat AI risk as only a legal issue, or only a technical issue. In reality, it is a business governance issue that requires a coordinated, practical response.
The Chair Sessions discussion reinforced a simple but important point: AI governance is now a leadership priority. The organizations that move fastest and most safely will be those that pair innovation with practical controls, clear accountability, and cross-functional coordination.
If your organization is reviewing contracts, policies, procurement workflows, or internal governance structures in light of AI adoption, LexGuard AI can help assess the gaps and build a more defensible framework. Contact us today.

1. What is AI governance and why does it matter for companies?
AI governance is the framework of policies, oversight, controls, and accountability a company uses to manage how AI tools are adopted and used. In the transcript, AI governance is framed not just as a legal or technical issue, but as a business survival issue. Without governance, companies risk exposing confidential data, breaching privacy obligations, signing unsafe vendor terms, and losing strategic control over how AI is used across departments.
2. What is shadow AI and why is it a risk to businesses?
Shadow AI refers to employees using AI tools without formal company approval, oversight, or policy guidance. This can include pasting work documents into chatbots, using personal AI accounts for business tasks, or relying on unapproved AI tools. The risk is that sensitive company, customer, or employee data may be shared without management knowing, potentially creating privacy, compliance, and confidentiality issues.
3. Why should companies have an AI policy before adopting AI tools?
Companies should have an AI policy before adopting AI tools because once employees or departments begin using AI, data and governance risks can arise immediately. A policy helps define what tools are allowed, what data can be shared, who approves procurement, and how staff should use AI responsibly. As highlighted in the discussion, trying to create policy months after adoption may be too late because the company may already have exposed data or accepted risky vendor terms.
