The Knowledge-Action Gap in AI: What Real Governance Requires
Most AI governance solutions are repeating the same fundamental mistake that plagued privacy tools for two decades: they can tell you what’s wrong, but they can’t fix it. Modern organizations deploy sophisticated data mapping and AI monitoring tools that generate impressive dashboards and detailed reports, yet when critical failures occur—unauthorized model access, policy violations, or regulatory enforcement actions—these systems offer no operational response.
This catalog-first approach fails because observation without control is not engineering—it’s documentation. While knowing where your data resides is necessary, it’s insufficient for AI systems that can ingest and process vast datasets at speeds that consistently outpace traditional governance frameworks. The gap between knowing what needs to be done and actually doing it creates dangerous exposure, particularly in AI systems where operational guardrails are still under construction.
The Operational Reality of the Knowledge-Action Gap
Traditional data catalogs excel at creating inventories, mapping data flows, and applying classifications. They document where Personally Identifiable Information (PII) exists, how data theoretically flows, and what classifications apply. However, they are not as adept at translating all of that into actions. They can’t prevent unauthorized data access, enforce privacy policies in real-time, or execute complex tasks like Data Subject Access Requests (DSARs) automatically across interconnected systems.
This creates a significant gap between knowledge and action. Engineers know where privacy violations might occur but lack the infrastructure to prevent them effectively. Consider a DSAR: simply knowing where the data lives is insufficient. You cannot document your way out of this situation. You need infrastructure that can automatically discover, retrieve, redact, and manage data across your entire ecosystem within regulatory deadlines.
The 2019 Facebook settlement with the FTC is a stark reminder of the consequences of this gap – a $5 billion fine that could have been prevented with proper operational privacy infrastructure.
AI Amplifies the Knowledge-Action Gap
Enterprise AI environments create exponentially more complex data flows than traditional systems. Machine learning pipelines pull from dozens of data sources, models are trained across distributed computing clusters, and inference engines process user data in real-time. This technical fragmentation is compounded by internal inconsistencies in data labeling and classification.
In these environments, static governance tools are like having a detailed map without the ability to influence where people actually go. Those people can get hopelessly lost.
AI systems are meant to simplify complex tasks and make life easier, but the systems themselves and the data on which they’re trained are opaque and typically unknowable to users. The efficiency and speed of AI systems mean they operate well ahead of manual oversight processes, creating compliance gaps that regulatory bodies are now aggressively targeting.
Recent enforcement actions prove this infrastructure gap is already creating real business consequences. In December, OpenAI agreed to pay a €15 million fine for processing “users’ personal data to train ChatGPT without first identifying an appropriate legal basis”. Regulators in the U.S. have also been paying close attention to how both AI companies and other businesses are handling the intersection of privacy and AI. The Federal Trade Commission in September 2024 announced a broad enforcement action against several companies for deceptive practices around user data and AI, and the commission has made it clear that AI systems are not special unicorns when it comes to privacy.
“Like most AI companies, model-as-a-service companies have a continuous appetite for data to develop new or customer specific models or refine existing ones. This business incentive to constantly ingest additional data can be at odds with a company’s obligations to protect users’ data,[2] undermining peoples’ privacy or resulting in the appropriation of a firm’s competitively significant data. There is no AI exemption from the laws on the books,” FTC staff said.
Current AI Governance Approaches Are Repeating the Mistakes of the Past
The emergence of broad privacy legislation in the U.S. and elsewhere in the 2000s led to the development of a large set of privacy governance and assessment tools that were sold on the promise of discovering potential data privacy concerns in enterprise environments. Those tools were good at data discovery, inventory, and identifying potential issues, but far less effective at providing effective and scalable controls to address those challenges.
Thus far, the rise of the AI machines is closely mirroring this pattern on both the product and controls fronts. AI governance solutions are generally designed to ensure security and mitigate risks in the AI supply chain, but are light on the mitigation piece of that. AI governance involves pinpointing weak points in the AI build pipeline, such as data poisoning, failing to apply access controls, and compromising the deployment process. Frameworks such as MITRE ATLAS are useful for finding potential attack vectors and providing guidance in security planning.
But those only go so far. Enterprises that operate at scale require an approach that can scale with them. Otherwise, they will likely trip on the same obstacles that have been scattered across the privacy governance landscape for the past 20 years.
Building a Unified Control Layer
The solution? Shifting from observation to control. This means building infrastructure that not only tell you where your data is but also control how it moves and is processed. When things go wrong – a misconfigured service tries to read sensitive information, user consent preferences need to be enforced, or regulations require immediate data access restrictions – this infrastructure can proactively address the issue.Engineering Operational Privacy with Fides
Ethyca’s open-source privacy engineering platform, Fides, provides this bridge. It transforms static policies into executable infrastructure, integrating privacy controls directly into development and operational workflows.
Key features include:
- CI/CD pipeline integration: Privacy checks become an integral part of the development pipeline, catching issues before they reach production and keeping data maps synchronized with system changes.
- Automated DSR handling: Fides eliminates the overhead of manual data maps and custom privacy services by providing a unified system that automatically discovers data, enforces labeling, and executes privacy operations.
- Real-time policy enforcement: Static privacy policies are transformed into dynamic enforcement rules, providing real-time validation of data access and processing activities and automating policy updates.
This infrastructure-first approach allows engineering teams to focus on building features while Fides handles the complex task of privacy enforcement.Impact on Business Operations
Operational privacy infrastructure has significant business impacts:
- Risk mitigation and compliance: Automated controls reduce the risk of violations, demonstrating compliance and reducing audit costs.
- Operational efficiency: Manual privacy operations are reduced, allowing for reallocation of engineering resources and faster time-to-market.
- Maximize data ROI: Organizations can launch and scale data-driven initiatives rapidly, building customer trust and turning data assets into business value.
Converting operational improvements into tangible business value is clear. Automated privacy validation prevents costly production rollbacks, automated DSSR orchestration reduces time and effort, and integrated privacy checks allow for parallel development.
The Path Forward
The future of privacy engineering lies in control, not just cataloging. Organizations need infrastructure that enforces policies automatically, handles requests programmatically, maintains consistency, and adapts to changing requirements. Getting there requires some foundational work on the enterprise side, specifically assessing the current state of their knowledge-action gap, identifying areas where AI exacerbates this problem, and then implementing a unified taxonomy for privacy and AI governance and deploying operational controls.
Solutions like Fides transform governance from documentation overhead into competitive infrastructure. By moving beyond “Where is our data?” to building infrastructure that controls how data is processed, accessed, and protected, organizations can unlock rapid data innovation and AI advancement while minimizing privacy overhead. Solutions like Fides empower engineering teams to focus on extracting value from data, transforming privacy from a constraint into a competitive advantage.