DataData Governance

Data governance in 2026: why compliance alone is no longer enough

Regulatory pressure on data has never been higher, but CDOs who treat governance purely as a compliance function are already falling behind. The organizations pulling ahead are the ones treating governance as a business capability with measurable commercial value.

July 4, 2026

A global financial services firm recently discovered that 34% of the data feeding its credit risk models had no documented lineage. The models were running. The decisions were being made. The exposure was invisible until an internal audit surfaced it. This is not an edge case. It is a pattern playing out across industries where data infrastructure outpaced data accountability by several years.

The irony is that most of these organizations have a data governance program. They have policies. They have a data catalog, probably from Collibra or Alation. They may even have a Chief Data Officer. What they often lack is governance that actually connects to how data moves, gets used, and generates risk in practice.

The governance pressure is structural, not cyclical

The EU AI Act entered phased enforcement in 2025 and now applies substantive obligations to any organization deploying high-risk AI systems in European markets. Those obligations land squarely on data: training data documentation, bias assessment, data quality standards for model inputs. For any CDO with exposure to EU markets, this is not a future consideration.

DORA (the Digital Operational Resilience Act) adds another layer for financial institutions, requiring documented data asset inventories as part of ICT risk management frameworks. The SEC's climate disclosure rules, despite ongoing legal challenges in the US, have pushed large public companies to think seriously about data lineage for ESG metrics. The regulatory surface area is widening.

At the same time, the AI buildout inside large enterprises is creating governance debt at speed. When a business unit spins up a retrieval-augmented generation tool on top of internal documents, someone needs to have answered several questions before that goes into production: which documents are included, who owns them, are any of them restricted under contract or data residency rules, and what happens when the model surfaces outdated information. In most organizations in 2026, those questions are being answered late, if at all.

The underlying dynamic is that AI deployment cycles are operating on sprint timelines while governance frameworks are still designed around quarterly review cadences. That mismatch is where the real risk accumulates.

What this means for the CDO

The CDO role in this environment has a specific tension to manage. The pressure from the business is to move fast and enable AI use cases. The pressure from legal, compliance, and increasingly from the board is to demonstrate control over data. Both pressures are legitimate. The problem is that most governance frameworks were built to satisfy the second pressure, not to coexist with the first.

The CDOs making progress on this are doing a few things differently.

They are treating data products as the governance unit, not datasets. When a team publishes a data product to an internal marketplace (as seen in organizations adopting data mesh architectures), governance requirements attach to the product at creation: ownership, classification, quality SLAs, access policy, and retention rules. This shifts governance from a retrospective audit function to a production requirement. Zalando and Saxo Bank have both been cited publicly for early data mesh implementations where this model was operationalized, though the specifics of their governance integration vary.

They are also separatingdata quality ownership from data stewardship as a job title. In too many organizations, the data steward is a mid-level analyst who inherits responsibility for data quality without authority to change the upstream systems producing bad data. That structure generates documentation without fixing problems. Effective governance assigns quality accountability to the domain teams closest to the source systems, with escalation paths that actually reach engineering and product ownership.

On the AI governance side specifically, the CDO needs to be in the room when new AI applications are scoped, not brought in afterward to retrofit compliance documentation. This requires a working relationship with the CTO and with the heads of each business domain that is different from the traditional CDO posture of policy custodian. It means the data governance function has to speak fluent product and engineering language.

There is also a harder conversation about the data catalog. Most organizations invested heavily in catalog tooling between 2019 and 2023. Adoption has been inconsistent. According to Gartner (figures from their 2023 data management survey), fewer than 30% of organizations reported that their data catalog was actively used by non-technical business users. If the catalog is only used by data engineers during onboarding projects, it is not functioning as a governance instrument. The CDO needs to audit actual usage patterns before assuming the investment is working.

Practical actions worth prioritizing now

  • Run a governance coverage audit specifically for AI inputs. Map which datasets are currently feeding production AI or ML systems and check which ones have documented owners, quality standards, and lineage. The gaps in that map are your immediate risk register.
  • Establish a lightweight AI intake process requiring domain teams to complete a short data governance checklist before new AI tools move to production. Keep it short enough to be completed in under two hours. Bureaucratic friction kills adoption; a four-question checklist does not.
  • Revisit data product ownership structures if you have moved toward a federated or mesh architecture. Federated governance only works if domain ownership is real, meaning the domain teams have both the accountability and the tooling to act on it.
  • Get specific about which regulatory obligations apply to your data assets in 2026. The EU AI Act, DORA, sector-specific rules, and data residency requirements under GDPR all have different scopes. A single governance framework that tries to satisfy all of them generically will satisfy none of them well.
  • Measure catalog and lineage tool adoption by actual usage metrics, not by license deployment. If your Collibra or Atlan instance has 200 registered users and 15 monthly active ones, that is a signal worth acting on before your next tool renewal.

The organizations that will have defensible data governance in three years are the ones building it into how data products are created and deployed today, not the ones adding documentation layers on top of existing processes. The difference between those two approaches is already visible in audit outcomes and in how quickly AI applications get to production without incident.

Finished reading?

Validate your read to earn XP and feed your radar.