June 3, 2026

The Difference Between Reporting AI Governance and Doing It


Contributing Authors

Andrew Clearwater

Last week, the OECD launched HAIP 2.0 (Hiroshima AI Process Reporting Framework) with commitments from over 50 organizations. It’s a milestone in international AI governance. The framework improved meaningfully: it’s more role-aware, more accessible to smaller organizations, and better connected to actual tooling. 

But buried in the framework’s own FAQ is a sentence that every AI governance practitioner needs to keep in mind: 

“The Secretariat will not assess or verify the substance of submissions.” 

What Reporting Captures — and What It Doesn’t 

HAIP reports describe governance practices in the past tense. They document policies that exist, tools that are deployed, processes that were followed. They are, by design, a retrospective snapshot. 

That’s valuable. Comparable, structured disclosure across organizations is genuinely useful for policymakers, researchers, and the governance community. We need more of it, not less. 

But here’s what a HAIP report cannot tell you: 

  • What AI decisions were made in your organization last Tuesday 
  • Whether the model deployed last month went through your risk classification process 
  • Which agent is currently running without a documented owner 
  • Whether the override approved under deadline pressure last quarter was justified or a gap 
  • What changed after the last report was filed 

These are the questions that determine whether your organization is actually governing AI, or just describing governance that was happening at the time someone filled out a form. 

Reporting is a photograph. Active governance is the building. 

The Retrospective Trap 

There’s a pattern emerging in enterprise AI governance that’s worth naming directly: organizations investing heavily in compliance documentation while their AI environment outpaces the documentation process. 

It looks like this. A governance team produces a thorough risk assessment for a generative AI deployment. The assessment is filed, reviewed, and approved. Six months later, the model has been updated twice, the use case has expanded, three new integrations have been added, and nobody has revisited the original risk classification. The documentation says one thing. The live environment is something else entirely. 

This isn’t negligence. It’s the natural result of treating governance as a documentation exercise rather than an operational discipline. The report gets done. The underlying conditions change. The gap widens silently. 

Three Things That Live Outside the Report 

When we talk to governance practitioners about where their programs are most exposed, the same three areas come up consistently. None of them are well-served by periodic reporting. 

1. The decision that happened last week 

Every consequential AI decision is a governance moment. Most organizations have no systematic way to capture these decisions as they happen. They surface later, in audits or incidents, when the context that would have made them defensible has long since been forgotten. 

Active governance means the decision and its justification are documented at the moment it occurs. 

2. The AI you don’t know you have 

The average enterprise has AI running in places its governance team hasn’t inventoried. Shadow AI is one of the most consistent findings in enterprise AI risk assessments. You cannot govern what you cannot see. 

Voluntary reporting frameworks ask organizations to report on what they know about. They have no mechanism to surface what’s operating outside the governed perimeter. That requires continuous discovery. 

3. The policy that isn’t being enforced 

Governance policies that live in documents are not the same as governance policies that are enforced. An organization can have a well-written, ISO 42001-aligned AI risk management policy that its AI agents routinely operate outside of, simply because there’s no mechanism connecting the policy to the runtime behavior. 

The gap between stated governance and actual behavior is where liability accumulates. Reporting frameworks can only see the stated governance. Active governance systems can see both. 

What “Active” Actually Means 

Active governance is a simple idea with significant operational implications: governance controls operate continuously, at the point where AI decisions are made, rather than periodically in documentation cycles. 

In practice, it means: 

Policies enforced at runtime. Rules about what AI agents can access, how they can handle sensitive data, which decisions require human review. 

Continuous inventory. Every AI agent, model, and workflow is tracked as it’s deployed or discovered. 

Decision logging at the source. When an AI agent makes a consequential decision, that action is logged with full context automatically. Not reconstructed. Logged.

Risk classification before deployment. AI systems are classified by risk level before they run, so high-risk actions are caught at the gate rather than investigated after an incident. 

Human-in-the-loop where it matters. Not every AI decision needs human review. But some decisions do: high-risk classifications, policy edge cases, novel use cases without precedent. Active governance routes those decisions to the right reviewer automatically, so oversight happens without becoming a bottleneck. 

How HAIP 2.0 Fits Into an Active Governance Program 

None of this is an argument against HAIP 2.0 or voluntary reporting frameworks. Disclosure norms matter. International comparability matters.  

But for organizations building serious AI governance programs, the relationship between reporting and active governance needs to be understood clearly: 

Reporting is the output of governance, not the input. A well-run active governance program generates the evidence that makes a HAIP report substantive: documented risk assessments, classification records, decision logs, policy enforcement history. Organizations that govern actively can produce those reports quickly and accurately. Organizations that govern through documentation alone will struggle to produce reports that mean anything. 

The HAIP framework’s seven thematic areas are a useful governance checklist: risk identification, evaluation and testing, transparency, governance structures, content authentication, AI safety research, and global interests.

The September 2026 deadline is a useful forcing function. If your organization is considering submitting a HAIP report in the first cohort, use the framework as a self-assessment now. Walk through each thematic section and ask: do we have active evidence for this, or just a policy that says we do? The gap between those two answers is your governance program’s current exposure. 

The Question That Changes Everything 

There’s one question that separates organizations that are governing AI from organizations that are documenting governance: 

If something went wrong in our AI environment yesterday, would we know it today? 

Not in six months when the next compliance review is due. Not when an auditor asks. Today. 

For most organizations, the honest answer is no. It’s an operational problem. It’s the difference between a governance program built around documentation cycles and one built around continuous visibility, runtime enforcement, and decision-level accountability. 

What This Means for Your Program 

If you’re building or maturing an AI governance program, three practical implications follow from this: 

Treat your HAIP report as a diagnostic, not a deliverable. Before you file, or before you use the framework as a reference, work through the seven thematic areas against your live environment. The gaps between documented policy and operational reality are where your governance program needs to focus. 

Build governance into the deployment workflow, not alongside it. The highest-leverage intervention in AI governance is the moment a new AI system or agent enters your environment. That’s when risk classification, ownership assignment, and policy alignment are easiest to establish. Every system that bypasses that moment creates a retrospective problem. 

Invest in visibility before you invest in reporting. Organizations that can’t answer “what AI is running in our environment right now?” are not ready to make voluntary disclosures meaningful. Discovery and inventory are the foundation. Everything else, including HAIP reporting, is built on top of that. 

The governance frameworks are getting better. HAIP 2.0 is evidence of that. But frameworks set the floor. Getting there requires operational infrastructure that keeps governance running continuously, not periodically. 

The difference between reporting AI governance and doing it is whether your controls are enforced at the moment the decision is made. 

That’s the standard worth building toward. 

Ready to move from documenting AI governance to doing it? If your enterprise needs continuous visibility, runtime policy enforcement, and decision-level accountability, request a demo to see how Airia operationalizes AI governance with automated guardrails, real-time inventory, and complete audit trails—so governance happens at the moment of decision, not months later.