When Your Government Can't Agree With Itself on AI, What Hope Does Your Board Have?

Germany's banking regulator just joined an emergency AI summit. Four days earlier, Germany's Chancellor demanded we stop regulating AI so aggressively. Same country. Same week. Same technology.

If a sovereign government can't reconcile whether AI is the threat or the opportunity, I'm not sure why we expect corporate boards to have it figured out by next quarter.

The Week Everything Contradicted Everything Else

At Hannover Messe last week, Chancellor Merz called for exempting industrial AI from "the current regulatory straightjacket." He wasn't wrong — Germany's manufacturing sector is watching competitors deploy AI while they navigate compliance frameworks designed for a different era.

Four days later, BaFin (Germany's financial regulator), the European Central Bank, the Bank of England, ASIC, and South Korea's Financial Supervisory Service convened emergency meetings on AI risk to financial stability. They weren't wrong either — algorithmic trading strategies are evolving faster than regulators can stress-test them.

Across the Atlantic, the picture gets even messier. The NSA is actively deploying Anthropic's Mythos AI system while the Pentagon has formally flagged the same vendor as a supply-chain risk. The left hand is integrating what the right hand is red-flagging.

This isn't bureaucratic dysfunction. This is what happens when a technology is simultaneously the biggest competitive advantage available to us and the most significant systemic risk in front of us.

I've Seen This Meeting Before

Every firm I'm working with right now is running the same internal argument. The board wants AI adoption metrics for the next earnings call. The risk committee wants AI controls before something breaks publicly. The CFO is asking which mandate takes priority.

This month, that exact tension escalated to a head of state. His answer was "both" — accelerate industrial AI, tighten financial AI oversight. And here's the uncomfortable part: he's right.

You cannot deregulate AI into growth and regulate it into safety at the same time. But every government, every board, and every professional services firm is going to try. The question isn't whether you'll manage the contradiction — it's whether you'll manage it with a framework or with chaos.

We've Run This Experiment Before

The closest historical parallel I've lived through is cloud adoption, circa 2012.

Every CISO memo said "no sensitive data in the cloud — security risk, compliance risk, vendor lock-in risk." Every business unit memo said "we need cloud infrastructure to survive — our competitors are moving faster, our costs are unsustainable, our talent wants to work with modern tools."

Both were correct. The firms that treated it as a binary choice — cloud skeptics versus cloud evangelists — lost. The firms that built a unified governance framework won.

The winners didn't ask "should we adopt cloud?" They asked "how do we govern cloud as a critical dependency?" They created cross-functional frameworks where security, compliance, and business strategy reported to the same executive. They moved fast with controls, not fast versus controls.

The losers left the tension unresolved. Their "cloud strategy" was written by whichever business unit moved fastest. Finance spun up AWS instances for month-end close. Marketing bought SaaS tools with credit cards. IT discovered the architecture six months later during a security audit.

AI is that same tension at ten times the speed — with one critical difference. Cloud was infrastructure. AI is decision-making. When cloud failed, systems went down. When AI fails, the decisions keep executing.

The Gap Is the Strategy

Here's the pattern I'm seeing in client conversations: firms that think they have an "AI strategy" usually have an AI adoption roadmap. They know which departments are piloting which tools. They've got vendor evaluations and proof-of-concept timelines.

What they don't have is an answer to this question: who owns AI adoption, and who owns AI risk?

If those are two different people who haven't met this quarter, the gap between them is your actual AI strategy. You're just not writing it. The business units are writing it for you, one tool at a time.

I was on a call last month with a risk committee that discovered — during the meeting — that their sales team had been using an AI tool to generate client proposals for nine months. Nobody escalated it because it wasn't "strategic AI." It was just a Chrome extension that happened to be feeding client data to a third-party model with no vendor agreement, no data residency review, and no understanding of where the training data came from.

That's not a failure of policy. That's a failure of governance structure. The risk team was asking the right questions about AI. They were just asking them in a room the business units had already left.

There Is No "AI Strategy"

Every board deck I've reviewed in the past six months has a section titled "AI Strategy." Half of them are adoption roadmaps. The other half are risk frameworks. Almost none of them are the same document.

Here's what I think is true: There is no "AI strategy." There is "how we govern a critical dependency" — and whether you wrote it or let the business units write it for you.

The firms that will survive this cycle are the ones treating AI the same way they treat financial controls, third-party risk, or business continuity: as a governed critical dependency that runs through every function, not a strategic initiative that belongs to one.

That means:

• The same executive owns AI adoption velocity and AI risk mitigation

• Security, compliance, and business strategy are in the same room before the pilot starts, not after the audit

• "AI governance" isn't a quarterly committee — it's the layer that sits between tools and deployment

The firms that will struggle are the ones still treating this as a choice between innovation and risk management. It's not. It's a choice between governed innovation and ungoverned innovation.

What This Looks Like Monday Morning

If you're sitting in a leadership meeting this week and someone presents an "AI strategy," ask one question:

Who owns AI adoption here, and who owns AI risk? If those are two different people, when was the last time they built something together?

If the answer is "they meet quarterly to review policy," you're already behind. Policy is what you write after you've built the governance structure. If risk is reviewing what business units already deployed, you're governing in past tense.

The German government is wrestling with the same contradiction your board is facing. Chancellor Merz is right that overregulation will calcify competitiveness. BaFin is right that underregulation will destabilize financial systems. The NSA is right that AI offers operational advantage. The Pentagon is right that AI introduces supply-chain risk.

All of them are correct. The only wrong answer is pretending you can resolve the tension by picking a side.

Build the structure where both mandates report to the same leader. Make AI governance the layer between experimentation and deployment, not the audit that happens afterward. Move fast with controls, not fast versus controls.

Or let the business units write your AI strategy for you, one unapproved Chrome extension at a time. But when the board asks why nobody flagged the risk, don't say you didn't see this coming. Germany's Chancellor and Germany's banking regulator both saw it — they just saw different parts of the same problem.

The firms that win will be the ones who saw both.

What to do this week: Pull your AI adoption roadmap and your AI risk framework. If they were written by different teams, in different formats, for different audiences, you've found the gap. The work isn't choosing between them. The work is building the governance layer that makes them the same document.

If you're running this conversation at your firm and want to compare notes on what's working, let's talk.