“"Cost control is emerging as one of the most effective governance controls because it forces organizations to be explicit about value."
Aaron WellerPrivacy Innovation and Assurance Leader @ HP
Enterprise AI governance is becoming as much an investment discipline as a compliance discipline. After two years of building policies, approval workflows, and governance frameworks, organizations are discovering that not all AI use cases deserve the same level of investment, oversight, or operational support. The discussion is shifting from whether a use case is permissible to whether it is worthwhile.
Aaron Weller leads the Privacy Innovation and Assurance function at HP, where he builds enterprise-scale privacy and AI governance programs that transform regulatory requirements into operational controls. Having spent recent months helping business teams navigate the rapid expansion of AI technologies, he increasingly sees governance and value realization becoming intertwined.
"Cost control is emerging as one of the most effective governance controls because it forces organizations to be explicit about value," Weller said. "If a use case introduces meaningful governance obligations but cannot demonstrate meaningful business value, that should influence whether it moves forward at all."
For years, governance teams focused primarily on risk. Was a solution compliant? Was it secure? Was it introducing regulatory exposure? Those questions remain important. But Weller believes organizations are increasingly asking a second question: what value does the organization receive in exchange for assuming that risk?
"Historically, governance focused on whether something could be done," Weller said. "Now we're increasingly asking whether it should be done. If a use case requires meaningful investment in governance, technical controls, monitoring, and oversight, can the business clearly demonstrate the value it expects to generate? Risk and value have to be evaluated together."
From abstract governance to measurable outcomes: One of the challenges organizations face is that many AI projects were approved before they developed a consistent methodology for measuring success. "We had always asked, 'Is this a duplicative use case? Do you really need to use AI for this? Those questions are a little bit squishy," Weller said. "If we can ask, 'What's your financial model for running this thing and what's the comparison versus the status quo?' Those give us harder numbers." The shift forces organizations to confront a difficult reality: many AI initiatives have strong enthusiasm but weak measurement.
Teams frequently define success through activity metrics such as prompts submitted, documents generated, interactions completed, tokens consumed, or theoretical hours saved. What is often missing is a direct connection to measurable business outcomes. "One of the struggles we're seeing is that organizations can often demonstrate AI usage but not necessarily AI value," Weller said. "The KPI discussion hasn't matured at the same pace as adoption. We need more rigor around defining baselines, measuring outcomes, and validating whether expected benefits actually materialized."
As AI spending becomes more visible, governance teams are beginning to demand the same discipline organizations expect from any significant technology investment. Before approval, teams must increasingly identify business objectives, establish success criteria, define expected outcomes, and explain how value will be measured after deployment. Without that rigor, it becomes difficult to determine whether a use case deserves additional investment, or additional governance attention.
Cost control becomes a governance mechanism: The spending controls have not always kept pace with AI adoption. Vendors have made it remarkably easy for business units to consume AI services while making it considerably harder for enterprises to enforce meaningful spending limits. Weller described situations where organizations could monitor consumption but lacked the ability to establish true preventative controls before spending occurred. That gap increasingly becomes a governance concern. "When governance teams can see risk but can't control consumption, they're left reconciling decisions after the fact," Weller said. "Organizations need the equivalent of financial guardrails for AI just like they have guardrails for cybersecurity, privacy, and access management."
What leaders should be asking: A more useful governance question, Weller said, may be whether AI is the most efficient way to achieve the desired outcome at all. "If an organization spends thousands of dollars every month on AI tools but cannot clearly articulate the business result that spend is producing, it becomes very difficult to determine whether that investment is justified."
Organizations increasingly need to evaluate AI against all available alternatives, including traditional software, process redesign, automation, outsourcing, and additional staffing. "AI shouldn't receive a free pass simply because it's innovative," Weller said. "It should be evaluated like any other investment. The question we should be asking isn't about the cost of technology. The real question should be what is the cost per outcome."
Model selection increasingly involves balancing price, cybersecurity requirements, export controls, privacy obligations, sustainability targets, and operational complexity. While some business units may see immediate savings from cheaper models, the governance consequences often land elsewhere. "If financial controls are weak, there could be a temptation for business units to effectively capture AI benefits on their P&L and then shift the governance load to centralized functions," Weller said.
Build the controls once: Rather than relying on manual reviews for every new use case, Weller advised that organizations should build governance into their foundations so that new AI deployments inherit controls automatically. "The more controls we can build in at the foundation of the platform layer, every time you then try and do something new, it's that much easier because you've already got 80% of the controls," he said.
A solid foundation: Data classification, sensitivity tagging, access boundaries, privilege management, monitoring, and auditability all form part of the foundation. "Have we tagged our data, so we know what's sensitive? If we have good tagging, we can do that triage automatically," Weller said.
He refers to governance as the selective application of friction. "We want to apply the friction to slow down the risky stuff and make sure the value justifies the investment. Then we should work relentlessly to remove that friction everywhere else." In that world, governance is no longer merely a mechanism for avoiding mistakes. It becomes a system for ensuring that enterprise AI is deployed where it can create the greatest value with the greatest confidence.





