Digital Content Editor Eve Goode hears exclusively from Konexo’s Babar Hayat, Head of Technology and Transformation; Richard Chudzynski, Partner and Head of Konexo Middle East; and Aben Pagar, Head of Digital Risk Consulting, about governing autonomous AI.
Babar Hayat, Head of Technology and Transformation
Where do governance frameworks face the biggest challenges when being applied to real AI systems?
The biggest challenge is the gap between static governance frameworks and dynamic AI systems.
Many frameworks assume predictable behaviour, clear ownership and linear decision-making, while real-world AI is probabilistic, continuously learning and often embedded across multiple systems.
Operationalising governance into engineering workflows, model pipelines and third-party tooling remains difficult.
Accountability also blurs when decisions emerge from complex model interactions rather than explicit rules.
What controls are proving to be the most effective as AI becomes more autonomous?
The most effective controls are layered and baked directly into system design.
These include human-in-the-loop escalation thresholds, model monitoring for drift and bias, automated kill switches and strong access controls over model retraining.
Explainability tooling and logging are also critical. Controls that operate continuously outperform one-off approvals or policies that rapidly become outdated.
What does good governance look like in an AI system?
Good governance is practical, measurable and adaptive. It aligns risk appetite, ethics and regulatory requirements with how models are built, deployed and supervised.
Clear ownership, decision traceability, documented model intent and real-time oversight are key.
Ultimately, good governance enables innovation while ensuring AI remains aligned with business objectives and societal expectations.
Richard Chudzynski – Partner and Head of Konexo Middle East
Where are you seeing AI regulation evolve most effectively right now?
The most effective evolution is happening where regulators combine principle-based rules with clear operational expectations.
This is true of the Middle East; in particular, in the UAE and the Kingdom of Saudi Arabia, we are seeing guidance and soft law focusing on risk-based classification, accountability and governance rather than prescribing specific prescriptive requirements or standalone laws.
This approach gives organisations flexibility while making regulatory intent very clear.
How can accountability be strengthened as AI takes on more decision-making?
Accountability improves when responsibility is explicitly assigned across the AI lifecycle.
This includes named business owners, clear escalation paths and documented decisions around design, deployment and use.
Organisations also need evidence and, of course, a human in the loop.
Logs, audit trails and explainability artefacts allow decisions to be reviewed, challenged and corrected when issues arise.
What should organisations focus on to stay ahead of the emerging regulations?
Organisations should focus on building strong governance foundations.
This includes AI inventories, risk assessments, model oversight and training for boards and senior management.
I cannot emphasise training and AI literacy enough; it will be key that across the organisation everyone is upskilled to get the best out of the technology and stay within the realm of the policies and regulations, as well as the ethical boundaries.
Firms that embed governance and training into operating models will adapt far more easily as regulations evolve across jurisdictions.
Aben Pagar – Head of Digital Risk Consulting at Konexo
How can boards take a more confident approach to managing risk with autonomous AI?
Tone from the top is fundamental to managing AI risk effectively.
Boards play a critical role in setting expectations by clearly articulating that the responsible use of AI is a strategic business priority, not a peripheral technology concern.
When leadership visibly reinforces the importance of AI governance, it signals to the organisation that AI risks are to be taken seriously, understood and actively managed.
A clearly defined risk appetite is central to building confidence in the use of autonomous and advanced AI systems.
Boards should be explicit about what levels of risk are acceptable, where human intervention is required and how trade‑offs between innovation, efficiency and control should be managed.
This provides management with a clear framework within which to deploy AI responsibly, rather than relying on ad hoc decision‑making.
Confidence also comes from assigning clear roles and responsibilities across the organisation.
AI risk cannot sit solely with technology teams. Effective oversight requires shared ownership across the business, including leadership, risk, legal, compliance, data, security and operations.
Each function must understand its role in managing AI risk across the lifecycle, from design and deployment through to monitoring and incident response.
Ultimately, organisations that treat AI risk as an enterprise‑wide business initiative are better positioned to harness the benefits of AI while maintaining control, trust and resilience.
Board engagement, clarity of accountability and alignment with business strategy together enable a more confident and sustainable approach to AI adoption.
Where are organisations making the most progress in understanding AI risk?
The most meaningful progress in understanding and managing AI risk is being made where organisations treat it as an enterprise‑wide risk rather than a narrow technology issue.
Firms that bring together legal, compliance, risk, security, data and engineering functions are developing far more mature and practical approaches to AI governance.
This cross‑functional collaboration enables a more balanced view of risks such as bias, accountability, operational resilience and third‑party dependency, which rarely sit neatly within a single function.
One area where this maturity is most evident is data privacy.
Given its regulatory intensity and enforcement history, organisations have invested significant effort in understanding how AI systems use personal data.
There is increasing clarity around lawful bases for training models, proportionality of data use, transparency obligations and the management of data subject rights.
Privacy has therefore become a natural entry point for broader AI risk discussions across the business.
Contracts are another domain where organisations are making tangible progress.
As a starting point, many are strengthening contractual protections to address AI‑related risks, including liability allocation, audit rights, transparency requirements and responsibilities when AI‑driven outcomes go wrong.
While contractual clauses alone are not sufficient, they play an important role in clarifying expectations and reinforcing accountability across internal teams and third parties.
Overall, organisations that approach AI risk through an integrated legal, operational and governance lens are developing a far more resilient understanding of both opportunity and exposure.
How can incident response improve to keep pace with AI operating at speed?
As AI systems operate at increasing speed and autonomy, incident response must evolve accordingly.
Traditional response models, which rely heavily on manual detection and escalation, are no longer sufficient. Effective AI incident response needs to be faster, more automated and explicitly designed to account for AI‑driven behaviour.
Organisations are making progress where they introduce predefined AI-specific incident scenarios and procedures.
These include model drift, unexpected decision patterns, bias amplification, data leakage, hallucinated outputs and unsafe autonomous actions.
Mapping these scenarios in advance allows response teams to move quickly rather than debating root causes in the middle of an incident.
Automation also plays a critical role.
Continuous monitoring, automated alerting and real‑time performance thresholds help detect issues early, while rapid rollback or model shutdown mechanisms provide a practical way to contain harm.
These controls are particularly important where AI systems are embedded into operational or customer‑facing processes.
Tabletop exercises tailored specifically to AI failures are becoming an essential capability.
Unlike traditional cyber simulations, these exercises test decision‑making around accountability, regulatory notification, customer impact and business disruption caused by AI behaviour rather than system outages alone.
Finally, clarity is needed on when AI behaviour moves from expected performance variance into a reportable incident.
Not every unexpected outcome represents failure, but without clear thresholds and escalation criteria, organisations risk under-reporting serious issues or over-reacting to normal model behaviour.
Strong governance, combined with AI-aware incident response, is critical to maintaining trust, resilience and regulatory confidence.
