After 25 years securing systems across healthcare, manufacturing, high-tech, and SaaS, the AWS Security Technical Program Manager sees the next enterprise risk clearly: AI governance cannot live in policy documents.
Vinod Kumar has watched enterprise technology change enough times to recognize the danger in a familiar sentence: “We will figure out governance later.”
He heard versions of it when companies moved from on-prem systems into the cloud. He saw it again when compliance work shifted from annual paperwork toward evidence-based programs. Now he sees it in the rush toward artificial intelligence, where companies are adopting tools, vendors, integrations, and internal use cases faster than many security teams can track.
Kumar’s view is direct. AI governance is not something a company can solve by writing a policy, hiring a consultant, and filing a document away. It has to become part of how the organization operates.
“Too many companies are treating AI governance like a binder exercise,” Kumar says. “They want the framework, the policy, and the announcement. But if the documentation does not match what teams are actually doing every day, it will fail the first time pressure hits.”
That pressure is already building. Enterprises are trying to respond to the EU AI Act, NIST AI Risk Management Framework, ISO 42001, state-level AI laws, and sector-specific rules in healthcare and financial services. The result is a rush to show that AI is being managed. Kumar believes that rush can create a false sense of control.
His point is not that frameworks are useless. It is that frameworks are only the beginning. They show what good can look like. They do not run the business.
“ISO 42001, NIST AI RMF, SOC 2, ISO 27001: these are not operating models by themselves,” he says. “They are reference points. The real work is deciding who owns the risk, what evidence proves the control is working, and how that evidence stays current as the system changes.”
Kumar carries that argument into his own work. As a Technical Program Manager at AWS Security, he oversees security reviews of third-party vendors and AI integrations connecting into AWS services. In governance terms, what he does every day is evaluate whether outside systems — including an expanding category of AI tools and services — have built accountability into their design, or simply claimed it in documentation. The gap between those two things is where AI governance most often breaks down.
That work matters because third-party risk has become one of the most important security problems in modern enterprise technology. A company may secure its own systems carefully, then introduce risk through a vendor, integration, data processor, or software service that becomes part of the operating stack.
AI has made that problem harder.
“Traditional vendor risk programs were built for traditional software,” Kumar says. “AI vendors introduce different questions. What data is being used? Where does it flow? How is the model monitored? Who owns the decision? What happens when the tool changes? You cannot answer those questions with a checklist designed for yesterday’s SaaS environment.”
That gap is becoming more serious as AI tools spread across departments. Marketing teams use them. Product teams test them. Engineers integrate them. Employees experiment with them, sometimes without waiting for official approval. This is the shadow AI problem, and Kumar sees it as one of the clearest signs that AI governance has to move from theory into operations.
“You cannot govern what you cannot inventory,” he says. “If an enterprise does not know where AI is being used, what data is entering those tools, and who approved the use case, then it does not have governance. It has hope.”
Kumar’s authority comes from more than his current role. He has spent 25 years building, securing, and governing systems across healthcare, manufacturing, high-tech, and SaaS. He started in IT operations when the cloud was still closer to a physical data center than an abstract service layer. Over time, the problems changed, but the pattern stayed familiar. Organizations adopted new technology quickly, then tried to build the controls after the fact.

That experience shaped how he thinks about AI now. He does not see governance as a soft ethics discussion or a back-office compliance function. He sees it as a discipline that belongs inside engineering, security, procurement, legal, privacy, risk, and leadership.
“Most AI failures in the enterprise will not come from science fiction scenarios,” Kumar says. “They will come from undocumented data flows, untested integrations, weak ownership, and decisions nobody can explain after the fact.”
That is why he believes the best companies will treat AI governance the way strong engineering teams treat reliability. They will not leave it to one department. They will build it into design, deployment, monitoring, vendor review, evidence collection, and incident response.
For Kumar, the argument about AI governance is not purely theoretical. He is an IEEE Senior Member, a designation requiring peer endorsement and held by a small share of IEEE’s global community, and has authored more than 14 peer-reviewed publications and two books across security, AI, and information technology management. Those publications have drawn 78 citations on Google Scholar — including 32 for his paper on AI-Powered Virtual Health Assistants and 16 for his work on Regulating Artificial Intelligence — with citations from researchers at institutions independent of his employers. He has served as a judge for the 2024 and 2025 Globee Awards in the cybersecurity category — one of the most competitive technology recognition programs globally, selecting panelists based on demonstrated domain expertise — and reviews IEEE Senior Membership applications. He most recently delivered a 45-minute session on portfolio thinking at the PMI Palmetto Symposium 2026.
That combination of research and practice matters to him because enterprise security cannot live solely in academic theory, nor solely in day-to-day operations.
“The research world and the operational world often speak past each other,” he says. “Research can be precise but hard to deploy. Operations can be practical but too focused on the fire in front of them. The useful work is in the translation.”
Kumar believes that translation will define the next phase of AI governance. Companies will need to prove not only that they have policies, but that controls are active, decisions are owned, vendors are reviewed, data flows are documented, and risks are being monitored continuously.
He expects ISO 42001 to become as important to AI as SOC 2 became to software trust. “By 2030, ISO 42001 will likely become the SOC 2 of AI,” Kumar says. “The companies that treat it as a living operating discipline now will have an advantage over the companies that wait until customers, regulators, or boards force the issue.”
His advice is simple, but not easy: build the governance infrastructure before scaling the AI.
The alternative is expensive. Organizations that rush ahead often discover later that they have to unwind tools, rebuild workflows, explain decisions, retrain teams, renegotiate vendor relationships, and prove controls they never designed correctly in the first place.
“Later almost always costs more,” Kumar says. “If you build governance after scale, you are fixing the airplane while it is already in the air.”
Kumar’s goal is to help move security and AI governance away from aspiration and into production reality. The future he describes is not about slowing AI adoption. It is about making sure AI can survive contact with real enterprise systems, real evidence requirements, real vendors, and real accountability.
“The organizations that win will not be the ones with the thickest policy documents,” he says. “They will be the ones that can show how governance actually runs every day.”
For more information on Vinod Kumar, visit his LinkedIn.
