Speak Softly and Carry a Big Stick: Why Responsible AI Needs Both Advising and Governance Functions
Imagine an RAI team uncovers serious concerns during a pre-launch review. Their assessment is backed by testing showing the product performs poorly for certain demographics even when it’s functioning as intended. The findings are clear, documented, and communicated to the product team. So are recommended mitigations. The RAI team has done its job: identified the risks, documented the evidence, and recommended a path forward.
Then the product launches anyway.
Nothing in the process required the decision to be reviewed outside the product organization. No escalation was triggered. No executive was asked to formally accept the residual risk. And so, the recommendations remained just that: recommendations. The users that testing flagged as most at risk? They encountered exactly what the assessment predicted because a risk that can't be escalated is a risk that will ship.
The Advising Trap
I often think about Responsible AI structure and function through Theodore Roosevelt's famous phrase: Speak softly and carry a big stick. Most Responsible AI teams have mastered the first half: They speak softly, advise, collaborate and build trust. Unfortunately, many organizations never build the second half.
Responsible AI practitioners are hired to identify meaningful risks before products reach users. To that end, many organizations have invested heavily in testing methodologies, evaluation frameworks, documentation standards, and review processes, while structuring Responsible AI functions primarily around advising product teams. These capabilities matter. They help teams uncover meaningful risks, surface potential harms, and recommend mitigations. But they all serve the same purpose: strengthening Responsible AI's advisory function. What they don't answer is what happens after significant risks have been identified. What good is it to uncover risks and advocate for reducing harms if there is no structure to ensure those risks receive appropriate organizational scrutiny? This is the "speak softly" half. To carry a big stick, Responsible AI teams need the other half: governance.
When I say governance, I do not mean that RAI teams should own every product decision or exercise unilateral veto power. Instead, I mean governance in the sense of providing clear mechanisms for escalation, accountability, and risk acceptance when significant concerns cannot be resolved through collaboration.
More specifically, a Responsible AI governance mechanism answers questions the advisory function cannot, such as:
What happens when a product team chooses not to implement a recommended mitigation?
Who reviews decisions involving significant unresolved AI risks?
When should concerns be elevated beyond the immediate product team?
Who formally accepts the residual risk when Responsible AI disagrees?
In effect, a governance mechanism provides checks and balances to complement product design and RAI advising. Without answers to these questions, governance becomes an implicit process rather than an intentional one.
Governance mechanisms are not a revolutionary idea. Organizations routinely build governance mechanisms into other high-impact functions. Finance has internal controls. Security has escalation paths. Legal can require additional review before launch. These mechanisms don't exist because those functions own the product. They exist because some risks warrant broader organizational accountability. Responsible AI should be no different.
What a Governance Mechanism Actually Looks Like
RAI advising and governing are distinct responsibilities. The advisory function exists to help product teams make better decisions. The Responsible AI governance function, on the other hand, exists for the situations where reasonable people strongly disagree about risk, launch pressure outweighs mitigation efforts, or significant concerns remain unresolved. While those moments are relatively rare, they're also the moments governance was built to address. Without this second capability, Responsible AI teams may identify risks, but they can't ensure those risks receive the level of organizational scrutiny they deserve.
So what does a governance mechanism look like on a practical level?
First, note that "RAI governance mechanism" here refers to the organizational processes that determine how unresolved Responsible AI risks are adjudicated, not to broader regulatory compliance programs or external AI governance frameworks.
The main benefit of an RAI governance mechanism is that it requires organizations to establish clear processes for how significant unresolved risks are handled.
That might include:
Predefined escalation thresholds,
Executive review for particularly severe findings,
Documented rationale when recommendations are declined,
Formal risk acceptance by designated leaders, or
Independent review bodies for exceptional cases.
What warrants escalation in Responsible AI is, in some ways, more of an art than a science. Given how new the space is and how quickly developments in the field move, writing down and applying criteria uniformly can be a difficult prospect. In this context, the RAI governance mechanism exists to hold space for discussion around judgment calls. This is not a flaw in the field. It's a feature of work that sits at the intersection of technical systems and human judgment. The governance mechanism doesn't need to eliminate that ambiguity. Instead, it should be built to hold it and ensure that when a practitioner makes the call that something warrants escalation, there is somewhere for that judgment to land.
Notably, a governance mechanism’s impact is not limited to the moments when escalation is actually used. The existence of a pathway changes how decisions are made before escalation even happens. With a governance mechanism in place alongside the advisory work, RAI-product conversations shift from informal alignment toward more explicit reasoning about risk acceptance and mitigation. And so, what might previously have been treated as a “nice to have” recommendation becomes a decision that must be either addressed or consciously accepted. In effect, governance mechanisms change what “resolution” means, from an informal agreement between teams to a clear decision about whether a risk has been addressed or knowingly carried forward.
Finally, good governance shouldn't be measured by how often escalation occurs, but rather by how rarely escalation needs to be invoked. Governance isn't designed for the ninety-five percent of cases where everyone agrees. It's designed for the five percent where they don't. And ironically, the existence of that five percent pathway is what strengthens the other ninety-five. Product teams who know that unresolved high-severity concerns may require broader review have stronger incentives to resolve them collaboratively before that happens. And in this way, the stick makes the soft voice more credible.
Speaking Softly Isn’t Enough
Mature Responsible AI organizations should speak softly: Collaboration should remain the default. But collaboration alone cannot ensure that significant unresolved risks receive the organizational scrutiny they deserve. This is why Responsible AI is incomplete if it lacks a governance capability to complement its advisory capability. The pathway doesn't just exist for the rare cases where it's used; its presence is what makes the other ninety-five percent of cases resolve through collaboration in the first place.
Without a governance mechanism, Responsible AI can identify risk, recommend mitigations, and advocate for better outcomes, but it cannot ensure those risks are meaningfully considered when disagreement remains.
Because ultimately, a risk that can't be escalated is a risk that will ship.