AI GOVERNANCE & OPERATING RISK Article 01 — Data Curation & Governance

AI Doesn’t Need More Oversight. It Needs the Right Oversight in the Right Places.

AI produces mistakes. So does every other tool, process, and person in the building. The question is not how to eliminate them — it’s whether the workflow catches the ones that matter before they reach a customer, a regulator, a board, or the books.


This week, EY Canada withdrew a published study after researchers found fabricated citations and made-up figures inside it. The story is being framed as another professional services firm led astray by AI. That framing is too easy, and it misses the more useful lesson.

Mistakes happen. They will happen with AI. They have always happened without it. The question for an operator is not how to eliminate them — that is not a realistic standard at any scale. The question is whether the controls sit in the right places so the mistakes that do happen never reach a customer, a regulator, a board, or the books.

That is a workflow question, not a technology question.

What happened

EY Canada published, then withdrew, a study on loyalty program fraud. Researchers found fabricated market sizing, footnotes pointing to pages that didn’t exist, and a citation to a McKinsey report that does not exist. EY removed the study and said the firm is reviewing the circumstances. The study was not connected to client work.

It is not the first incident of its kind. Sullivan & Cromwell recently apologized to a New York court after a filing cited cases incorrectly. Deloitte revised a Canadian provincial government report after fake citations surfaced. None of these are surprising. AI generates output at speed, and speed without a gate produces volume of error. Any firm at any scale can land in the same place if the workflow does not include a check.

The useful question is not who made the mistake. It is where the gate should sit so the mistakes that matter get caught before they leave the building.

What this is really about

Four things have to be in place before AI ships output that carries consequences. They are not heavy. They are not exotic. They are the basics.

Data. The model has to work against a governed source layer for the use case. Not perfect data — usable data. If the inputs are open-ended, the output will be open-ended. Data Curation & Governance is the first step.

Workflow. The output has to enter a defined path before it leaves the building. A review point. A verification step on anything cited, calculated, or claimed. Not for every output — for the outputs that carry consequence. Workflow Optimization is the second step.

Ownership. A named human has to own the gate. Not a process diagram. A person, by name, whose sign-off is required for the workflow to complete. If accountability lives only in documentation, it does not exist.

Controls. On anything external, regulated, or financially material, a second-pass check. Another set of eyes, another model with a different prompt, or both. The control sits inside the workflow, not inside a memo no one reads.

That sequence — Data Curation & Governance, then Workflow Optimization, then AI Design & Implementation — is the methodology. Out of order, the recommendation is wrong.

Right-sized, not maximum

The risk in any conversation about AI oversight is overcorrection. Controls that are too heavy slow the work to a stop, and the team routes around them. Controls that are too light let the failure ship. The point is not maximum oversight. The point is right-sized oversight, placed where the consequences actually live.

Three filters help calibrate it.

Reversibility. If the output can be corrected after the fact with no real damage, light oversight is appropriate. If the output cannot be unsent — a customer email, a regulatory filing, a published document, a financial commitment — the gate needs to be tight.

Visibility. If the output is internal and will get sanity-checked by the people who use it, light oversight is appropriate. If the output goes to a customer, regulator, board, or external audience, the gate needs to be tight.

Materiality. If the mistake is a rounding error, light oversight is appropriate. If the mistake moves margin, cash flow, compliance posture, or reputation, the gate needs to be tight.

Most AI output inside a business does not need heavy controls. Most of it is drafting, summarizing, restructuring, accelerating internal work that gets reviewed naturally as part of how the team operates. The mistake operators sometimes make is treating every AI workflow like the high-stakes ones. That is how oversight programs collapse under their own weight.

The smaller mistake — and the one that sinks reputation — is treating the high-stakes workflows like the low-stakes ones.

Where the exposure usually lives

In most operating businesses, the workflows that need the tight gate are a short list. Financial close and management reporting. Customer-facing proposals and contracts. Regulated filings and compliance documents. Pricing analysis. Operational dashboards that drive real decisions.

A hallucinated number in any of those turns the ROI negative the moment it leaves the building. Reputational damage compounds for years. AI cost savings do not. The math is asymmetric, and it does not favor speed.

The good news is that the list of workflows needing the tight gate is finite. The work is in identifying which ones they are and putting the gate in the right place.

The corrective move

Identify the workflows most exposed if an AI artifact ships an error. Rank by reversibility, visibility, and materiality. The top of the list gets the tight gate. The rest do not need it.

Establish a governed source layer for the high-stakes workflows. Define what counts as an acceptable input, where it lives, and who owns it. Data Curation & Governance.

Redesign the workflow so the model’s output enters a review point before it exits. Name the human who owns the gate. Define what they are required to check. Workflow Optimization.

Add a second-pass control on the most consequential outputs. Build it into the workflow, not into a policy memo.

Then deploy AI inside the optimized workflow with the controls in place. AI Design & Implementation — last, not first.

That is the sequence. Not heavy. Not exotic. Right-sized.

Close

AI will produce mistakes. So will every other tool, process, and person in the building. The question is never whether errors will occur. It is whether the workflow catches the ones that matter before they reach someone who is going to act on them.

That is what good operating discipline has always looked like. AI does not change the principle. It raises the stakes on how it is applied.

Build the gate where it matters. Leave it open where it does not.

Want to identify where the tight gate needs to sit in your business?

Foundation AI Advisory helps mid-market operators rank workflows by reversibility, visibility, and materiality — then install right-sized controls where the consequences actually live.
