Governance by Design: Why Auditing AI After Launch Is Already Too Late
Most enterprise AI governance still gets built after the system ships, as an audit rather than an architecture decision. Dr. Zahra Timsah, CEO of i-GENTIC AI, explains why that sequence is backwards, and what governance by design looks like when it's done at build time instead.
TL;DR: Dr. Zahra Timsah, CEO of i-GENTIC AI, told Sparq at IIT2026 that most enterprise AI failures start with leaders who don't understand what they've deployed and can't measure its return. Since 2023, she’s argued for "governance by design," which means defining what data an AI system can access and what actions it can take, then building those controls directly into the code rather than auditing behavior after the fact. She also argues for narrow, specialized agents over general-purpose ones and for a three-part ROI model built on time saved, cost relative to a defined profit center, and reputational value. Gartner forecasts that more than 40% of agentic AI projects will be canceled by 2027 due to governance and ROI gaps that surface only after launch, a pattern that closely matches the one Timsah describes.
The Understanding Gap
We recorded this conversation with Dr. Zahra Timsah at IIT2026 in Long Beach for the first episode of The AI Friction Files, a series that documents why many enterprise AI projects stall before reaching production. Timsah runs AI governance and policy firm i-GENTIC AI and has pushed the governance-by-design argument since 2023.
When asked what companies are missing right now, she didn't point to the models. "I would say lack of understanding of AI and its capabilities," she said. "Everyone wants to adopt AI, but no one has the understanding of what to do with it."
That gap starts at the top. "A lot of leaders are just regurgitating information they're getting from LLMs like Claude, like ChatGPT," Timsah said. "There is not necessarily a deep understanding of what AI is." Her fix is blunt: "Understand your company's need. Don't just adopt it for the sake of adopting it. If you need it, then adopt it. If not, move on."
Nobody's Measuring the Right Thing
Timsah connects the literacy gap directly to a measurement gap: companies deploy and train AI systems without a return-on-investment framework.
Gartner's June 2025 forecast puts a number on where that leads. More than 40% of agentic AI projects are on track to be canceled by 2027, driven by unclear ROI, rising costs, and governance gaps that show up after launch. RAND Corporation's research on AI project failure found that AI projects fail at roughly twice the rate of non-AI IT projects, and that leadership-driven decisions, not technical limitations, were the most commonly cited root cause among the practitioners interviewed. Both numbers point to the same pattern Timsah describes: leaders put the model into production without a defined outcome attached, then treat the fallout as a technology failure.
Legacy Systems Can't Read Context
Timsah named the infrastructure version of the same problem: AI running on legacy systems that weren’t built to give an agent the context it needs, with data protection uncertain on top of it.
"AI at this point in time is still not context aware," she said. "It'll give you answers, but these answers might not necessarily be useful or beneficial to you." An agent without context still produces output. It just doesn't produce anything a team can use.
Sparq sees the same ceiling across transportation and logistics, insurance, and built environment modernization work: a freight exception, a claims record, or a maintenance ticket that lives only in someone's head because the legacy system never captured it. No agent can read context that wasn’t structured for anything but a person.
Governance by Design, Since 2023
"I started talking about governance by design in 2023," Timsah said. "Everybody, including politicians, administrations, were very much dismissive." Her definition: "Bake controls into the actual code of the AI. Define what data it can access, define what actions it can do."
Her objection to the standard approach is about sequence. "If you do audits, like what companies are doing right now, in retrospect, and not proactive control during execution itself, what's the point?" An audit finds a violation after it happened. A control built into the architecture stops the system from taking the action at all.
She orders the fix the same way every time: people, then process, then platform. "I still believe that people should be the focus," she said. "Start with your team. Educate them. Make sure they are ready to adopt AI." The platform is the last piece, added once the team and process behind it are ready.
"Don't Boil the Ocean"
When asked for practical advice on agentic AI, Timsah pointed away from the largest, most capable model available. "Don't do general agents, do specialized agents," she said. "What I do right now might not be as sophisticated as Claude, might not be as sophisticated as OpenAI, but it's accurate, it's consistent. I do five things, and the agent can do them with a high level of accuracy and consistency. Don't boil the ocean."
A narrow agent with a defined task list is easier to govern by design because the permission set is small. A general-purpose agent with broad access has more surface area to write controls for, and more ways to fail.
The Questions That Put a Number on It
Before the next AI deployment gets scoped, three questions from Timsah's KPI framework for agentic AI are worth asking in the room:
- Is there a defined ROI baseline, time saved, cost against a defined profit center, and reputational value, or is success being measured by adoption alone?
- Are the guardrails for this system defined in the architecture, or do they exist only as a policy document reviewed after something goes wrong?
- Does the underlying data give this system enough context to produce a useful answer, or just a generated one?
Watch the Full Conversation
This post is drawn from Episode 1 of The AI Friction Files, recorded live at IIT2026 in Long Beach, California. Watch Dr. Zahra Timsah's full interview in the video below.
Book a strategy session with a Sparq architect to find out whether your AI deployments are governed by design or governed by audit.
Part 1 in Sparq's blog series adapting The AI Friction Files. More episodes, covering agent governance, data silos, and the leadership accountability gap, will be released through summer 2026.
Frequently Asked Questions
What is governance by design in AI?
Defining what an AI system can access and what actions it can take, then building those controls into the code at build time instead of auditing behavior after deployment. Dr. Zahra Timsah, CEO of i-GENTIC AI, has argued for the approach since 2023.
Why do AI governance frameworks fail after deployment?
An audit only catches what already happened. Gartner attributes a large share of agentic AI project cancellations through 2027 to governance gaps that surface after systems are already live.
What is the three-part ROI model for enterprise AI?
Time saved, cost measured against a defined profit center, and value contribution at the reputational and ethical level. Most enterprise ROI frameworks stop at the first two.
Should enterprises use specialized AI agents instead of general-purpose ones?
For most production workflows, yes. A specialized agent with a narrow task list is easier to govern by design and easier to audit than a general-purpose agent with broad access.
Sparq is an economic performance engineering partner, built for the age of AI. We re-engineer the core systems businesses run on, turning manual bottlenecks into measurable margin, throughput, and decision speed. Trusted by clients across industries, including transportation & logistics, real estate & construction, and financial services & insurance.
Related