Corvus AdvisorsContact
00Insights/Operating Model

Who owns AI inside a regulated institution?

On the structural choices — CTO, CIO, CRO, dedicated office — and the trade-offs each entails for governance and delivery.

Essay·8 min read

Few questions consume more executive time, and produce less clarity, than the question of who should own AI inside a regulated institution. The conversation tends to centre on reporting lines: should the head of AI report to the CIO, the CTO, the Chief Data Officer, the CRO, or directly to the CEO? It is the wrong starting point.

Ownership is not a reporting question. It is a question about decision rights, accountability, and operating model. Two institutions with identical organisation charts can produce entirely different outcomes depending on how those three are configured beneath the chart.

The five common models

In practice, five ownership models recur. Each has a logic. Each has a cost. None is universally right.

  • Technology-led (CIO or CTO) — places AI alongside the infrastructure and engineering that delivers it. Strong on execution and integration. Weak when AI strategy needs to be argued at the level of the franchise rather than the platform.
  • Data-led (CDO) — places AI close to the data substrate it depends on. Strong on lineage and quality. Weak when delivery into the business requires authority the CDO does not have.
  • Risk-led (CRO) — places AI under the function most concerned with consequence. Strong on control and credibility with regulators. Weak when the institution needs the risk function to enable, not only to constrain.
  • Business-led (each line of business) — places AI close to commercial outcomes. Strong on relevance and adoption. Weak when fragmentation produces inconsistent standards, duplicated investment, and an inventory no one owns.
  • Dedicated office (Chief AI Officer or AI Centre of Excellence) — places AI in a function purpose-built for it. Strong on coherence. Weak when the office becomes detached from delivery, from data, or from risk — and is then quietly ignored.

Why titles are insufficient

The trade-offs above are real, but they are not resolved by choosing a title. They are resolved by being explicit about three things underneath the title: who decides which AI initiatives proceed; who is accountable when they succeed or fail; and where the operating capacity actually lives to run them.

An institution that names a Chief AI Officer without resolving those three questions has not solved its ownership problem. It has personalised it.

Ownership is not a reporting question. It is a question about decision rights, accountability, and operating model.

Decision rights, made explicit

The cleanest institutional designs we encounter share a common discipline: they have written, named decision rights for AI. Specifically, they have answered — on paper, in plain language — questions of this form.

  • Who approves a new AI use case at the enterprise level, and at what risk tier?
  • Who has the authority to halt a deployed AI system, and on what evidence?
  • Who owns the institution's relationship with each material AI vendor, and who is accountable when that vendor changes its product?
  • Who is the senior individual a regulator should expect to interview about a specific decision, and how is that individual prepared to answer?

These questions are answerable inside any of the five models above. They are also, in many institutions, answered by no one. That is the actual ownership problem.

Choosing deliberately, not politically

Ownership decisions tend to be made politically — which executive can absorb the mandate, which function has appetite for the scrutiny, which reorganisation is convenient. These considerations are real and cannot be ignored. But they should not be the basis of the decision.

A deliberate ownership choice begins from a different question: given this institution's franchise, its risk profile, its data maturity, and its delivery capacity, which of the five models is most likely to produce outcomes the board would be proud to defend three years from now? The answer is rarely the most politically convenient one. It is usually the one that places authority closest to the work that matters most, with the controls that make that authority safe.

A short conclusion

Title alone will not produce a coherent AI capability. Decision rights, accountability, and operating capacity will. Institutions that begin from those primitives — and then choose a structure that fits — tend to end up with both an organisation chart they can defend and an AI program that delivers. Institutions that begin with the chart usually end up with neither.

Related insights
Governance

What examiners will ask about your AI program in 2026

A pragmatic anticipation of the questions regulators are beginning to formulate — and what institutions can do now to answer them with conviction.

Read essay
Strategy

The institutional case against the use-case backlog

Why the proliferating list of AI pilots inside large institutions is a symptom of a missing strategy, and what to do instead.

Read essay
All insights