Este artigo está disponível apenas em inglês no momento.
What Is Data Governance? How It Differs from AI Governance and Why You Need Both
Data governance and AI governance are distinct but interconnected. Good data governance is a prerequisite for good AI governance — you cannot govern AI well without governing the data it uses.
Key Takeaways
Data governance is the set of policies, processes, and accountabilities governing how data is managed across its lifecycle. AI governance addresses the governance of AI systems specifically — they are related but distinct.
Good data governance is a prerequisite for good AI governance: AI trained on poor quality, biased, or improperly consented data produces poor quality, biased, or non-compliant outputs.
Core data governance elements: data ownership, data quality standards, data classification, access control, data lineage, retention and deletion, and privacy compliance.
AI-specific data governance requirements include: training data provenance and consent, bias monitoring in training datasets, version control for training data, and data lineage through AI pipelines.
Regulatory requirements demand data governance as a precondition of AI compliance: GDPR's data minimisation, EU AI Act training data documentation, and APRA's CPS 230 critical resource management all require data governance infrastructure.
The most common data governance failure in AI is training data provenance: organisations cannot demonstrate where training data came from, what consent existed for its use, and whether it was representative.
"Apenas para fins informativos. Este artigo não constitui aconselhamento jurídico, regulatório, financeiro ou profissional. Consulte um especialista qualificado para orientação específica."
Data governance versus AI governance — why both are necessary and how they interact
Data governance and AI governance are related but distinct disciplines that address different risks and require different accountability structures. Confusing them — or treating AI governance as a subset of data governance — leaves significant gaps that regulators and auditors will identify.
Data governance addresses the management of data assets across their lifecycle: how data is collected, classified, stored, accessed, used, retained, and disposed of. A mature data governance programme includes a data dictionary, data ownership and stewardship accountabilities, data quality standards, access controls, and retention and disposal schedules aligned with legal obligations. Data governance applies to all data, not just data used in AI systems.
AI governance addresses the specific risks introduced when AI systems use data to make or inform decisions. It covers the data inputs to AI systems (training data, inference data), the models themselves (design, training, validation, bias assessment, post-market monitoring), the decisions AI systems produce (accuracy, fairness, explainability, human oversight), and the organisational accountability for those decisions (who is responsible when an AI system causes harm). AI governance applies a set of controls and accountability structures that have no equivalent in data governance — model risk management, algorithmic auditing, AI-specific incident response, and regulatory compliance for AI-specific legislation.
The relationship between the two: good data governance is a prerequisite for good AI governance, because the quality of AI outputs depends directly on the quality of data inputs. But data governance does not substitute for AI governance. An organisation with mature data governance that has not addressed AI-specific risk — model bias, hallucination, autonomous decision-making, AI vendor accountability — has significant unmanaged exposure.
What AI governance requires from data governance
AI systems place specific demands on data governance infrastructure that organisations must address as AI adoption increases:
Training data quality and lineage. The accuracy and fairness of an AI model depends on the quality of the data it was trained on. Data governance must extend to training datasets: documenting where training data came from, what demographic groups are represented (and underrepresented), how it was cleaned and prepared, and what quality controls were applied. The EU AI Act's data governance requirements for high-risk AI systems (Article 10) require that training, validation, and testing datasets be relevant, sufficiently representative, and as free of errors as possible relative to the intended purpose. These requirements cannot be met without underlying data governance infrastructure.
Inference data and privacy. Data sent to an AI system during inference — the inputs that drive the system's outputs — is subject to the same privacy obligations as other personal data. If personal information is included in prompts sent to an AI model (whether deployed internally or via a vendor API), it must be handled in compliance with the Privacy Act 1988 (Australia), GDPR (EU), or other applicable privacy law. This includes ensuring appropriate consent or legitimate basis for the processing, implementing data minimisation, and ensuring the vendor's data processing practices meet the organisation's contractual and regulatory obligations.
Automated decision-making transparency. Australia's Privacy and Other Legislation Amendment Act 2024 introduced automated decision-making (ADM) transparency obligations effective 10 December 2026. APP entities will be required to include in their Privacy Policies information about the kinds of personal information used in substantially automated decisions that have a legal or similarly significant effect on individuals. Meeting this obligation requires data governance infrastructure that tracks what personal information is used in which AI-assisted decision processes.
Data access and least privilege for AI systems. AI systems — particularly agentic AI that can access and act on data autonomously — must be subject to the same access controls as human users. APRA's April 2026 letter noted that identity and access management has not yet adapted to non-human actors like AI agents. Data governance frameworks must be extended to cover AI system identities: scoping access to only the data necessary for the specific function, logging AI data access, and implementing revocation capabilities.
Building integrated data and AI governance
The most effective approach treats data governance and AI governance as integrated but distinct programmes, with shared infrastructure and coordinated accountability:
At the data layer, existing data governance infrastructure — data catalogue, data quality controls, access management, retention schedules — should be extended to explicitly address AI use cases. This means tagging data assets with their AI usage (used in training, used in inference), adding AI-specific data quality requirements, and extending access management to AI system identities.
At the AI layer, AI governance adds the model-specific accountability that data governance cannot provide: model risk management (model validation, bias assessment, performance monitoring), AI incident response, AI vendor due diligence, and regulatory compliance for AI-specific obligations. These require accountability structures — typically a model risk committee or AI governance committee — with representation from legal, risk, technology, and business functions.
The key integration point is the AI inventory: a register of all AI systems in use, the data each system uses, the decisions each system influences, and the accountable owner for each. This inventory serves both data governance (understanding what data is used in what AI systems) and AI governance (understanding what AI systems require oversight). APRA expects regulated entities to maintain such an inventory, and its absence was a finding in the April 2026 supervisory engagement.
From a regulatory compliance perspective, the frameworks that require data governance capabilities as part of AI compliance include: the EU AI Act (Article 10 data governance requirements for high-risk AI); Australia's Privacy Act ADM transparency obligation (December 2026); CPS 230 operational risk management requirements for data quality in critical operations; and the NIST AI Risk Management Framework (which treats data quality as a core dimension of AI trustworthiness under the Map and Measure functions).
Related reading
GDPR and the EU AI Act: How They Interact and Where They Conflict · GDPR and AI: The Practical Guide for European SMEs Using AI Tools