AI Governance Is Now Core, Not Optional

With the release of ITIL v5 product and service management has crossed an important threshold. AI is no longer something organisations are experimenting with at the edges, it is now embedded in the core of how services are delivered, supported, and improved.

That shift introduces a new kind of challenge. Not a tooling issue, and not simply a capability gap, but a governance question. When decisions are increasingly made by machines, often in real time and at scale, how do organisations maintain control, accountability, and trust?

ITIL v5 doesn’t frame this as a future concern. It treats it as today’s operating reality.

From Automation to Autonomous Decision-Making

Under ITIL v4, automation was positioned as an enabler, something that could streamline workflows, reduce manual effort, and improve consistency. Governance, however, remained largely human-centred, built around approvals, escalation paths, and clearly defined responsibilities.

What has changed is not just the extent of automation, but its nature.

AI systems are no longer simply executing predefined instructions. They are interpreting data, making judgements, and triggering actions based on learned behaviour. In many environments today, incidents are categorised and prioritised automatically, changes are assessed and deployed through pipelines, and monitoring tools decide which signals matter and which can be ignored.

These are no longer emerging patterns, they are becoming standard operating practice.

The implication is straightforward but significant: governance can no longer focus only on what people do. It must also account for what systems decide.

Rethinking Governance: From Process to Decision Integrity

Traditional IT service management governance was built on process control. If the right processes were defined and followed, outcomes could be managed and risk could be contained.

In an AI-enabled environment, that assumption starts to break down.

You can still have a well-structured change enablement process, but if an AI model is dynamically assessing risk and making approval decisions, the true control point is no longer the process itself, it is the decision logic behind it.

This shifts the focus of governance from process compliance to decision integrity.

Organisations need to understand not just what decisions are being made, but how they are being made. What data is influencing them? What assumptions are embedded in the model? Under what conditions might the outcome change?

ITIL v5 reflects this shift by implicitly repositioning governance closer to the point where decisions actually occur, at the intersection of data, automation, product and service delivery.

The Hidden Nature of AI Risk

One of the challenges with AI in service management is that the risks it introduces are often less visible than traditional operational risks.

When a human makes a mistake, there is usually a clear trail; context, intent, and accountability. When an AI system makes a poor decision, the root cause can be far less obvious. It may lie in biased training data, flawed logic, or gradual degradation in model performance over time.

In practice, this can show up in subtle but impactful ways.

An incident model might consistently deprioritise certain types of issues, quietly affecting user experience. A change model might underestimate risk in specific scenarios, increasing the likelihood of disruption. A monitoring platform might suppress alerts that, while noisy, were early indicators of a larger issue.

Individually, these may not trigger immediate concern. But collectively, and over time, they can erode service quality and trust.

This is why ITIL v5 places such importance on making AI-driven decisions transparent, traceable, and accountable. Without those qualities, organisations are relying on systems they cannot fully see or explain.

Embedding Governance Into Everyday Service Management

A common misconception is that AI governance sits outside of normal operations, as an additional layer of control or oversight. In reality, that approach quickly becomes impractical.

What ITIL v5 points towards is something more integrated: governance that is embedded into the flow of work itself.

In incident management, this might mean continuously validating how AI models classify and prioritise tickets, and ensuring there are clear pathways for human intervention when confidence is low. In change enablement, it means defining when automation is appropriate and when risk thresholds require escalation.

In monitoring and event management, governance extends to understanding what is not being surfaced, ensuring that suppression rules are visible and periodically reviewed. In security operations, it requires the ability to explain and justify automated responses, particularly in environments where auditability matters.

The pattern is consistent. Governance is no longer a checkpoint at the end of a process. It becomes a continuous activity, supported by visibility and reinforced through regular validation.

The Intersection with Risk and Compliance

For organisations aligned with frameworks such as ISO/ISEC 27001:2022, the rise of AI in service management creates both complexity and opportunity.

Traditional risk management approaches tend to be periodic and relatively static. AI-driven environments, by contrast, are dynamic and constantly evolving. This mismatch can expose gaps in control if governance does not adapt.

At the same time, AI has the potential to strengthen risk management. When properly governed, it enables more responsive assessment, continuous monitoring of control effectiveness, and faster mitigation of emerging issues.

ITIL v5 sits at the intersection of these disciplines. It provides a structure for aligning product and service management, security, and risk into a more cohesive operating model, one that supports both innovation and control.

Where to Start

For many organisations, the challenge is not recognising the importance of AI governance, but knowing how to begin without creating unnecessary complexity.

A practical starting point is visibility.

Understanding where AI is already influencing decisions across the product and service landscape is often revealing. From there, the focus shifts to making those decisions understandable, identifying inputs, outputs, and boundaries of autonomy.

Once that visibility exists, governance can evolve naturally. Decision thresholds can be clarified, oversight can be targeted where it adds value, and models can be monitored as actively as any other critical component.

The goal is not to control everything, but to ensure that nothing critical operates without awareness or accountability.

The Bigger Picture

There is a persistent belief that governance slows organisations down. In the context of AI, the opposite is often true.

Without clear governance, organisations hesitate. Automation is underutilised, decisions are questioned, and progress stalls under uncertainty. With the right guardrails in place, organisations can move faster, not because they are taking more risks, but because they understand and manage them more effectively.

This is the real significance of ITIL v5. It acknowledges that AI is now part of the fabric of product and service management, it provides a way to operate confidently within that reality.

Final Thought

AI is already shaping how products and services are delivered. It influences what gets prioritised, how quickly issues are resolved, and how organisations respond to change.

The question is no longer whether AI will make decisions. The question is whether those decisions are being governed.

ITIL v5 makes the expectation clear: governance must evolve, not by adding layers of process, but by moving closer to where decisions are actually made.

Because in an AI-enabled world, control is not about slowing things down.

It’s about understanding what’s driving them forward.