Governance without Stifling: Managing Agile Projects in Regulated Industries

The Conflict Nobody Wins

“We cannot do that,” says the Compliance department. “Too high a risk.” “If we don’t do that, we will be irrelevant in three years,” says the project team. “Competitors are already far ahead.” “Then just make it compliant,” says management. As if it were that simple.

This is the most frustrating loop in regulated industries: innovation meets governance. Agility meets regulatory authorities. The desire for speed meets the reality of regulations, laws, industry standards, and internal guidelines that have grown over decades. The result: projects that take forever. Innovations that die in committees. And an organization that is simultaneously too slow for the market and too risky for supervision.

The real problem is not governance. The real problem is the assumption that governance and innovation are opposites. They are not. But they require a different way of thinking, planning, and leading.

A division head in the energy sector told me: “It took us eighteen months to approve an AI-based grid optimization. Our competitor launched three pilots and scaled one in that time. Not because they are less regulated, but because their governance makes decisions faster.”

Why Governance So Often Stifles

Governance exists for good reasons: client protection, operational safety, data protection, financial stability. In industries like energy, finance, healthcare, or telecommunications, these are not abstract concepts. An error can endanger lives, cost millions, or damage the trust of an entire industry. The problem is not that governance exists. The problem is how it is practiced in many organizations.

The Veto Problem. Compliance, Legal, Data Protection, IT Security all have one thing in common: a “no” is safe, a “yes” is risky. If they reject a project and it would have worked, no one asks questions. If they approve it and something goes wrong, they are responsible. The incentive structure rewards risk avoidance, not risk management. When in doubt, the “no” wins, not because it is the right decision, but because it is the safe one.

The Precedent Problem. In large organizations, every exception becomes a rule. “If we allow this for Project A, we must also allow it for Project B.” This logic leads to extreme caution: better no exception at all than one with uncontrollable consequences. Every pilot is treated as if it were already in production. Every innovation must meet the standards that apply to old core systems. The space for controlled experimentation does not exist.

The Understanding Problem. Many governance structures were developed for a world where IT meant servers, databases, and ERP systems: stable, predictable technologies. Today, you talk about AI, cloud architectures, and microservices, and the governance teams often do not understand what that specifically means. This leads to two extremes: either everything is rejected across the board as “too risky,” or it is waved through because no one asks the right questions. Here, basic technological competence is lacking on both sides.

What Governance Teams Say | What Project Teams Hear
“We need to review this first.” | “This will take months.”
“This does not meet our standard.” | “Innovation is not desired here.”
“We need a full risk assessment.” | “Write a dissertation before you are allowed to start.”
“We cannot approve this as is.” | “No. Without an alternative.”

The Price of Paralysis

Every month in which your governance blocks innovation instead of enabling it costs you more than most organizations are willing to admit.

It costs speed. Your competitors move faster, not because they are less regulated, but because they handle governance differently. While you debate in committees, they launch pilots. While you write risk assessments, they gain experience.

It costs talent. Good people want to make things happen. If every initiative gets stuck in bureaucratic processes, they leave. To digital competitors, to less regulated industries, to organizations that enable innovation instead of preventing it. You don’t just lose expertise. You lose the people who could drive your transformation.

It costs innovative capacity. Organizations that have learned for years that innovation is “complicated” and “risky” eventually stop trying. The culture becomes risk-averse. New ideas are not even expressed. You no longer have paralysis. You have stagnation.

The greatest danger of overly cautious governance is not that you misjudge a risk. The greatest danger is that you stop seeing opportunities.

Three Principles for Governance That Works

The solution is not less governance. The solution is better governance that manages risks instead of preventing them, that enables innovation instead of blocking it, that makes decisions quickly instead of endlessly reviewing.

First: Manage based on risk instead of blanket prohibition.

Not every project has the same risk profile. An internal pilot with 50 users is not the same as a business-critical system with millions of transactions. An AI that categorizes documents is not the same as an AI that makes credit decisions. The governance approach must reflect this. Successful organizations work with tiered models: Low-risk projects receive lean approval in two weeks. Medium risks undergo a targeted review in four to six weeks. High-risk projects receive a full assessment in eight to twelve weeks. Not everything needs the highest level. If you accept this, you gain enormous speed.

Second: Create controlled spaces for experimentation.

Regulated organizations need areas where innovation can take place under defined conditions. Not “let’s just do it,” but “let’s do it in a controlled manner.” Such a space defines clear boundaries: what may be tested, who is involved, what data may be used, how long experimentation will last, and when a decision will be made whether to proceed or stop. This is not a lawless space. It is a defined space where risk is consciously limited to enable faster learning. This gives innovators freedom and governance teams security.

Third: Involve Compliance as a partner and release incrementally.

The traditional model works sequentially: The project team develops something, then Compliance comes and reviews it. This takes time, and often the result is: This won’t work, start over. The better model involves Compliance from the beginning. Not as a brake, but as a partner who helps design the project to be compliant from the outset. This requires a shift in thinking on both sides: Project teams must accept that Compliance is not the enemy, but the reality check. Compliance teams must accept that their job is not to “say no,” but to “enable yes.” At the same time, you replace the binary approval at the end with iterative stages: Can the system be launched internally in its current state? What is needed for a pilot with selected clients? What is needed for the full rollout? This way, you move faster from pilot to production because you don’t have to make everything perfect first.

Good governance in regulated industries does not protect against risks by preventing everything. It protects against risks by enabling intelligent experiments.

Reality Check: The Governance Audit

Take your last delayed or failed innovation project and answer three questions.

  1. How long did it take from project start to final governance approval? If longer than six months: warning sign.
  2. How often did the project have to be escalated because no decision was made? If more than three times: warning sign.
  3. How many governance decisions were a clear “no” instead of a “yes with conditions”? If more than 70 percent: warning sign.

Three warning signs mean: your governance systematically stifles innovation. Two warning signs: you have a speed problem. One: you are on the right track. None: Either you have excellent governance, or you are measuring the wrong things. Most regulated organizations have two to three warning signs. This is no cause for panic, but a clear signal of where you need to start.

The Uncomfortable Truth

Governance in regulated industries will not disappear. Regulation is more likely to increase than decrease. The question is not whether you need governance, but whether your governance protects or stifles your company.

Rethinking governance requires courage on both sides. Courage from innovators to take compliance seriously. And courage from compliance to allow controlled risks.

Tomorrow, take your current innovation project and ask one question: At what point is this project currently waiting for a governance decision, and what can you do to bring about that decision this week?
