Angelika Beierlein
Board retreat: Who operationally owns AI operations will be the decisive question in 2026. (Photo: V. Karpovich / Pexels)
8 Min. Read Time
AI operations in German boards won’t stabilize until CIO, COO, CFO, and Risk jointly formulate a robust mandate. Pilot projects are underway, budgets are allocated, but governance is lacking. As long as it’s unclear who truly owns AI operations, every escalation will continue to cycle through the board more than necessary.
Three years of pilot operations have created a reality in most DACH corporations that doesn’t appear in strategy folios. There are 15 to 40 productive AI applications scattered across business units, corporate IT, and individual subsidiaries. The models live in different tenants with two or three hyperscalers. Licenses are a mix of corporate framework agreements, business unit subscriptions, and individual tokens.
No one planned it this way. It evolved because each pilot phase found its own path. What was legitimized as an experiment in 2023 is an operational risk in 2026. The question isn’t whether it needs to be addressed, but who will address it and with what mandate.
The interesting leadership decisions aren’t the ones that appear in the quarterly report. They’re the ones someone makes in the third week of a project that no one ever notices. These decisions are now emerging everywhere in the corporation’s AI landscape, without the board knowing what they were.
The operation of AI depends on four top management functions, all of which have a legitimate interest and come from different directions. Understanding the distribution of these interests reveals why ownership discussions often end in conjecture.
| Role | Legitimate interest | What they can’t decide |
|---|---|---|
| CIO | Platform architecture, model sourcing, integration into existing IT, SLAs. | Reallocation of budget from specialist departments, supplier binding beyond CIO contract framework. |
| COO | Process integration, adoption in business units, value contribution in operational KPIs. | Technical depth of model selection, data protection law issues. |
| CFO | Capital expenditure, token cost forecasts, contract risks, working capital impact. | Model performance trade-offs, technical architecture decisions. |
| Risk / CISO | EU AI Act, model risk, data protection, auditability, provider concentration. | Operational distribution of Sev-1 responsibility, adoption drivers. |
The table is not surprising; it’s everyday reality. What’s remarkable is that many DACH corporations lack an explicit, written distribution of these responsibilities. There are those responsible for individual projects, platform selection, and the annual AI risk statement. Rarely is there a written definition of who is responsible for the operating stock.
When the first productive AI use case produces a serious incident, a hallucinated output is sent to a major customer, or a token retrieval generates an unexpected cloud bill, the ownership question is no longer academic. At this very moment, it becomes clear whether escalation takes hours or days. Those who have clarified the question beforehand gain speed. Those who haven’t, burn through the patience of those involved.
The most common observation is the following. Corporations that have named an ad-hoc owner for every pilot phase enter a state of diffusion within the first two years of productive operation. No one bears overall responsibility anymore because no one had it to begin with. The ad-hoc owners are assigned to other topics, and the operating model hasn’t evolved further. This isn’t malicious intent; it’s the absence of a design decision.
An honest retrospective is more expensive than three offsites. But only one of them changes something. In AI operations, the retrospective is rarely early enough because no one is accountable for it.
Instead of fixating on growth forecasts for AI budgets, it’s worth taking a look at three straightforward operating numbers. They’re the ticket to the boardroom meeting where AI ownership is decided.
Operating reality

| Figure | Metric | Note |
|---|---|---|
| 15–40 | Productive AI applications | Range in DACH corporations by 2026. The spread says more than the average. |
| 3 Q | Escalation cycle without an owner | Three quarters until an operating decision leaves the board is realistic. In two of them, the pilot project has already become politicized. |
| ~ 0 | Written operating mandates | Proportion of DACH corporations with a clearly documented AI operating mandate at the board level. The gap is the real story. |
The first two numbers are based on experience from discussions with executives and IT leaders; the third is a consequence of that. They’re not a study but a basis for discussion. Applying them to your own operating model leads to an honest assessment.
“The question of who really owns AI operations is, at its core, a question of willingness to take responsibility, even when a model hallucinates at night. That’s not delegable. It’s also not solvable through tooling.”
from a board retreat, DACH industrial corporation, Q1 2026
An operating mandate definition is not a strategy paper. It’s a working document for the next two years. Three definitions are sufficient to make the inventory manageable.
Firstly, a clear owner per AI cluster. Clusters are groups of related use cases, not individual applications. One named person per cluster who decides on Sev-1, budget realization, and sunset. Secondly, a reporting path with a quarterly cadence that provides the board with three numbers: productive applications, token costs, and material incidents. No more, otherwise the format won’t be read. Thirdly, a sunset mechanism that forces pilot projects without demonstrable value to make a decision within twelve months.
These three points fit on an agenda. They don’t replace the strategy discussion about AI ambition, but they provide the operational foundation without which any strategy is hollow.
2026 is not the year of model choice. It’s the year of the operating decision. Boards that clarify the question of AI ownership in the first two quarters gain more time for strategic ambition than those who lead the model debate well but leave the operating question open.
The answer will rarely be elegant. It will be political, it will touch on the division of CIO-COO-CFO responsibilities, and it will bring Risk into a more central position than some in the executive team expect. But it will make a material difference for the next quarter and the two after that.
In the DACH mid-market, AI ownership is often concentrated with the CFO or the CEO with IT responsibility. This is pragmatic because budget and operational authority are combined there. It becomes critical as soon as model risk and data protection need to be structurally addressed, because the CFO role rarely carries this expertise alone.
For strategic questions, yes; for operational management, rarely. A committee doesn’t steer in real-time. When a Sev-1 incident occurs, you want a person on call, not a quarterly meeting. A committee makes sense as an escalation forum with clear operational responsibility below it.
It increases the pressure. Risk assessment and auditing under the EU AI Act require assigned responsibility at the board level. Failing to clarify this risks not only compliance findings but also the trust relationship with the supervisory board and auditors. Risk and CIO must work together in a clear escalation cascade.
Difficult to quantify, but the pain points are clear. Duplicate token contracts, licenses for models that nobody tracks centrally, pilot projects that continue without a sunset clause, unplanned cloud costs without forecasting. Conservative estimates from DACH corporations range from high six-figure to low seven-figure amounts per year, without a single material incident occurring.
Between 15 and 25 productive applications. Below that, it’s organizationally too early because no real diffusion has occurred. Above that, it’s too late because shadow IT structures have solidified, and dismantling them becomes more expensive than the initial operating decision.