AI Governance Is Theatre Until You Solve Discovery
- Martin Snyder

- May 13
- 3 min read
The NIST AI Risk Management Framework is a serious piece of work. The EU AI Act is the most ambitious AI regulation any major jurisdiction has produced. ISO/IEC 42001 is a credible management standard for AI. The AI governance vendors layering tools on top of these frameworks are doing real engineering, and the analysts covering the space are not wrong to call it the most important new security category of the decade. All of it is downstream of one quiet, embarrassing question: which AI is actually in use here? And the honest answer in most organizations is: we have a registry of about 20 things, while our employees are using about 200.
The registry is doing 10% of the work
Walk into any company that takes AI governance seriously, and they'll show you the registry. Each entry has an owner. Each entry has a risk tier. Each entry has an impact assessment, a data flow diagram, and a quarterly review attached. The dashboards are beautiful.
Then walk into the marketing team's open-plan area and ask which AI tools they used today. You'll get a list five times longer than the registry. None of them went through intake. A meaningful number are processing customer data. Several are operating with persistent OAuth tokens. One or two are actively training on the data being sent to them.
Now ask the engineering team the same question. Same outcome. Now finance. Now legal. Now HR. The registry that looked so impressive in the boardroom slide doesn't even know these tools exist.
The frameworks know this. They just can't say it directly.
The NIST AI Risk Management Framework assumes you have an inventory. The EU AI Act assumes you can classify use cases — meaning you can name them in the first place. OWASP's Top 10 for LLM Applications assumes you know which LLM applications you're running.
All of these frameworks are written with the polite assumption that you've done the discovery work. None of them will say out loud what every practitioner knows: the discovery work is the hard part, and nobody is doing it well.
What "theatre" looks like in practice
Here's what AI governance theatre looks like, in case you're wondering whether your program is performing it:
Quarterly AI review meetings that discuss the same five use cases every quarter.
An intake form that takes three weeks to clear and gets bypassed routinely.
A risk register that has fewer entries than your average engineering org has Slack channels.
Glowing reports to the board about "AI governance maturity" that nobody in the workforce would recognize.
If any of those sound familiar, you're not alone. Most AI governance programs in 2026 look like this. It's not because the people running them are bad at their jobs. It's because the registry is incomplete in ways the registry itself can't detect.
The fix is unglamorous
The fix is discovery. Shadow AI discovery — the boring, structural, multi-signal kind, not a browser-extension hack — surfaces the AI in use across personal sign-ups, OAuth grants, embedded SaaS features, and AI agents. Once those names show up, the registry stops being a wish list and becomes an actual inventory. The frameworks suddenly have something to apply to. The dashboards stop lying.
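To make the "multi-signal" point concrete, here is an added example (not Waldo Security's code, and not part of the original post) that merges two signals an identity admin can usually export, OAuth consent grants and sign-in events, and compares the AI apps they reveal against the governance registry. The app domains, user names, and the scope labels are constructed for the example; the shape of the OAuth scopes is modelled on common IdP scope names (`offline_access` is the standard OIDC scope for a refresh token), and the list of which apps count as "AI" is a stand-in for whatever vendor catalog the organization trusts.

```python
"""Cross-signal shadow-AI gap report (added example, not Waldo Security's code).

Inputs are three constructed signal sets an IdP / SaaS admin could export:
  * OAuth consent grants (app, user, scopes, whether a refresh token was issued)
  * sign-in events (app, user, login method: SSO or a personal password sign-up)
  * the governance registry (approved apps with an owner and risk tier)
Output: which AI apps are in use but absent from the registry, and why each one
matters (persistent tokens, data-access scopes, personal sign-ups).
"""
from collections import defaultdict

# Constructed: app domains this org treats as AI/LLM services. In practice this
# would come from a vendor catalog; the names here are illustrative only.
AI_APPS = {"chatgpt.example", "notionai.example", "otter.example",
           "copilotapp.example", "agentflow.example"}

# Constructed scope labels for read access to business data, modelled on the
# shape of common Google/Microsoft scopes.
DATA_SCOPES = {"mail.read", "files.read", "calendar.read", "contacts.read"}

# The registry: what governance believes is in use (constructed).
REGISTRY = {"copilotapp.example": {"owner": "it-platform", "risk_tier": "medium"}}

# Constructed OAuth consent-grant export.
OAUTH_GRANTS = [
    {"app": "chatgpt.example", "user": "ana@corp.example", "scopes": {"openid", "email"}, "refresh_token": False},
    {"app": "otter.example", "user": "ben@corp.example", "scopes": {"openid", "calendar.read", "offline_access"}, "refresh_token": True},
    {"app": "otter.example", "user": "cy@corp.example", "scopes": {"openid", "calendar.read", "offline_access"}, "refresh_token": True},
    {"app": "copilotapp.example", "user": "dee@corp.example", "scopes": {"openid", "files.read"}, "refresh_token": True},
    {"app": "agentflow.example", "user": "eve@corp.example", "scopes": {"openid", "mail.read", "files.read", "offline_access"}, "refresh_token": True},
]

# Constructed sign-in export; "password" means a personal sign-up outside SSO.
SIGNINS = [
    {"app": "notionai.example", "user": "ana@corp.example", "method": "password"},
    {"app": "notionai.example", "user": "fay@corp.example", "method": "password"},
    {"app": "chatgpt.example", "user": "gus@corp.example", "method": "password"},
    {"app": "copilotapp.example", "user": "dee@corp.example", "method": "sso"},
]


def build_gap_report(registry, grants, signins, ai_apps=AI_APPS):
    """Merge both signals per app; return unregistered AI apps with findings."""
    users = defaultdict(set)
    persistent = defaultdict(set)   # users whose grant issued a long-lived token
    data_scopes = defaultdict(set)  # data-access scopes seen per app
    personal = defaultdict(set)     # users who signed in outside SSO

    for g in grants:
        if g["app"] not in ai_apps:
            continue
        users[g["app"]].add(g["user"])
        if g["refresh_token"] or "offline_access" in g["scopes"]:
            persistent[g["app"]].add(g["user"])
        data_scopes[g["app"]] |= g["scopes"] & DATA_SCOPES

    for s in signins:
        if s["app"] not in ai_apps:
            continue
        users[s["app"]].add(s["user"])
        if s["method"] != "sso":
            personal[s["app"]].add(s["user"])

    report = {}
    for app, seen in users.items():
        if app in registry:          # known to governance: not a gap
            continue
        report[app] = {
            "users": len(seen),
            "persistent_token_users": len(persistent[app]),
            "data_scopes": sorted(data_scopes[app]),
            "personal_signups": len(personal[app]),
        }
    return report


def registry_coverage(registry, grants, signins, ai_apps=AI_APPS):
    """Fraction of AI apps observed in the signals that the registry knows about."""
    observed = {r["app"] for r in (*grants, *signins) if r["app"] in ai_apps}
    if not observed:
        return 1.0
    return len(observed & set(registry)) / len(observed)


if __name__ == "__main__":
    for app, finding in sorted(build_gap_report(REGISTRY, OAUTH_GRANTS, SIGNINS).items()):
        print(app, finding)
    print(f"registry covers {registry_coverage(REGISTRY, OAUTH_GRANTS, SIGNINS):.0%} of observed AI apps")
```

On the constructed data the registry covers one of the five AI apps actually observed, and the gap report ranks the rest by what makes them worth a governance conversation: the meeting-notes app holds persistent calendar access for two users, the agent app holds mail and file scopes, and the two remaining tools exist only as personal sign-ups the IdP never saw. Each additional signal source (CASB logs, expense reports, browser telemetry) would be one more loop feeding the same per-app merge.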
Your employees are already using AI tools you've never approved — that's the headline. The follow-up question is whether you want to know about it before the auditor does.
That's what Waldo Security's SaaS Discovery is for. It's the unglamorous foundation under the impressive frameworks. The theatre stops once you have it.
Curious what's hiding in your AI footprint? Demo a working session. First report inside a day.

