New Release · June 2026 · CISO Quick Review Edition

THE AI MANDATE

Why AI Governance Belongs in the CEO's Office, Not the IT Department

Manav Chadha
Digital Transformation & Cybersecurity Leader · AI Governance Practitioner
MBA · CISM · Associate C|CISO · CCEP · 25 Years of Experience

The Delegation Trap

Preface 2 min read

I did not plan to write this book.

I planned to keep doing what I had been doing for over twenty years, walking into organizations, finding the gaps between what leadership believed was happening and what was actually happening, and helping close them. Quietly. Practically. Without a book attached to it.

Then I started watching the same conversation happen everywhere, in every boardroom, in every executive briefing, across every industry and every size of organization. Someone would ask about AI risk. Someone would mention data governance. Someone would raise the question of what employees were actually doing with the AI tools they had access to. And then a senior leader, always confident, always well-intentioned, would say the sentence that ends the conversation.

"The IT team handles all of that."

And that would be it. The room would move on.

I wrote this book because that sentence is the most expensive sentence in corporate leadership right now. Not because IT teams are incapable. They are often extraordinary. But because AI governance is not an IT function. It is a leadership accountability. And the gap between those two things is where organizations are getting hurt.

Why I Am the Person Writing This

I am not an academic. I am not a researcher who studied the problem from the outside. What I have is 25 years of being inside technology organizations when things went wrong. Not reading about what went wrong. Being in the room.

I have led enterprise governance programs that passed international audits. I have been inside organizations when their systems failed catastrophically. I have built a semantic leakage prevention prototype because I watched confidential data entering public AI tools every day without any governance behind it. I have coached more than two hundred professionals in IT, security, and governance.

And I have had the conversation about AI accountability with enough senior leaders to know that the problem is not knowledge. Most leaders understand, in the abstract, that AI is a risk. The problem is ownership. They have not yet decided — explicitly, visibly, in a way that changes behavior — that AI governance is their accountability.

This book is about that decision.

Why June 12th

I chose the publication date before I wrote the first word. June 12, 2026 is the one-year anniversary of losing my mother.

She was the person who taught me, through her own quiet example, that accountability is not a burden. It is a form of love. You own the outcome because you care about the people who depend on it. That is the leadership principle at the center of this book.

This book is dedicated to her. To my wife and children, who gave me the space and the love to write it. And to every leader willing to be accountable before the crisis demands it.

THE PROMISE OF THIS BOOK

You can delegate the management of risk. You cannot delegate the accountability for its consequences. When something goes wrong, the board calls the CEO. Not the CTO. Not the CISO. You.

This book gives you the language, the stories, and the framework to own that accountability before the crisis — not after it.

The AI Mandate Declaration

Five commitments. One signature. One organization that has decided to lead.

The AI Mandate Declaration is not a checklist. It is a leadership statement. When a CEO signs this page, they are not completing a compliance exercise. They are announcing — to their organization, their board, and their vendors — that AI governance is their personal accountability.

THE AI MANDATE — FIVE COMMITMENTS
  1. AI governance is my accountability. I cannot delegate it completely. I can delegate the management. I retain the accountability for the outcome.

  2. Every AI tool in active use will have a named owner. Not a department. A person. If something goes wrong, there is one name attached to every AI tool in this organization.

  3. No AI tool handling our data will be used without written proof of zero retention. Not a privacy policy. A contract clause with consequences. Before any AI tool is approved, I will have written proof that our data is not retained.

  4. My employees will know the rules because I will tell them, not IT. A mandate from the CEO is policy. A mandate from IT is a suggestion.

  5. I will chair a formal AI Governance Review every quarter. I will read it. I will act on what it tells me. I will treat it as a leadership responsibility, not a reporting exercise.

This is The AI Mandate.

Signature
Date
Full Name
Title
Organization

This page may be reproduced freely for internal organizational use. Copyright 2026 Manav Chadha

The Leadership Mandate

You can delegate the task. You can never delegate the liability. 3 min read

Here is the thing nobody tells you when you accept a senior leadership role. They tell you about the strategy, the vision, the revenue targets. Nobody tells you that every single one of those things runs on technology. And that when the technology fails, nobody asks the CTO first. They ask you.

Five Days That Changed Everything

The power went out. Not a planned outage. A failure. And when the team went to restore systems, they discovered that critical firmware had not been updated in years. There was no named owner for the update process. There was no process.

Five days. That is how long the organization was down. And in those five days, the CEO faced three questions from the board that they could not answer.

Question: What happened?
What the answer reveals: Whether governance was operational or theoretical

Question: What is our Recovery Point Objective — how much data did we lose?
What the answer reveals: Whether the risk was understood before the event

Question: What is our Recovery Time Objective — when can I tell the business we are back?
What the answer reveals: Whether there was a plan, or just an intention

FROM THE TRENCHES

Five days of business downtime. The engineer who skipped the maintenance is long gone. The CEO still had to explain it to the board. That is what accountability without governance looks like up close.

The MDM Project

The gap between a leader's intention and an organization's execution is exactly the size of the accountability structures that fill it.

FROM EXPERIENCE

The gap between what a leader believes is happening and what is actually happening is always filled with something. Either it is filled with clear accountability structures and honest upward reporting. Or it is filled with confusion, assumption, and deferred problems.

What I Ask for on Day One

Show me the Risk Register.

Not because I want to read every line. Because the answer to that request tells me everything I need to know about whether governance is operational or theoretical. If someone can produce it in five minutes, the organization is managed. If the response is confusion, a meeting is scheduled, or it arrives three days later — I know where the work begins.

Hope is the worst disaster recovery strategy in existence.

Question: Can someone produce the Risk Register right now, without preparation?
What the answer reveals: Whether governance is operational or theoretical.

Question: Which AI tools are employees using today that were not formally approved?
What the answer reveals: Whether your AI governance is real. If nobody knows, the tools are being used without rules.

Question: If primary systems went offline in the next hour, who are the first three people you call?
What the answer reveals: Whether your crisis response is a plan or just an intention.

Proper delegation is not walking away. It is delegating the task and staying accountable for the outcome. That is a leadership decision you make before the crisis. Not during it.

— Manav Chadha
WHAT TO DO NEXT
  • Run the three questions in your next leadership meeting
  • Assign a named owner to every AI tool in use this week
  • Get the Risk Register in front of you before the next quarter ends
  • Send one email to your technology leadership this week asking for the AI tool inventory

The ROI of Trust

Governance is not your biggest cost. It is your most powerful competitive advantage. 3 min read

Most governance conversations start in the wrong place. They start with risk. That is the right conversation to have, but it is not the only one. And for many leaders, it is not the most persuasive one.

Risk avoidance is the floor. The ceiling is competitive advantage. When governance is operational, documented, and demonstrable, it becomes the thing that wins you clients, survives vendor audits, and lets you charge a premium because trust is the product.

The CMMI Story

I worked on a CMMI Level 5 assessment. When the assessment team arrived, the scores were poor — not because the work wasn't being done well, but because nobody had organized the evidence. The documentation existed in fragments, scattered, undated, without the structure an auditor needs to confirm what an organization claims about itself.

We brought the scores up. We presented the evidence. We passed. And then the real insight emerged: our site had performed significantly better than others in the portfolio. We now had a documented baseline. That baseline became the proof that opened new contracts.

FROM THE CMMI EXPERIENCE

The best time to build your governance baseline is before you need it. The second best time is now. A documented starting point is worth more than any number of undocumented good intentions.

The Vendor I Said No To

A vendor came to us. Strong product. Strong presentation. The sales team was impressive. Then we asked the question we ask every vendor: do you have a SOC 2 Type 2 report?

They had a Type 1. We asked about data retention — specifically, written contractual proof that our data would not be retained. They said they would get back to us. We did not approve the vendor.

Months later, that vendor had a data exposure incident. The organizations that had approved them without asking the question were in the headlines. Our client was not.

A vendor who hesitates to answer how they protect your data — that hesitation is their answer. Brand is not a security control. A professional sales presentation tells you exactly nothing about the quality of security controls.

— Manav Chadha
WHAT TO DO NEXT
  • Ask your procurement team: what security certification evidence did we collect in the last vendor renewal?
  • Request and actually read — not file — the most recent SOC 2 Type 2 report from every critical vendor
  • Treat every passed audit as a commercial asset — document it, date it, keep it accessible

Defining Your Red Lines

The most dangerous risks are the ones that look like convenience. 5 min read

Let me tell you about something I believe is happening in your organization right now. Today. Without your knowledge or your permission.

Employees are feeding confidential data into public AI tools. Not because they are careless. Not because they are trying to cause harm. Because AI tools give better answers when they have more context, and nobody told them where the line was.

And then the biggest question becomes: if something happens downstream as a result of that data exposure, who is responsible? The source of truth may simply be missing. Who knows what data trained which model, who supplied it, and what it produced? That is dangerous.

What goes in may stay in.

The Three Rules That Cannot Be Negotiated

Rule One If you would not post this information on your public LinkedIn profile, you do not feed it to a public AI tool. No exceptions.

This rule prevents the majority of data exposure incidents because it gives employees a concrete test they can apply in the moment. No training required. No ambiguity. Everyone already knows what they would not post publicly.

Rule Two No internal documents, financial data, client information, or proprietary content gets uploaded to a public AI tool.

The moment you upload a file, you surrender custody of its contents. The upload is where the most significant exposure occurs — an entire document submitted in a single action.

Rule Three Before any AI tool is approved for organizational use, obtain written contractual proof that the vendor does not retain your prompts or data.

Not a privacy policy. A contract clause with consequences. Privacy policies change without notice. Contract clauses have legal remedies.

What you feed into AI is your responsibility. Not the vendor's. The source of truth for AI governance is not the vendor's terms of service. It is the policy your CEO signs.

— Manav Chadha
WHAT TO DO NEXT
  • Send one email to your organization today announcing the Three Rules. Not from IT. From you.
  • Survey every department head: list every AI tool your team used in the past 30 days
  • Before your next vendor renewal, ask in writing: does your contract include a zero data retention clause?

Inside the Prototype

How Semantic Leakage Prevention Works in Practice

Let me be specific about what I built. Not theoretical. Not aspirational. Here is the actual mechanism.

Semantic leakage is what happens when meaningful, sensitive information leaves your organization through the ordinary use of public AI tools, one prompt at a time. The employee is not trying to leak data. They are trying to do their job. The leakage is a byproduct of context.

Before — What the AI Receives
Draft an email to Sarah Mitchell at Acme Corporation regarding the $2.4M contract renewal for Project Horizon. Her email is sarah@acmecorp.com.

Counterparty identity, contact details, deal value, and project name transmitted to external AI infrastructure.

After — What the AI Sees
Draft an email to [CONTACT_1] at [COMPANY_1] regarding the [VALUE_1] renewal for [PROJECT_1]. Her email is [EMAIL_1].

Semantic meaning fully preserved. AI utility maintained. Zero identifying data transmitted.

The employee gets what they need. The AI never sees the real data.

I want to be honest about what this is and what it is not. Pattern recognition is not perfect. A determined employee can describe sensitive context in ways no filter will catch. A document summarized in the employee's own words still carries meaning no tokenizer can mask. No technical layer, mine included, replaces the policy, the training, and the leadership mandate that the rest of this book is about.

The prototype closes the accidental path. Only governance closes the deliberate one.
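As an added illustration, not the author's prototype code (which the page does not reproduce), the placeholder substitution described above in Python. It assumes a local allow-list of known contacts, companies and projects plus generic e-mail and currency detectors, keeps the placeholder mapping on the organization's side so the model never sees real values, and also shows the limitation the text names: a paraphrased prompt passes through untouched.

```python
import re
from dataclasses import dataclass, field

# Generic detectors (constructed for this example): e-mail addresses and currency amounts.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MONEY_RE = re.compile(r"\$\d[\d,]*(?:\.\d+)?[KMBkmb]?\b")


@dataclass
class SemanticRedactor:
    """Replaces identifying values with stable placeholders before a prompt leaves the organization.

    The known_* lists are an assumed allow-list of entity names (e.g. exported from the CRM).
    Real values and the placeholder mapping stay local; only the redacted text is sent out.
    """
    known_contacts: list[str]
    known_companies: list[str]
    known_projects: list[str]
    mapping: dict[str, str] = field(default_factory=dict)   # placeholder -> real value
    _reverse: dict[str, str] = field(default_factory=dict)  # real value -> placeholder
    _counters: dict[str, int] = field(default_factory=dict)

    def _placeholder(self, kind: str, value: str) -> str:
        # A repeated real value always gets the same placeholder, so the model keeps
        # referential consistency ("[CONTACT_1]" means the same person throughout).
        if value in self._reverse:
            return self._reverse[value]
        self._counters[kind] = self._counters.get(kind, 0) + 1
        ph = f"[{kind}_{self._counters[kind]}]"
        self.mapping[ph] = value
        self._reverse[value] = ph
        return ph

    def redact(self, prompt: str) -> str:
        # E-mails go first so the company matcher cannot split "sarah@acmecorp.com".
        out = EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group(0)), prompt)
        out = MONEY_RE.sub(lambda m: self._placeholder("VALUE", m.group(0)), out)
        for kind, names in (("CONTACT", self.known_contacts),
                            ("COMPANY", self.known_companies),
                            ("PROJECT", self.known_projects)):
            for name in names:
                pattern = re.compile(rf"\b{re.escape(name)}\b")
                out = pattern.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), out)
        # Anything not matched by a detector or the allow-list (a paraphrased description
        # of a client, a deal, a location) is returned unchanged: the accidental path is
        # closed, the deliberate or descriptive one is not.
        return out

    def rehydrate(self, model_output: str) -> str:
        # Runs locally on the returned text; the provider never receives the mapping.
        for ph, real in self.mapping.items():
            model_output = model_output.replace(ph, real)
        return model_output


# The book's own before/after prompt, redacted with a constructed allow-list.
PROMPT = ("Draft an email to Sarah Mitchell at Acme Corporation regarding the $2.4M "
          "contract renewal for Project Horizon. Her email is sarah@acmecorp.com.")


def demo() -> tuple[str, str]:
    r = SemanticRedactor(["Sarah Mitchell"], ["Acme Corporation"], ["Project Horizon"])
    outbound = r.redact(PROMPT)
    # Constructed stand-in for the model's reply, phrased in placeholders.
    reply = "Dear [CONTACT_1], regarding [PROJECT_1] and the [VALUE_1] renewal with [COMPANY_1] ..."
    return outbound, r.rehydrate(reply)


if __name__ == "__main__":
    outbound, rehydrated = demo()
    print(outbound)
    print(rehydrated)
```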

WHAT I LEARNED

The technical solution needs the leadership mandate. You cannot code your way out of a behavior problem. The prototype stops the data from leaving. The policy stops the behavior that would send it. Both are required. Neither is sufficient alone.

The New Terrain

What Makes AI Risk Different — Why the governance you already have is necessary, but no longer sufficient.

AI has not replaced the risks your governance was built to manage. It has layered new categories of risk on top of them — categories that existing frameworks were not designed for.

Generative AI and the Confidentiality Problem

Every prompt is a potential data transmission. The employee using AI to draft a document may be sending more context than they realize — and the model may be retaining it.

Agentic AI and the Accountability Problem

When AI acts autonomously — scheduling, emailing, accessing systems — the question of who is accountable for its actions becomes urgent. The answer must be a named person, not a system.

Model Governance and the Black Box Problem

AI models make decisions that cannot be fully inspected. Governance requires auditability. The two are in tension — and that tension is now a leadership accountability.

AI Regulation and the Compliance Horizon

Regulatory frameworks for AI are being adopted globally. ISO 42001 is now the recognized international standard for AI management systems. Organizations that have not started are already behind.

AI Vendor Management and the Supply Chain Problem

Your AI vendors have AI vendors. The supply chain now includes model providers, inference infrastructure, and data pipelines you have never audited and may not even know exist.

THE CORE OF IT

The governance principles in this book are not new. The reason they matter more now is that AI has raised the stakes and shortened the timeline. The same accountability that has always belonged to the leader now governs systems that act on their own, learn from what they are given, and make decisions no one can fully inspect. The mandate has not changed. The cost of ignoring it has.

The Risk Radar

A metric with no source of truth is not a metric. It is a guess dressed up as a number.

I want to tell you about a walk I took with a senior leader. Not a strategy walk. A literal walk through a building, from the boardroom down to the people who actually managed the technology every day. His dashboard said everything was fine. He had been making decisions based on that dashboard for months. It did not reflect reality.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 4 covers the AI Governance Maturity Model in full — four levels from Unaware to Proactive — and what it takes to move your organization through each one. Available in the complete book.

Clean Fuel: Data Integrity

Garbage in, governance out. There is no shortcut past documentation.

Documentation is not bureaucracy. Documentation is survival.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 5 covers data integrity as the foundation of every AI governance program — why clean data is the prerequisite for trustworthy AI output, and what a data classification policy requires to be operational. Available in the complete book.

The Third-Party Trap

Your vendor's breach is your breach. There is no legal distinction that matters to your clients.

We were in the middle of a global migration project. The vendor told us the software would support the migration completely. It did not — a 32-bit architecture limitation they had not disclosed. The delay was our problem. The client's deadline was our problem. The vendor's gap became our gap.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 6 covers third-party AI risk in full — vendor audit frameworks, the four contract clauses that are now non-negotiable, and how to assess AI vendor security without being misled by brand or presentation. Available in the complete book.

The Human-in-the-Loop

The smartest algorithm in the world cannot feel that something is wrong.

I believe in AI. I use it. I advocate for it. I have built technical solutions on top of it. But one hundred percent dependency on any single system, including AI, is a risk without a mitigation. Keep the humans sharp.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 7 covers the governance structures that keep human judgment in the loop — where automation ends and accountability must begin, and what it means to build AI dependency without building AI resilience. Available in the complete book.

The Ethics Moat

The cover-up always costs more than the truth. Without exception.

I could talk about my mother every day. Not because the grief is still acute, though the loss is real. But because the lessons she embedded in me are ones I keep finding in my professional life, in situations she never could have imagined but would have recognized instantly.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 8 covers the ethics of AI governance — transparency, accountability, and why the organizations that lead on AI ethics build a competitive moat that cannot be replicated by policy alone. Available in the complete book.

The Kill Switch

There is no kill switch. There is only preparation.

Every leader I have ever worked with has asked the same question in some form: if something goes catastrophically wrong with our AI or our technology systems, can we just shut it down? The answer is more complicated than yes.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 9 covers AI resilience and continuity — what it means to have a tested kill switch, how to build AI shutdown procedures that actually work, and what most organizations discover too late about their own dependencies. Available in the complete book.

The Future-Proof CEO

Most executives think AI governance is about technology. It is about behavior, culture, and the decision to lead.

I want to tell you what I actually hope for when someone finishes this book. Not that they implement every framework in the appendix. I hope they become the leader who asks before the crisis.

CONTINUE READING IN THE FULL AI MANDATE

Chapter 10 closes with the Monday Morning Diagnostic — five questions every leader should be able to answer right now — and the governance posture that separates organizations that are ready from those that are not. Available in the complete book.

Executive Toolkit

You've Read The AI Mandate.
Here Is Your Next Move.

The governance gap closes with decisions, not documents. Choose your starting point below.

The Complete PDF

The full AI Mandate — CISO Quick Review Edition. Read offline, annotate, and share directly with your executive team or board.


AI Governance Assessment

25 questions. Under 8 minutes. A structured diagnostic that benchmarks your organization's AI governance posture across 5 dimensions — no email required.


Governance Checklist

A structured checklist built directly from the 90-Day Sprint framework — for the practitioners responsible for making governance operational.


Executive AI Governance Review

60 minutes with Manav Chadha. Complimentary — valued at $2,500. Walk through your governance posture and leave with a prioritized action plan.

All materials are ungated. No email required. No form. The AI Mandate is a trust-building asset — QTSI shares it openly.

About the Author

Manav Chadha

Digital Transformation & Cybersecurity Leader · AI Governance Practitioner

Manav Chadha is a technology leader, cybersecurity practitioner, and governance advisor with 25 years of experience in IT, information security, and cybersecurity. His work sits at the intersection of security governance, AI risk management, and executive decision-making — the space most organizations discover only after an incident makes it unavoidable.

He is the founder of QTSI (Quality Training & Technology Services Inc.) and TrustGate Security Inc., and the architect of the Semantic Leakage Prevention Prototype described in Chapter 3. The AI Mandate was written for the leaders he has advised who needed a governance conversation — not another framework document.

QTSI · TrustGate Security · Edmonton, Alberta
Executive Advisory

Your Private AI Governance Advisor

Ask any governance question — from where to start your 90-Day Sprint, to how to brief your board on AI risk, to which vendor clauses are non-negotiable. The Advisor draws on The AI Mandate framework and responds with the directness of a senior practitioner, not the hedging of a search engine.

Designed for executives who need answers, not orientation.
