AI Is Already Running in Your Marketing Team. Does Anyone Own It?

In the last few posts, we’ve started reviewing the 4P AI Marketing Excellence Framework and each of its pillars. The next pillar, ‘Protect’, covers risk mitigation: ensuring data privacy, governance and responsible AI use.

The 4P AI Marketing Excellence Framework provides an overview of how to leverage AI effectively and responsibly for marketing.

While most marketing conversations focus on what AI can do, very few focus on making sure that AI usage doesn’t get out of hand. And it does.

Why AI Governance Matters

DPD's AI customer service chatbot was manipulated by a frustrated customer into swearing on the company's behalf and writing poetry about how terrible DPD was - all in a live, customer-facing environment. Screenshots went viral. Funny for most, but your own chatbot calling your company the worst delivery firm in the world is not the kind of free PR you’re looking for.

In a similar chatbot-related incident, Air Canada was found legally liable for misleading information provided during the exchange, despite arguing it shouldn't be responsible for what the bot said. The tribunal disagreed.

Just weeks ago, PocketOS, a SaaS platform used by car rental businesses to manage reservations, payments and customer records, suffered a catastrophic outage after an AI coding agent encountered a routine technical problem and decided, entirely on its own initiative, to fix it by deleting the entire database. Then all the backups. While the data was eventually largely recovered thanks to the business’ cloud infrastructure provider, the AI agent’s rogue action caused a 30-hour outage and significant operational chaos for the platform and its customers, as well as potential reputational and trust issues for PocketOS.

The 2025 IBM Cost of a Data Breach Report revealed that AI adoption is greatly outpacing AI security and governance, highlighting the following, worrying stats:

  • 13% of organisations reported breaches of AI models or applications, while 8% of organisations reported not knowing if they had been compromised in this way.

  • Of those compromised, 97% reported not having AI access controls in place.

  • As a result, 60% of the AI-related security incidents led to compromised data and 31% led to operational disruption.

Aside from these real-life examples of lack of AI governance, regulators are catching up. The EU AI Act - the world's first comprehensive AI regulatory framework - entered into force in August 2024 and is rolling out in phases, with full enforcement landing in August 2026. For marketing teams, this includes transparency obligations around AI-generated content, restrictions on certain personalisation techniques, and disclosure requirements when consumers interact with AI. Critically, it applies to any organisation whose AI tools reach EU audiences - regardless of where you're headquartered.

The regulatory era of AI has begun. The question is whether marketing functions are ready for it.

The Data Question Nobody Thinks Is Still a Question

Before we get to the high-profile failures, there's a more fundamental issue that a surprising number of organisations still haven't resolved: what data should and shouldn't be fed into AI tools in the first place.

This matters more than most marketing teams realise. When AI is used for audience segmentation, go-to-market strategy, or campaign personalisation, it often draws on CRM data: customer purchase history, behavioural data, contact information, sometimes sensitive demographic fields. When that data is entered into third-party AI tools, it may be used to train models, stored in ways you can't audit, or processed outside the jurisdictions your privacy policy assumes.

The basic governance question - what data can we share with this tool, and under what conditions? - needs to be answered before any AI tool touches customer data. This isn't a marketing question alone. It's a joint conversation between marketing and IT, informed by legal and privacy. But marketing needs to be at the table, because marketing is often the team making the tool choices and feeding in the data.

The High-Risk Use Cases in Marketing

Not all AI use in marketing carries the same risk profile.

Generative AI - tools that produce content, copy, images or video - introduces risks primarily around data exposure and content quality. AI-generated content that is factually wrong, off-brand, legally problematic or deeply uncanny can move from creation to publication with very little friction. When that's happening at scale, across teams, with vendor-generated assets in the mix, the exposure compounds quickly.

Agentic AI goes further. These systems don't just produce outputs - they take actions. In a marketing context, that might mean an AI that can analyse campaign performance, reallocate media spend across channels, trigger customer journeys based on behavioural signals, or optimise targeting parameters automatically, in real time.

With generative AI, the primary risks are around data exposure and content quality. With agentic AI, organisations must also govern:

  • Decision-making authority: What is the AI actually empowered to do?

  • System permissions: What does it have access to, and across which platforms?

  • Human override processes: Who can stop it, and how quickly?

  • Accountability and auditability: Can you reconstruct what happened, and why?

The risk isn't that agentic AI is bad. It's that it moves fast, has reach across systems, and the failure modes are harder to catch before they propagate.

Customer-facing AI agents and chatbots sit in a category of their own. Any AI that speaks to a customer on your behalf creates reputational and legal risk if it hallucinates, misrepresents, or goes off-script.

Third-party and vendor AI remains an underestimated exposure. Much of the AI your team is using sits inside tools you didn't build and can't fully audit. Even if the problem comes through a vendor, the brand still wears the consequences.

A Practical Framework for Marketing AI Governance

There's a structure emerging in how mature organisations are approaching this — and it maps cleanly to the marketing context.

1. Map out your AI uses and classify by risk tier. Not everything needs the same level of scrutiny. A tool helping a marketer draft an internal brief carries different risk than an autonomous agent reallocating budget or a chatbot handling customer complaints. Map your tools and use cases, assign a risk tier to each, and let that tier determine the level of governance required. Customer-facing, brand-impacting, data-intensive, and decision-making applications sit at the top.

2. Establish clear ownership and close the gap between marketing and IT. This is where most organisations stumble. Marketing adopts tools quickly and independently. IT often doesn't know what's running. Neither has full visibility, and the space between them is where governance breaks down. Marketing should lead on use case definition, brand standards, content review, prompt governance, and outcome accountability. IT should own security review, data governance, vendor assessment, and integration into enterprise systems. The grey zone - model behaviour, third-party APIs, agentic workflows, CRM data permissions - needs joint accountability.

The key is not to become a blocker for AI usage, as this usually backfires. JP Morgan prioritised visibility over control: they asked business units to register AI tools in use, with no approval required. After obtaining an inventory of the tools in use, the company built governance around those and enabled responsible use that way.

3. Build human checkpoints into the workflow, not just at the end. For high-risk use cases, review can't be only a final gate; it needs to sit inside the process. This means defined approval steps, clear prompting standards, and someone whose role includes watching for drift - in outputs, in vendor behaviour, and in how tools are actually being used day to day. For agentic systems specifically, this means defining upfront what the AI is and isn't authorised to do, and making sure a human can intervene when it matters.

Marketing Should Lead This - But Not Alone

There's a tendency to treat AI governance as an IT problem. It isn't, at least not in marketing.

The risks that surface in marketing AI are brand risks, compliance risks, and customer trust risks. That means marketing needs to own the conversation, set the standards, and be accountable for outcomes.

But marketing teams typically don't have the technical depth or capacity to assess model risk, audit vendor data practices, or evaluate what happens when an agentic tool starts taking actions at scale. That's where IT, as well as potentially legal and procurement, need to be in the room from the start, not brought in after something breaks.

Govern AI or let it govern you

AI governance in marketing isn't about slowing things down. It's about making sure the pace of adoption doesn't outrun your ability to manage the consequences.

