Every single executive leading one of the world's 500 largest companies said, without hesitation, that their company was "governing AI." Then came the follow-up question: "If that AI is causing harm right now, who has the authority to shut it down?" This time, most had nothing to say. Joseph Wallace, Adobe's director of data and AI governance, opens his piece in MIT Sloan Management Review with that one silence. The gap between claiming to govern AI and actually being able to stop it is what he's pointing at — and it's a gap that shows up at every company, at every scale, which is exactly why it matters just as much for practitioners in Korea.

Governance statements pile up. Shutdown authority stays blank.

"AI governance" has become a fixture of corporate filings and press releases. Behind the phrase sit usage guidelines, ethics documents, internal review processes. Some large companies have even formed dedicated committees. From the outside, it looks like a functioning system.

But Wallace zeroes in on the gap that inevitably opens up inside that system. There's someone who drafts the AI policy. Someone who defines the ethical standards. Someone who distributes the usage guidelines. But when an AI system actually malfunctions or causes harm, who has the authority to pull it offline or restrict its operation is, in most organizations, never decided in advance.

"If this AI is causing harm, who is responsible for stopping it?" If you can't name that person on the spot, the execution structure is unfinished — no matter how thick the rest of the governance documentation is.

Korea is no exception. More teams are drafting AI usage guidelines, and seminars sharing adoption case studies have become more frequent. But when an AI customer-service tool confidently states something untrue, or a marketing automation tool sends out a message in an unintended tone, few teams have already decided who can make the call and shut things down on the spot. Guidelines are being written faster than shutdown structures are being designed.

Control means being able to stop it, not use it well

When teams first adopt an AI tool, most practitioners focus on using it better — refining prompts, connecting it to more workflows, widening the scope of automation. That's the natural order of things. But Wallace is pointing in the opposite direction. Proof that you control a tool isn't how well you can use it — it's whether you can stop it.

You can only say a governance program is genuinely operating once someone has clearly been granted the authority to make the call to stop.

"Deciding to stop" is actually several linked steps. Who detects the warning signs coming from this tool, and how? Once that signal comes in, who has the authority to act on it? And afterward, who decides, by what criteria, when it's safe to resume? At large companies, these roles are scattered across different teams, which makes coordination complicated. At small organizations or for solo operators, one person often handles all of it — but rarely recognizes that as an explicit responsibility they hold.

In management theory, separating who executes a decision, who bears final accountability, who should be consulted, and who merely needs to be informed is considered the starting point of organizational risk management. Apply that lens to the decision to shut down an AI system, and you'll find that in most organizations, the "final accountability" box is empty. Whether that blank has been sitting there for a long time or simply hasn't been noticed yet varies by organization — but the blank itself is universal.

Naming a shutdown owner doesn't make the problem go away

It's worth looking honestly at the counterargument here. Naming a single person responsible for shutdown isn't, by itself, enough to manage AI risk.

Once a clear owner is named, everyone else tends to stop watching and judging for themselves — a "that's their job" reflex kicks in. Social psychology calls this the diffusion of responsibility: the more concentrated accountability becomes in one person, the weaker everyone else's willingness to act becomes. This happens even with a named owner in place, and if that one person is out or burned out, both detection and judgment go dark at the same time.

There's a deeper problem, too. Not every AI harm sends a clear "stop now" signal. A subtly biased tone creeping into customer interactions, internal decisions leaning too heavily on data skewed in one direction, a content recommendation range slowly narrowing — none of these look like an obvious incident. Even with a named owner, if there's no monitoring system giving that person something to act on, no real line of defense gets built. Naming a shutdown owner is the starting point of governance, not the finish line.

Wallace doesn't deny this limitation either. The question he poses isn't a formula for handling every kind of risk. It's a minimum bar for telling whether governance has moved from a declaration to a structure that can actually be executed.

What practitioners can check right now

A story about Fortune 500 companies might sound like it belongs to a different scale of operation. But the same question applies the moment even one AI tool is part of your workflow.

Start by listing every AI tool currently in use. Slack bots, email auto-sorting, content drafting, customer-service automation, meeting summarizers — simply naming and listing them changes how you see the picture. Most small teams have never made this list. Once you do, there are usually more tools already embedded than expected.

Next, for each tool, write down one line: "How would I know if this tool produced a wrong result?" Without monitoring, you may not notice a problem until the harm has already spread. Setting even one warning-sign criterion per tool changes how fast you can respond.

Finally, check: "If I decided to stop this tool right now, how quickly could I actually do it?" Knowing in advance whether you can revoke an API key instantly, how many days it takes to cancel a subscription, and whether additional internal approval is required changes your decision speed when it actually matters. This isn't a crisis-response manual — it's basic hygiene for operating a tool.

Mid-level managers driving AI adoption in Korea have one more thing to check. The people who first notice something going wrong are usually the frontline staff actually using the tool, while the authority to shut it down usually sits higher up. If there's no pre-built channel for staff to flag a warning sign to leadership, the gap between noticing and deciding stretches out. Designing that channel in advance is a concrete contribution a mid-level manager can make right now.


Feeling like you control AI through documentation and actually having a structure that can stop it are two different things. Naming a shutdown owner isn't glamorous. It's not forming a committee, and it's not issuing a new set of principles. It's just filling in one blank with one name. I'd argue that governance with that one line left blank isn't yet operational — no matter how thick the rest of the documents are.