The Question Has Changed

A year ago, when I walked into a room of maritime professionals and raised the subject of AI, the question in the air was some version of: should we be using this? There was curiosity, some scepticism, and a lot of watching from the edges to see what others would do first.

That question has gone. In the past three months, every conversation I have at conferences, in boardrooms, and in the training rooms I have been in this week starts somewhere different. The question now is: half of our people are already using AI, and I have no idea what they are doing with it.

That shift tells me something. Our industry moved from observer to participant faster than most expected, and mostly without a plan. The work now is getting organisations into a defensible position before the gap between individual use and organisational awareness costs them something they cannot easily recover.

The technology has moved faster than any governance conversation could keep up with. The most capable AI models are now powerful enough that the United States government has restricted access to the most advanced of them on national security grounds, because they are performing in ways that create real risk. Earlier this month, a Senate hearing was told that one such model identified vulnerabilities in classified systems, including software flaws that had gone undetected for over twenty years.

I mention this because it answers a question I still hear in the rooms I work in: is AI capable enough to matter for our operations? The answer is settled. The models are capable. The question our industry needs to move to is whether organisations have any kind of structured relationship with that capability, or whether it is happening around them without a plan. The same question of dependency, examined from the supply-chain angle, is taken up in Model Dependency Is a Supply Chain Decision.

Roughly 95% of organisations have no strategic plan for AI adoption, and only 6% report having seen measurable value from it (McKinsey, 2024). The gap between capability and value is a governance gap.

The word governance puts people on edge. It suggests compliance, paperwork, regulatory burden, something that arrives from outside and tells you what you cannot do.

Think of your SMS. Your safety management system is a practice for knowing what you have, understanding the risks, setting the standards, training your team, and reviewing it when conditions change. AI governance follows the same structure applied to a different domain. It carries the same weight and the same discipline, pointed at a different set of decisions.

The sequence matters, and it matters in a specific order.

The AI governance cycle

1. Inventory. Map every AI tool already in use, including the ones quietly adopted without approval.
2. Use cases. Identify the tasks and decisions where AI delivers the highest return on investment for your organisation.
3. Tool selection. Match each use case to the right AI mechanism: consumer tool, team plan, enterprise arrangement, or bespoke build.
4. Assess risk. Classify data, name accountability for AI-assisted decisions, and map current exposure.
5. Regulatory map. Identify your current obligations and what is on the horizon across your flag states, jurisdictions, and client base.
6. Set policy. Approved tools, permitted use cases, data handling rules, accountability, and how new tools get added over time.
7. Train and embed. Move the team to the defined practice through change management, not a one-day workshop.
8. Review. A standing cadence to update the inventory, reassess risk, and revise the policy as the landscape moves.

The cycle returns to inventory and runs continuously, the same way your risk management does.

You start with an inventory of what tools are already in use across the organisation. Most leaders discover more than they expected. From there, you identify the use cases: what your organisation is trying to do with AI, where the highest return on investment sits, and which problems have a clear enough shape to build a structured approach around. That picture tells you which tools or AI mechanisms are the right fit for each use case, and that is when you make deliberate tool selections rather than defaulting to whatever is most familiar. The companion question of which problems belong to AI sits inside this step.

Only at that point can you assess risk with any accuracy. You now know what you are doing, with what tools, and for what purpose. That makes it possible to ask the right questions: what kinds of information are going into these tools, what are your data handling rules, who is accountable when AI output informs a decision, and where does your exposure sit.

Then you map the regulatory landscape. What are your current obligations? What is on the horizon? This is where maritime gets particularly complex. Depending on your flag state, your client base, your port of operations, and the jurisdiction of your counterparties, you may be looking at overlapping obligations across multiple frameworks simultaneously. A vessel management company operating in Australia with European-flagged vessels and US-based ownership is not navigating one regulatory environment. It is navigating several at once. The current regulatory picture across jurisdictions is tracked in the governance reports, and the ISO/IEC 42001 management standard for maritime is becoming the reference for how the underlying system is structured.

With the risk assessment and the regulatory picture in hand, you set the policy. It covers which tools are approved, what information can be shared freely and what requires protection, who is accountable for AI-assisted decisions, and how new tools get reviewed and added over time. The policy is written against your actual situation, drawing on a generic template only as a starting structure.

Then you train. Training in this context is a change management process. The goal is to get your team using AI in the defined way, for the defined use cases, with the defined data rules, tied to the highest return on investment activities you identified at the start. That requires more than instruction. It requires embedding the new behaviour into how work gets done.

And then you review, on a standing cadence, because the landscape keeps moving.

What each step requires in practice

That cycle is governance. It runs continuously, the same way your risk management does.

Over the past few weeks I have delivered three full in-person training days with maritime organisations across Australia. From 5 to 15 per day, laptops open, getting into the tools they are already using and building skills that carry forward, because learning to work with AI is learning a way of thinking, not just learning a platform.

I relish the light bulb moment. Someone tries something they had not thought to try, the output surprises them, and you can see the shift: the realisation that what they are learning is a new way of thinking that goes with them wherever they work, well beyond the mechanics of any single tool.

What has also shifted is the conversation before the training even starts. A year ago I was still partly in the business of convincing people that AI belonged in their work. That conversation is over. The leaders sitting across from me now arrive knowing their teams are already using AI. The question they are bringing is different: I know half our organisation is already using some form of tool, and I am worried about how exposed we are.

That is a governance question, even when nobody uses that word. And navigating that path is exactly what I do.

The clearest starting point is an inventory. Before anything else, find out what AI tools are already in use across your organisation, including the ones people have quietly adopted because they make the work faster. The full picture, formal and informal, shapes every decision that follows.

If you have a team using consumer AI tools today without a policy in place, you are in the majority, and it is also the riskiest place to be sitting. The task is to move from informal use to informed use, and the path there is structured: know what you have, understand the risk, set the standard, train the people, review as you go.

For maritime operators, this matters beyond productivity. Your clients and counterparties are beginning to ask how you use AI. Your insurers may follow. The EU AI Act's transparency obligations take effect on 2 August, and while the high-risk provisions have been delayed for most categories, the obligation to disclose AI use in customer-facing communications is live from that date for any operator with EU exposure.

The governance practice you build now is the answer to those questions, before anyone has to improvise one under pressure.

If you would like to talk through where your organisation sits, you can book a conversation with me. Senior leaders working through this individually can take the same questions into a For Executives engagement, and organisations ready to structure the cycle end to end start with For Organisations. Teams who want to build the underlying skills can begin with the Academy.

Kristina Agustin is the founder of Southern Sky AI, a governance-led AI adoption practice serving maritime leaders across Australia, Asia-Pacific, the United States, and Europe.

McKinsey & Company (2024). The state of AI in 2024. McKinsey Global Institute.

European Commission (2024). EU Artificial Intelligence Act: Implementation Timeline. digital-strategy.ec.europa.eu