Harsh Singhal Is Turning AI Governance From a Policy Problem Into an Engineering Solution

In 2025, Trustmarque surveyed organizations across industries on the state of their AI governance and found that only 7 percent had fully embedded AI governance into their development pipelines, even as 93 percent reported using AI in some capacity. The remaining organizations had policies, some had frameworks, and most had committees, but what they lacked was a system that enforced any of it automatically, consistently, or at the speed their AI operations actually ran. Harsh Singhal has built his career on the engineering side of that problem, working across LinkedIn, Netflix, Adobe, Koo, and now Glean to turn written governance policy into technical systems capable of detecting violations, applying controls, and supporting remediation in production.

Why Policy Alone Fails

The structural problem with governance frameworks is rarely that they are poorly written. Most organizations employ experienced people to write them carefully. The problem is the enforcement mechanism, or more precisely, the absence of one. A policy that says sensitive data should not be accessed by unauthorized users does nothing automatically when an unauthorized user accesses it, and a policy prohibiting the use of AI on regulated personal data generates no alert when an automated workflow processes that data. Generative AI has widened this gap significantly by accelerating the volume and variety of data moving through organizational systems beyond what manual oversight can realistically track.

“Organizations have known for years what their governance policies should say,” Singhal said. “The gap was always on the enforcement side. When you have AI systems, automated workflows, and millions of documents all moving simultaneously, manual review is not a viable control. You need systems that can apply policy logic in real time.”

A 2025 ModelOp benchmark report found that 44 percent of enterprise leaders say the governance process is too slow, and 58 percent cite disconnected systems as a top structural blocker. Only 14 percent enforce AI assurance at the enterprise level, which means the vast majority of organizations are operating AI systems in conditions where their stated governance policies have no reliable technical enforcement mechanism behind them.

How Technical Controls Change the Equation

Singhal’s approach, developed across multiple roles and formalized in a growing patent portfolio, combines machine learning, contextual signals, and policy logic so that governance operates as part of the system rather than as a separate audit layer applied after the fact. The key architectural difference is that his systems assess context rather than content alone. A document containing salary figures might be entirely routine in a compensation review workflow and genuinely sensitive in a different access context, and a data loss prevention tool that classifies documents by content type will treat both situations identically. A system that incorporates who is accessing the document, under what permissions, with what behavioral history, and how that data connects to other organizational signals can distinguish between the two with far greater precision.

At Glean, his work has contributed to sensitive content detection systems that use enterprise graph data, document permissions, activity signals, and infotype classifiers together to assess risk in unstructured enterprise content. 

Publicly available information from Glean documents accuracy rates above 80 percent on unstructured data, where traditional data loss prevention tools have historically performed well below that threshold because they rely on pattern matching rather than the contextual signals that make sensitivity situational.

“The goal is a system that produces outputs a security team can act on with confidence,” Singhal said. “If your governance system generates too many false positives, people stop trusting it. If it misses real risk, it creates false assurance. Getting that precision right requires a system that understands context, and building that is considerably more involved than deploying a keyword classifier.”

Patents as Technical Evidence

Singhal’s patent portfolio reflects how his approach to governance engineering has developed into concrete, filed inventions. US20250371085A1 describes a system for enterprise-aware data security posture management using contextualized access intelligence, an approach that assesses data security through dynamic analysis of access relationships rather than static file classification. Two provisional patent applications extend this further, one addressing enterprise intelligence systems with adaptive planning and memory that enable more precise and adaptive governance across tasks, and another covering compile-time and runtime security assurance for automated agents and software workflows that interact with external data and tools, a direct technical response to the emerging challenge of governing AI agents operating autonomously inside organizational environments. Earlier patents, including US10491697B2 on bot detection and US20120130771A1 on chat categorization and agent performance modeling, demonstrate that his work in building reliable, policy-aware AI systems predates the current period of industry attention to AI governance by several years.

Technical Evidence in Practice

Singhal’s technical record reflects a long-running focus on building practical systems for AI governance, security, and enterprise intelligence. His work includes enterprise-aware approaches to data security posture management that rely on contextualized access intelligence, moving beyond static file classification to evaluate how information is actually accessed and used across an organization. 

He has also developed work in adaptive planning and memory for enterprise intelligence systems, as well as security assurance techniques for automated agents and software workflows that interact with external data and tools. 

These contributions are especially relevant as enterprises grapple with the risks and governance challenges posed by increasingly autonomous AI systems. His earlier work in areas such as bot detection, chat categorization, and agent performance modeling further shows that he was building reliable, policy-aware AI systems well before AI governance became a major industry focus.

The Regulatory Pressure Arriving Now

The European Union’s AI Act has begun enforcement in phases, placing mandatory compliance requirements on organizations deploying high-risk AI systems, including requirements for risk management, data governance, and technical documentation. Equivalent frameworks are advancing across the United States, the United Kingdom, and Asia-Pacific, and the AI governance market is projected to grow substantially through 2030 as organizations move from reactive compliance to proactive system design. 

For those that have treated governance primarily as a documentation exercise, the regulatory shift creates pressure that written policy cannot answer on its own. “What the regulations are asking for is what good technical governance already does,” Singhal said. “Documented controls, measurable outcomes, systems that detect and respond. The organizations that built those systems before the pressure arrived are in a very different position from those building them now.”


Copyright © 2026 TechBullion. All Rights Reserved.
