Companies Aren't Getting AI Governance Wrong. They're Building the Wrong AI Evals.

July 7, 2026
Andrew Burt

For the past two years, one narrative has dominated enterprise AI: governance is slowing AI adoption.

Engineering teams often feel governance is creating unnecessary friction. Governance teams worry engineering is moving too quickly. The debate usually centers on how to balance innovation with risk.

I think we've been asking the wrong question.

The real problem isn't AI governance. It's the way we're evaluating AI.

Today's AI evaluations - or "evals" - are creating the worst possible outcome. Companies are shipping lower-quality, riskier AI, and they're shipping it more slowly. That isn't a governance problem or an engineering problem. It's an evaluation problem.

Over the past several years, our legal engineering team at LuminosAI has spent thousands of hours building AI risk evaluations for enterprise AI systems. Along the way, we reached a conclusion that surprised us: the biggest problem with today's AI evals isn't that they miss risks. It's that they simultaneously miss the risks that matter while flagging risks that don't.

This combination of false negatives and false positives creates a vicious cycle. Engineering teams spend valuable time investigating findings that ultimately aren't meaningful, while governance teams gain confidence that important risks have been addressed even when they haven't. The result is more work, more uncertainty, and slower deployment.

The reason this happens is surprisingly simple.

Most AI evals reduce complex questions to a single prompt evaluated by a single model. They ask questions like:

  • Is this output accurate?
  • Is this response biased?
  • Is there privacy risk?

At first glance, these appear to be straightforward questions. In reality, they aren't single questions at all.

Take bias as an example. Bias can manifest through explicit language, implicit assumptions, tone, sentiment, stereotypes, omissions, or contextual reasoning. Privacy is equally multidimensional, encompassing everything from data minimization and sensitive information to contextual appropriateness and regulatory obligations. The same is true for legal compliance, safety, and nearly every other meaningful category of AI risk.

Yet many evaluation systems attempt to answer each of these categories with a single prompt and a single AI judge.

We refer to this approach as low-dimensional evaluation.

The problem isn't necessarily the underlying model. It's that the evaluation itself is attempting to compress dozens of distinct questions into one. When that happens, it shouldn't surprise us that the system both overlooks important risks and identifies problems that aren't actually there.

Our research led us to a very different conclusion.

Rather than treating privacy, bias, or compliance as single concepts, organizations should decompose each into many distinct sub-risks, evaluate those sub-risks independently, and use multiple models selected for the kinds of reasoning they perform best. We call this high-dimensional, multi-model evaluation.

This approach fundamentally changes the quality of the results. Instead of receiving a vague finding such as "potential bias detected," engineers receive specific, actionable information about exactly which aspect of a risk failed and why. Governance teams gain a much more accurate understanding of where genuine risk exists. False positives decrease. False negatives decrease. Remediation becomes faster. And AI reaches production more quickly without sacrificing safety.

One of the biggest lessons we learned is that this is not purely an engineering challenge.

Building effective AI evaluations requires expertise from multiple disciplines. Engineers understand model behavior. Lawyers understand legal standards. Privacy professionals understand responsible data handling. Compliance specialists understand regulatory expectations. Effective evaluations emerge from the combination of these perspectives rather than from any one discipline working alone.

We're still a startup, so we can't publish the proprietary techniques behind our evaluation platform. However, we believe the underlying principles are too important to keep private.

That's why we're releasing our latest white paper, A Practical Guide to Agentic & GenAI Risk Evals. In it, we describe the evaluation philosophy that has guided our work and explain why we believe the industry needs to move beyond low-dimensional evaluations toward a fundamentally different way of measuring AI risk.

Click here to download the whitepaper.

The AI industry has made extraordinary progress improving foundation models over the past several years. We believe the next major leap forward won't come from models alone. It will come from building evaluation systems that allow organizations to move both faster and more safely.

That's the future of AI governance we're working toward.

All Posts