The Fractured Application of AI Governance: A Classification Failure Across Five Frameworks, and the Case for Holistic AI GRC

The term "AI governance" appears in international treaties, national regulations, industry standards, and corporate policies. In each context, it means something fundamentally different. ISO 42001 defines a certifiable management system. NIST describes a voluntary risk culture. The EU AI Act establishes a legally binding enforcement architecture. The OECD articulates norms for national governments. Singapore offers practical accountability processes for businesses. This memorandum argues that the central problem in AI governance is not a shortage of frameworks but a classification failure. The same term is being applied to fundamentally different activities, by fundamentally different actors, at fundamentally different levels of organizational structure. The compliance architecture underneath it was built for bounded, domain-specific risks. AI risk does not stay within those boundaries. The paper traces how traditional compliance roles were designed, why AI broke the model, how the insurance market has already priced in the failure, and why the response requires integrating governance, risk management, and compliance into a unified discipline rather than treating AI as a governance problem alone.