The Governance Gap
- James W.
- May 2
Updated: May 17
Bridging the AI Governance Gap in Commercial Real Estate
By James C. Waddell, President, Cognitive Corp | IFMA ITC Board Member
Part 1 of 4: The Foundational Blog Series on AI Governance in the Built Environment
Your building is making thousands of autonomous decisions right now. The HVAC system fine-tunes airflow based on predicted occupancy. The lighting system adjusts brightness in corridors based on motion detection. The access control system analyzes credentials against various threat models. The energy management system balances load across different areas.
Yet, what’s alarming is that none of these decisions are governed.
This is what we define as the AI Governance Gap: the disparity between the advanced autonomous capabilities of building AI systems and the governance frameworks that should regulate, audit, and explain those decisions. The gap is present in nearly every commercial building that has adopted smart technology over the past decade, and it represents a significant category of risk that many facility managers, corporate real estate (CRE) executives, and building owners have yet to fully evaluate.
The Scale of the Problem
Consider the current regulatory landscape. Financial AI is overseen by the SEC. Medical AI falls under the jurisdiction of the FDA. Automotive AI is regulated by the NHTSA. However, building AI lacks a governing authority, at least for now. This regulatory void is gradually closing, notably with the upcoming EU AI Act (Regulation 2024/1689), set to be enforced by August 2, 2026. It categorizes building AI as high-risk critical infrastructure. Organizations that fail to establish governance frameworks risk penalties of up to €35 million or 7% of global annual turnover.
In 2026, a notable case study will highlight how a leading commercial real estate company faced substantial fines due to non-compliance with emerging governance regulations. This example underscores the urgency and relevance of the issue.
However, the regulatory threat is just one aspect. Operational risk could be even graver. When your building’s AI system makes a decision that could impact occupant safety, tenant comfort, or energy efficiency, three key questions must be answerable: What decision was made? Why was that decision made? Who verified the decision logic?
In most commercial buildings, the answers to these questions are unavailable. The AI systems operate as black boxes: they optimize, adjust, and learn, but they do not provide explanations, refuse to escalate issues, and do not defer to human judgment when necessary.
Why Current Approaches Fail
The demand for smart buildings has led to a surge of AI-powered products in the building technology industry. Building management system (BMS) vendors have incorporated machine learning for HVAC optimization; IoT platforms are utilizing occupancy analytics; and energy management systems are applying reinforcement learning for cost reduction.
However, none of these vendors include governance in their offerings. They focus solely on capability. Capability without governance introduces substantial risk.
The NIST AI Risk Management Framework (AI 100-1, January 2023) identifies four essential functions: GOVERN, MAP, MEASURE, and MANAGE. The GOVERN function, which establishes governance policies and oversight mechanisms, is emphasized as a prerequisite for the other three functions to work effectively. Despite this, governance remains conspicuously absent in many building AI deployments.
The consequences are predictable: buildings are becoming smarter but not necessarily safer. While they are optimizing and learning, they lack transparency and accountability. This is the essence of the AI Governance Gap.
What This Means for Your Organization
If you manage commercial real estate, healthcare facilities, data centers, cold storage, or any building type that implements autonomous AI systems, you are inevitably exposed to the Governance Gap. This exposure manifests in three key areas:
Compliance exposure: The EU AI Act, coupled with DHS critical infrastructure frameworks and the NIST AI RMF, emphasizes the need for governed AI in buildings. Organizations retroactively implementing governance measures will incur higher costs and longer timelines than those adopting governance proactively.
Financial exposure: Ungoverned AI decisions impacting energy usage, tenant comfort, or equipment lifecycle pose verified financial risks. For instance, if an AI system postpones maintenance to meet cost targets and the equipment then fails, the lack of governance documentation becomes a liability.
Safety exposure: In sectors like healthcare, defense, and critical infrastructure, ungoverned AI decisions can jeopardize human safety. If a building AI modifies ventilation in a critical area or dims lights in an emergency, the absence of accountability and consequence-aware decision-making shifts from a theoretical risk to a real operational hazard.
Assessing Your Organization’s Governance Gap
To help organizations evaluate their governance frameworks, consider the following checklist:
1. Do you have a governance policy in place for all AI systems?
2. Are decision-making processes documented and auditable?
3. Is there human oversight of AI decisions in critical areas?
4. Are you able to explain the rationale behind AI decisions?
5. Have you identified potential risks stemming from ungoverned AI interactions?
6. Do you actively monitor and audit AI systems for compliance with evolving regulations?
Taking inventory of these aspects is essential for mitigating risk and ensuring compliance as governance frameworks evolve.
Next in This Series
In Part 2, we will unveil the Building Constitution—a comprehensive governance framework for building AI that effectively bridges the AI Governance Gap. This framework is structured around three key pillars: Explainable AI, Human-in-the-Loop oversight, and Bias Mitigation, and it aligns with NIST AI RMF, the EU AI Act, and DHS critical infrastructure standards.
James C. Waddell is the President of Cognitive Corp, an AI enablement company located in Chicago that focuses on the built environment. He also serves on the IFMA Information Technology Council board and speaks internationally on AI governance within facility management.
Cognitive Corp | bob@cognitivewx.info



