Future of the Web 2026: Chapter 4

Key findings

When an AI summary points someone to the source, the place they land is where the brand either earns the relationship or doesn’t. Most enterprises know this. Fewer know what the website needs to do once the visitor arrives.

Enterprise leaders agree on what human content requires.

The strategic debate is over among enterprise marketers. Leaders have already decided that human-feeling content is required and that AI without review is a brand risk.

Next year’s funded work is operational: governance, review systems, and editorial pipelines that let AI move fast without going unreviewed.

Trust comes from a website that feels alive.

A human-feeling tone is the price of entry. The brands earning return visits are the ones whose websites do things AI summaries structurally can’t, like polls a reader can vote in, charts that respond to a click, and content that reshuffles based on what they’re reading. These are the small delightful moments that make a site feel like a person made it. These are what bring readers back to the website. A flat AI summary has no way to deliver them.

Speed and freshness still matter for AI discovery. The brands earning return visits add interactivity on top of them, treating the website as a place to spend time rather than a place to grab a citation and leave.

Measuring what keeps people on the site (and what drives them back) is where content analytics connects to this chapter’s argument. You can’t build a site that “feels alive” if you can’t see what’s working.

See it in action: Slate

Slate built an AI-powered infinite scroll directly into its editorial infrastructure. They used AI to surface relevant follow-on content for readers without removing editorial judgment from the loop.

The feature lives inside the same publishing platform editors already use, with the same governance applied to AI-driven recommendations as to human-curated ones. AI removes the drag while editors decide what ships.

Ungoverned vs. governed AI content workflows

Two ways to manage AI in the content pipeline. The difference is where the rules are enforced.

Dimension	Ungoverned AI content	Governed AI content
Where rules live	In documents and process maps outside the platform	Enforced in the platform architecture itself
AI capability	AI can generate and publish independently	AI generates within defined limits; humans approve what ships
Human review	Required by policy, easy to bypass	Required by architecture, cannot be skipped
Audit trail	Manual, often partial	Automatic, captures every AI action and review decision
Speed of publication	Fast, but with brand-risk exposure	Fast within guardrails; nothing ships without review
Common failure mode	A bot publishes something nobody can sign off on	A workflow blocks legitimate content; tuning required
Liability profile	Increasing, under audit by procurement and legal	Compliance-ready, defensible to legal and procurement

Why AI content governance matters now

The case for AI content governance is usually made with abstractions. The concrete version is shorter: without governance, brands are absorbing risks they used to be able to manage by hand. The risks have grown faster than most enterprise governance has adapted.

Hallucinated brand-damaging content. AI tools generate factually wrong content when nobody is checking, and the wrong content reaches customers before anyone notices. Moffatt v. Air Canada, decided by the British Columbia Civil Resolution Tribunal in February 2024, is the standing example. A passenger relied on bad chatbot advice about bereavement fares, and the tribunal ruled Air Canada liable for negligent misrepresentation by its chatbot. The airline argued the chatbot was “a separate legal entity.” The tribunal rejected that and ordered Air Canada to pay damages.

Regulatory exposure. The EU AI Act entered into force on August 1, 2024 and is fully applicable by August 2, 2026, with prohibited AI practices already enforceable since February 2, 2025. Penalties scale by violation type: up to EUR 35 million or 7% of global turnover for prohibited AI practices, up to EUR 15 million or 3% for breaches of high-risk AI system requirements, and up to EUR 7.5 million or 1% for misleading authorities. Brands using AI in customer-facing content without an audit trail are now actively building legal exposure.

Customer trust erosion. WordPress VIP’s 2026 survey found 85% of enterprise leaders believe AI-generated content published without human review erodes brand trust. The brands losing the most trust right now are the ones moving fastest without governance.

Content quality drift. AI tools that work well at launch produce worse output over time as models update, prompts age, and team practices shift. Without governance, the drift goes unnoticed until a quarterly content review or a customer complaint forces a look.

Inconsistent quality across teams. In multi-brand enterprises and global operations, different teams use AI tools differently. Without governance, the experience customers get from one part of the business looks nothing like the experience they get from another. The brand becomes inconsistent across its own surfaces.

AI content governance regulations to know

The regulatory landscape for AI-generated content has reshaped fast in the past 18 months. Five areas enterprise marketing leaders need to know about.

EU AI Act. In force since August 1, 2024. Prohibited AI practices have been enforceable since February 2, 2025, with most other provisions fully applicable by August 2, 2026. It takes a risk-based approach, with the strictest rules for “high-risk” AI systems and outright prohibitions on certain uses. For content teams, the relevant obligations include transparency disclosures when AI is used to generate or manipulate text or media, documentation requirements for AI systems making consequential decisions, and the General-Purpose AI Code of Practice. Penalties scale by violation type: up to EUR 35 million or 7% of global turnover for prohibited practices, EUR 15 million or 3% for high-risk system breaches, and EUR 7.5 million or 1% for misleading regulators.

SR-26-2 (United States). On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued revised guidance on model risk management, replacing the long-standing SR-11-7. The new framework is risk-based and proportional, with regulatory expectations scaling to institution size and model-risk profile. It applies most directly to banking organizations with over $30 billion in total assets. Notably, SR-26-2 explicitly carves out generative AI and agentic AI from its scope, calling them “novel and rapidly evolving” and directing institutions to apply their existing risk management practices. The principles (model inventory, performance validation, ongoing monitoring) inform governance discussions well beyond banking.

State-level U.S. laws. California’s AB 2013, the Generative AI Training Data Transparency Act, took effect January 1, 2026. It requires generative AI developers to publish documentation about training data, including dataset sources, copyright status, and whether personal information was included. Colorado’s SB 24-205 was signed in May 2024 and was originally set to take effect February 1, 2026, before being delayed to June 30, 2026. A federal court paused enforcement in April 2026 during litigation, and in May 2026 the Colorado legislature passed SB 189 to repeal and replace the law with a narrower disclosure-based framework effective January 1, 2027. New York and other states have legislation in motion. The U.S. patchwork means enterprise content operations have to track compliance state by state.

GDPR. GDPR predates the AI era but applies directly to AI systems that process EU residents’ personal data. Article 22, on automated individual decision-making, gives consumers the right to human review of consequential AI decisions, which has direct implications for AI-generated content that influences customer outcomes.

Canada’s Directive on Automated Decision-Making and AI Strategy (2025-2027). Canada’s federal framework is government-facing but increasingly referenced by Canadian enterprises building their own governance.

The pattern across all five: governance is becoming a documented, auditable practice. Stated intentions no longer satisfy regulators.

AI content governance frameworks and examples

The category has three reference frameworks worth knowing. They overlap in principles but differ in emphasis and scope.

NIST AI Risk Management Framework (AI RMF). Published by the U.S. National Institute of Standards and Technology in January 2023, with the Generative AI Profile released in July 2024. The framework organizes governance into four functions: Govern, Map, Measure, Manage. The GenAI Profile identifies twelve risk areas specific to generative AI, including confabulation, harmful bias, and information integrity. The framework is voluntary in the U.S. but increasingly referenced in procurement requirements, and several state laws (including the now-replaced Colorado AI Act) cited NIST AI RMF alignment as a recognized affirmative defense.

OECD AI Principles. Adopted by 47 countries, including all OECD members and several non-members. The principles emphasize human-centered values, fairness, transparency, robustness, and accountability. The OECD framework is the reference point for most national AI strategies and was the basis for the G20 AI Principles.

EU Ethics Guidelines for Trustworthy AI. Published by the European Commission’s High-Level Expert Group on AI in April 2019. The guidelines define seven requirements for trustworthy AI: human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity and non-discrimination, societal and environmental wellbeing, and accountability. The EU AI Act is built on these foundations.

The same rules govern AI and editorial.

Brands solving this use their website as the foundation under both AI and editorial work. AI scans the content, editors govern it, and both run on the same foundation, with the same standards and audit trail.

This is the line WordPress VIP holds. AI agents and human editors work within the same governance, on infrastructure brands actually own. The platform enforces both AI capability and editorial control at the architecture level, so brands don’t have to enforce them piece by piece.

“Bots are like the world’s greatest and worst intern. They’re the greatest intern because they will plow through thousands of files and they’ll look at photos all day long and they never get tired. They never complain. But they’re also the world’s worst intern in that they can delete your production database. So the challenge is to make sure that what the bots are allowed to do has guardrails, that there’s safety, that they operate under a security context with certain authorization and permissions.”

— Brian Alvey, CTO, WordPress VIP

What this means for 2027

Within the next two RFP cycles, “human in the loop” will stop being a talking point and become a procurement requirement. Platforms that can’t enforce governance in the architecture itself will become liabilities the same way unmaintained CMSes became liabilities after the data-breach era of 2017.

Companies building this foundation now will know what their AI content is earning. Everyone else will still be in legal review with content nobody can sign off on.

“MCP needs an S in it. It needs security, it needs scale, it needs auditing, it needs role-based access. It needs the things that enterprise will require because every major large entity has a CISO that’s being overcome with a tsunami of agentic requests across the org.”

— Brant Williams, Enterprise Account Executive, WordPress VIP

Continue reading

FAQs about AI content governance