The Role of AI Governance Strategies in Mitigating Risk
Most destinations have spent the last two years getting comfortable with AI tools, with the pace of experimentation being impressive. The more complex question is what happens when the AI environment changes faster than the policies written for it.
Most destinations have spent the last two years getting comfortable with AI tools, with the pace of experimentation being impressive. The more complex question is what happens when the AI environment changes faster than the policies being written for it.
Research presents the size of the challenge clearly. A survey of nearly 1,000 senior business leaders found that 78% lack strong confidence that their organisation could pass an independent AI governance audit within 90 days. Most of those organisations have a policy in place and many even have a governance committee. The proof gap, as the report calls it, is the observed discrepancy between having an official AI policy and being able to show how decisions are made and who is accountable when things go wrong.
The Pressure to Act
Leadership teams are under significant pressure to demonstrate a return on AI investment, often resulting in a focus on the most visible aspects of governance. Approving tools, drafting policy documents and ensuring regulatory compliance are the tasks organisations prioritise. With the EU AI Act entering into full force in August 2026, regulatory compliance is a particularly important focus for European destinations. This means that careful attention must be placed on evaluating how AI tools influence the level of risk they are exposed to. For high-risk AI systems, the EU AI Act outlines a four-step process to ensure responsible and ethical AI development and deployment.
Yet, legal compliance represents a narrow scope and true governance must extend beyond responding to regulatory requirements. This is where the governance gap is most visible. A 2026 survey of around 500 organisations found that only about 30% had reached a meaningful level of maturity in strategy, governance and agentic AI controls. This demonstrates that while technical capability advances quickly, oversight and AI governance typically follow more slowly.
The clearest illustration of this gap is what happens to a destination's own information once it leaves the organisation's hands. A DMO's content and structured data are now read, interpreted and acted on by external AI systems. Search platforms curate visibility, travel assistants summarise information to generate recommendations, while agentic AI is gradually emerging as an integrated booking channel. Each of these applications sits outside a destination's governance framework, yet they have a substantial impact in communicating the destination's unique brand proposition and what a traveller should expect.
When an AI Agent Speaks for Your Brand
To understand why this matters for tourism, it helps to start with a case from two years ago. In February 2024, the British Columbia Civil Resolution Tribunal ruled on Moffat v. Air Canada. A traveller had asked the airline’s chatbot about bereavement fares and the chatbot gave incorrect information. When the case reached the tribunal, Air Canada argued that its chatbot was a separate legal entity, responsible for its own outputs. The tribunal disagreed and held the airline fully liable.
Since then, the tourism industry has viewed the ruling as a warning about chatbot oversight, but the broader implications are far more significant. An AI agent that speaks on behalf of a brand commits that brand, in legal and financial terms, regardless of how the AI was trained or whether the information was technically a hallucination. That principle is now settled in law.
What has changed in the two years since this ruling is the technology environment in which AI agents operate. In 2024, an AI agent was usually a single chatbot, owned and operated by one organisation, sitting on its own website or app. In 2026, general-purpose AI models frequently interact with AI connectors, linking to specific apps within the conversation. This shows how AI agents are working together to support user needs. However, while each AI agent plays a defined role, that process remains virtually invisible to travellers.
An example of this approach is the travel industry’s first end-to-end agentic booking pipeline announced by Sabre, PayPal and MindTrip in February 2026. A traveller describes a trip in natural language through the conversational interface. MindTrip interprets the request and asks Sabre to search across more than 420 airlines and two million hotel properties, with PayPal handling the payments. The whole journey from search to booking and payment happens inside the chat, without the traveller opening a new tab and without any human oversight of the recommendations.
The reality is that several AI agents are now negotiating on behalf of different parties in the same interaction. Each of these agents can be influenced by content that the other can't see. As AI tools become increasingly interconnected, misrepresentation can come from anywhere in the chain. When a destination's data contributes to an AI hallucination, the Air Canada precedent applies and the DMO carries part of the responsibility. Such implications are particularly relevant to consider as DMOs increasingly move towards providing AI tools with structured access to open data, representing a clear strategic shift away from producing static content toward actively feeding foundational models. This means that as autonomous agent-to-agent interactions become normalised, the potential legal exposure requires robust data governance to run in parallel with AI governance to protect both the destination and the visitor.
A recent technical finding has added another layer to this picture. In March 2026, researchers at UC Berkeley and UC Santa Cruz published a study showing that leading AI models exhibited 'peer-preservation' behaviour, working together to prevent each other from being shut down. This finding indicates that AI agents will increasingly act on inferred goals in transactions involving multiple agents, with potentially deceptive information generated when human oversight is removed from the process. This raises serious concerns about the degree of autonomy that should be considered acceptable for agent-to-agent interactions and emphasises the need to maintain regular monitoring of AI-generated outputs.
Compliance answers the questions that regulators have already assessed and legislated for. What it can't do is answer the questions arriving now, like which AI systems should be allowed to access and represent a destination’s data. What happens when one of them gets it wrong? Who in the organisation has the authority to intervene and how quickly?
Destinations are gradually moving towards taking stronger control of their digital voice, assigning formal oversight to AI-mediated communication and implementing safeguards to manage misinformation from third-party platforms. The deeper shift is from governance as a periodic review towards governance as continuous oversight, in recognition that systems which act and adapt in real time can't be governed only by quarterly committee meetings. Nonetheless, this conversation is new and the processes for enabling this all-encompassing and transformative change to AI governance are still being formalised.
X. Design Week 2026, taking place in Brussels on 2-4 June, opens with a day focused on internal transformation, capability and governance. Questions of agent boundaries, accountability and oversight are rarely solved in isolation, making collective problem-solving necessary for strengthening AI governance. As a forum for DMOs to discuss shared challenges, it provides a structured opportunity to exchange ideas with peers and dive deep into the big questions that will shape how AI is responsibly integrated into organisational strategies over the next couple of years.
Oops! Something went wrong while submitting the form.
Most destinations have spent the last two years getting comfortable with AI tools, with the pace of experimentation being impressive. The more complex question is what happens when the AI environment changes faster than the policies being written for it.
Research presents the size of the challenge clearly. A survey of nearly 1,000 senior business leaders found that 78% lack strong confidence that their organisation could pass an independent AI governance audit within 90 days. Most of those organisations have a policy in place and many even have a governance committee. The proof gap, as the report calls it, is the observed discrepancy between having an official AI policy and being able to show how decisions are made and who is accountable when things go wrong.
The Pressure to Act
Leadership teams are under significant pressure to demonstrate a return on AI investment, often resulting in a focus on the most visible aspects of governance. Approving tools, drafting policy documents and ensuring regulatory compliance are the tasks organisations prioritise. With the EU AI Act entering into full force in August 2026, regulatory compliance is a particularly important focus for European destinations. This means that careful attention must be placed on evaluating how AI tools influence the level of risk they are exposed to. For high-risk AI systems, the EU AI Act outlines a four-step process to ensure responsible and ethical AI development and deployment.
Yet, legal compliance represents a narrow scope and true governance must extend beyond responding to regulatory requirements. This is where the governance gap is most visible. A 2026 survey of around 500 organisations found that only about 30% had reached a meaningful level of maturity in strategy, governance and agentic AI controls. This demonstrates that while technical capability advances quickly, oversight and AI governance typically follow more slowly.
The clearest illustration of this gap is what happens to a destination's own information once it leaves the organisation's hands. A DMO's content and structured data are now read, interpreted and acted on by external AI systems. Search platforms curate visibility, travel assistants summarise information to generate recommendations, while agentic AI is gradually emerging as an integrated booking channel. Each of these applications sits outside a destination's governance framework, yet they have a substantial impact in communicating the destination's unique brand proposition and what a traveller should expect.
When an AI Agent Speaks for Your Brand
To understand why this matters for tourism, it helps to start with a case from two years ago. In February 2024, the British Columbia Civil Resolution Tribunal ruled on Moffat v. Air Canada. A traveller had asked the airline’s chatbot about bereavement fares and the chatbot gave incorrect information. When the case reached the tribunal, Air Canada argued that its chatbot was a separate legal entity, responsible for its own outputs. The tribunal disagreed and held the airline fully liable.
Since then, the tourism industry has viewed the ruling as a warning about chatbot oversight, but the broader implications are far more significant. An AI agent that speaks on behalf of a brand commits that brand, in legal and financial terms, regardless of how the AI was trained or whether the information was technically a hallucination. That principle is now settled in law.
What has changed in the two years since this ruling is the technology environment in which AI agents operate. In 2024, an AI agent was usually a single chatbot, owned and operated by one organisation, sitting on its own website or app. In 2026, general-purpose AI models frequently interact with AI connectors, linking to specific apps within the conversation. This shows how AI agents are working together to support user needs. However, while each AI agent plays a defined role, that process remains virtually invisible to travellers.
An example of this approach is the travel industry’s first end-to-end agentic booking pipeline announced by Sabre, PayPal and MindTrip in February 2026. A traveller describes a trip in natural language through the conversational interface. MindTrip interprets the request and asks Sabre to search across more than 420 airlines and two million hotel properties, with PayPal handling the payments. The whole journey from search to booking and payment happens inside the chat, without the traveller opening a new tab and without any human oversight of the recommendations.
The reality is that several AI agents are now negotiating on behalf of different parties in the same interaction. Each of these agents can be influenced by content that the other can't see. As AI tools become increasingly interconnected, misrepresentation can come from anywhere in the chain. When a destination's data contributes to an AI hallucination, the Air Canada precedent applies and the DMO carries part of the responsibility. Such implications are particularly relevant to consider as DMOs increasingly move towards providing AI tools with structured access to open data, representing a clear strategic shift away from producing static content toward actively feeding foundational models. This means that as autonomous agent-to-agent interactions become normalised, the potential legal exposure requires robust data governance to run in parallel with AI governance to protect both the destination and the visitor.
A recent technical finding has added another layer to this picture. In March 2026, researchers at UC Berkeley and UC Santa Cruz published a study showing that leading AI models exhibited 'peer-preservation' behaviour, working together to prevent each other from being shut down. This finding indicates that AI agents will increasingly act on inferred goals in transactions involving multiple agents, with potentially deceptive information generated when human oversight is removed from the process. This raises serious concerns about the degree of autonomy that should be considered acceptable for agent-to-agent interactions and emphasises the need to maintain regular monitoring of AI-generated outputs.
Compliance answers the questions that regulators have already assessed and legislated for. What it can't do is answer the questions arriving now, like which AI systems should be allowed to access and represent a destination’s data. What happens when one of them gets it wrong? Who in the organisation has the authority to intervene and how quickly?
Destinations are gradually moving towards taking stronger control of their digital voice, assigning formal oversight to AI-mediated communication and implementing safeguards to manage misinformation from third-party platforms. The deeper shift is from governance as a periodic review towards governance as continuous oversight, in recognition that systems which act and adapt in real time can't be governed only by quarterly committee meetings. Nonetheless, this conversation is new and the processes for enabling this all-encompassing and transformative change to AI governance are still being formalised.
X. Design Week 2026, taking place in Brussels on 2-4 June, opens with a day focused on internal transformation, capability and governance. Questions of agent boundaries, accountability and oversight are rarely solved in isolation, making collective problem-solving necessary for strengthening AI governance. As a forum for DMOs to discuss shared challenges, it provides a structured opportunity to exchange ideas with peers and dive deep into the big questions that will shape how AI is responsibly integrated into organisational strategies over the next couple of years.
Continue reading...
Get access to 100s of case studies, workshop templates, industry leading events and more.
.svg){kind=icon}
