Maritime AI Governance: Why 81% Pilot, 11% Scale

Across the industry, 81% of maritime companies are piloting AI — but only 11% have the governance to scale one. That gap isn't caution; it's the difference between a demo and a deployment. Here's the practical governance a ship manager actually needs.

Mehmet Onder13 min read
Maritime AI Governance: Why 81% Pilot, 11% Scale

Here is the most honest snapshot of maritime AI I have seen. In a 2025 survey of maritime professionals, 81% said they were already running AI pilots — and only 11% had the governance in place to scale one. Read those two numbers again. They are not a contradiction. They are cause and effect.

I run a company that builds software for ship managers, so I watch which customers actually get an AI tool past the demo and into daily use across a fleet. The pattern is consistent, and it is not about the model. The companies that scale are the ones that answered the boring questions first: who owns the output, where the data goes, and how a wrong answer gets caught. That is maritime AI governance — and it is the single most underrated lever in the whole conversation.

The industry has quietly decided that governance is bureaucracy: the paperwork you do instead of innovating. That instinct is backwards. Governance is not the brake on maritime AI. It is the drivetrain — the thing that turns a promising pilot into something you can safely bet a fleet on.

The maritime AI paradox: pilots everywhere, production nowhere

The enthusiasm is real, and so is the money: the maritime AI market was worth around US$4.1 billion in 2024 and is growing at roughly 23% a year. In the same Thetius and Marcura study, 82% of respondents were optimistic that AI would improve operational efficiency. Pilots are running in chartering, in voyage planning, in procurement, in the technical office. And then they stall.

Why? Because a pilot is safe precisely because it is small. One superintendent, one vessel, one workflow, a human watching every output like a hawk. Nothing about that setup forces you to answer the hard questions. The moment you want to roll the same tool out to forty ships and two hundred users, every one of those questions comes due at once — and if you have not answered them, that is exactly where the rollout dies.

This is not a hypothetical failure mode. In the same survey, 37% of respondents said they had personally witnessed an AI project fail or cause harm, and roughly a quarter said they believe the vendor community overhypes what AI can do. These are not AI sceptics sitting on the sidelines. These are the people running the pilots, telling you what happens without a safety net.

Two contrasted statistics: 81 percent of maritime firms are running AI pilots while only 11 percent have the governance needed to scale one, with the gap between them labelled as governance. A third figure notes that 82 percent believe AI will improve operational efficiency.
Source: Thetius / Marcura, 'Beyond the Hype' (2025)

The pilot is the easy part

A useful way to think about it: the pilot proves the AI can be useful. Governance proves it can be useful safely, repeatably, and accountably — which is the only version that survives contact with a real fleet, a real audit, and a real incident. Skipping straight from a slick demo to fleet-wide deployment is how you end up in the 37%.

The 11% aren't the laggards — they're the only ones who'll scale

Here is the contrarian read the numbers are begging for. We assume the 11% with governance policies are the cautious ones, moving slowly while bolder competitors race ahead. It is the opposite. The 11% are the only companies that have removed the thing blocking scale. Everyone else is stuck in pilot purgatory, and no amount of model quality gets them out — because the blocker was never the model.

The gap runs deeper than the headline number. In the same research, only 17% of firms had a transparent process for how their AI actually makes decisions, just 23% were training staff to use these tools, and 38% named inadequate training as the single biggest barrier to scaling. That is not a technology gap. It is a governance and change-management gap wearing a technology costume.

If you are a ship manager sitting on three or four promising pilots right now, this is the good news: the work that unlocks all of them is the same work, and it is not exotic. It is governance you can write down.

Bar chart of four maritime AI governance-gap figures: 37 percent have witnessed an AI project fail or cause harm, only 17 percent have a transparent process for how AI makes decisions, only 23 percent are training staff to use AI tools, and 38 percent say weak training is the biggest barrier to scaling.
Source: Thetius / Marcura, 'Beyond the Hype' (2025)

Regulation is coming for maritime AI — slowly, then all at once

The regulators are moving, but they are behind the deployment curve, which means for the next few years the governance burden sits with you, not with a rulebook. It is worth knowing what already exists, because some of it bites sooner than people think.

Six-card framework of the instruments shaping maritime AI governance: the IMO MASS Code on autonomous-ship safety, EU AI Act Article 14 on human oversight, IMO Resolution MSC.428(98) on cyber risk in the safety management system, TMSA3 Element 13 maturity model, the NIST AI Risk Management Framework, and the certifiable ISO/IEC 42001 standard.
Sources: IMO, EU AI Act, NIST, ISO

What the rules already say

At the IMO, the first MASS Code for autonomous ships was adopted in 2026 as a non-mandatory instrument, with a mandatory version roadmapped for the end of the decade. Note the framing the IMO chose: even for genuinely autonomous vessels, the master retains overall responsibility at all times. That is a governance principle, not a technical one — accountability stays with a human. (Worth being precise here: the MASS Code governs autonomous-ship safety, not the shore-office decision-support AI most managers are actually deploying. Do not let anyone conflate the two.)

Closer to home for most operators is the EU AI Act, in force since 2024 and phasing in through 2027. Maritime AI can land in its 'high-risk' category when it acts as a safety component of equipment covered by the Marine Equipment Directive — which means some shipboard AI carries hard legal obligations, not guidance. And Article 14's definition of 'meaningful human oversight' is the sharpest one in any rulebook: the human in the loop must understand the system's limitations, resist automation bias, correctly interpret the output, and be able to override or stop it. 'A human signs off' is not oversight. Knowing exactly where the tool is blind — that is oversight.

And if you want the plainest possible warning about trusting generative AI unsupervised, it comes from a classification society, not a software vendor. Researchers from DNV and SINTEF concluded, from a real maritime case study, that large language models are not yet mature enough for safety-critical applications without human oversight, and that final decision-making must stay with human experts. When the people who certify ships tell you to keep a human in the loop, keep a human in the loop.

You already have a governance home — use it

Here is the part most vendors will not tell you, because it does not sell a new product: you do not need to invent AI governance from scratch. You almost certainly already run a governance system that AI fits inside. IMO Resolution MSC.428(98) has required cyber risk to be managed inside your ISM Safety Management System since 2021. An AI tool that touches navigation, cargo, communications, or operational technology is a cyber asset. Its risks belong in the SMS you are already audited against — not in a shiny new silo that no one maintains.

Tanker operators have an even more direct ladder. TMSA Element 13 already gives you a four-level maturity model for security and cyber governance; AI controls layer straight onto it. US-trading fleets have the Coast Guard's 2025 cybersecurity rule, which mandates the exact governance skeleton AI needs anyway: a named accountable officer, a written plan, and incident response. The lesson across all of them is the same — do not build an AI governance island. Bolt AI onto the safety and compliance governance you are already obligated to run.

What good maritime AI governance actually looks like

Strip away the jargon and maritime AI governance is a short, practical checklist. You can anchor it to the NIST AI Risk Management Framework — its Govern, Map, Measure, Manage structure maps neatly onto the SMS thinking you already do — or, if you want something certifiable, to ISO/IEC 42001, the first auditable AI management system standard, which is to AI what ISO 9001 is to quality. Either way, here is what it comes down to on the ground.

  • Name an owner and keep a register. Extend an existing role — your Cybersecurity Officer or Designated Person Ashore — rather than inventing a committee. Keep a simple register of every AI tool in use, its purpose, its risk tier, and who signed it off. A register is also how you kill 'shadow AI' — the tools your teams are already pasting confidential data into without telling anyone.
  • Define human-in-the-loop per use case. State plainly, for each tool, whether the AI advises or decides. The industry's own instinct is clear: 70% said AI should recommend while a human makes the final call. Match Article 14 — the overseer must understand the tool's blind spots and be able to override it — and require a second reviewer for high-stakes decisions.
  • Demand source-grounding and an audit trail. Reject black-box answers for anything safety- or commercially-critical. Prefer tools that cite where each answer came from, so an officer can check the reasoning and apply judgement. Log the input, the output, and the human decision taken — so that after an incident you can actually answer: what did the system recommend, who reviewed it, and on what authority did they act? DNV's guidance for trustworthy AI makes the same point from the assurance side: link every claim to verifiable evidence, and treat assurance as continuous rather than a one-time sign-off. A demo is not evidence.
  • Govern and isolate your data. Inventory what feeds each tool and classify it — crew personal data, commercial and charter data, OT telemetry. Decide what is allowed to leave your environment. Set data-quality checks, because garbage in, garbage out is the binding constraint on every one of these systems. Good AI is a downstream benefit of clean, complete, well-kept data.
  • Do real vendor due diligence. Given that a quarter of your peers distrust vendor claims and more than a third have seen a project fail, take nothing on the strength of a demo. Ask five questions and get the answers in the contract.

Those five vendor questions, because they are the ones that separate a serious supplier from a risky one:

  1. Where is our data processed and stored?
  2. Do you train your models on our data — ever?
  3. What documented evidence do you have for the tool's accuracy, and how is it validated over time?
  4. Who is liable when the model gets it wrong?
  5. On the day we leave, can we export all of our data and history — with no lock-in?

If a vendor cannot answer those cleanly, you have not found a governance gap in your organisation. You have found one in theirs.

Two-panel governance summary. The left panel is a six-item maritime AI governance checklist: name an owner and keep a register, human-in-the-loop per use case, source-grounding plus an audit trail, govern and isolate data, vendor due diligence, and validate before rollout. The right panel lists five questions to ask any AI vendor, covering where data is processed, whether models are trained on your data, accuracy evidence, liability, and data export on exit.

Governance built in, not bolted on

I will be direct about the fact that this is the lens we built our own product through, because it is the whole reason this article exists. When we designed Navatom AI, the assistant inside our ship-management platform, the checklist above was the spec — not a compliance afterthought.

So it works the way the governance argument demands. It proposes; a person approves — the assistant drafts, and nothing is written to your records until someone reviews and confirms it. Every answer is grounded in your own documents and the regulations, and it cites its source, so an officer can check the reasoning rather than trust an oracle. It is tenant-isolated and permission-aware — it only ever sees your company's data, filtered by each user's own access. Your data is never used to train a model. And every interaction is logged and auditable, so the trail the checklist asks for already exists.

I am not going to tell you those choices make our AI smarter than anyone else's. I am telling you they are what make it safe to actually deploy — which, if the survey is right, is the thing 89% of the market has not solved yet. Governance was not a feature we added. It was the shape of the thing from the start.

The bottom line

Maritime AI is not going to be won by whoever has the flashiest pilot. It will be won by whoever can safely put AI into daily use across a whole fleet — and that is a governance problem long before it is a technology one.

  • The gap is governance, not capability. 81% pilot, 11% scale. The blocker is who owns the output, not how good the model is.
  • The 11% are the leaders, not the laggards. They answered the boring questions, so they are the ones who get to go fleet-wide.
  • You already have a home for it. Fold AI into your ISM SMS and cyber governance — MSC.428(98), TMSA Element 13 — instead of building a silo.
  • Keep a human in the loop, on purpose. Even the IMO and the classification societies say the human stays responsible. Design for it; do not apologise for it.
  • Governance fits on a page. An owner, a register, human-in-the-loop per use case, source-grounding, an audit trail, data isolation, and five hard questions for every vendor.

If you are already piloting AI — and the odds say you are — the next move is not another pilot. It is writing down the one-page governance that lets the pilots you already have grow up. If you want to see what an assistant built to that standard looks like in practice, that is exactly what we set out to build with Navatom AI.

Frequently asked questions

Is maritime AI governance just more paperwork?

No — and the framing is the trap. Governance is the set of decisions that let you scale a pilot without getting burned: who owns the output, where the data goes, how errors get caught. Companies that skip it do not move faster; they get stuck in pilots, which is why 81% are piloting and only 11% are scaling. Done well, the core of it fits on a single page.

Does the EU AI Act actually apply to my fleet's AI?

It can. The EU AI Act classifies some maritime AI as 'high-risk' when it acts as a safety component of equipment covered by the Marine Equipment Directive, which brings real obligations — including documented human oversight under Article 14. Shore-office decision-support tools are generally lower-risk, but if you trade to the EU you should map each AI use to its risk tier rather than assume none of it counts.

Who should own AI governance — IT or the DPA?

Neither in isolation, and you should not create a new committee for it. The most workable pattern is to extend an existing accountable role — your Cybersecurity Officer or Designated Person Ashore — and manage AI risk inside the ISM Safety Management System you already run, with IT and the technical office feeding it. Accountability should sit with a named person, not a function.

We're already running AI pilots. What's the first governance step?

Make a register. List every AI tool in use across the company, what it is for, what data it touches, and who approved it. That single act surfaces your shadow AI, tells you which tools are high-risk, and gives you the spine to add human-in-the-loop rules, an audit trail, and vendor due diligence on top. You cannot govern what you have not written down.