By NHI Mgmt Group Editorial Team
Published 2026-03-10
Domain: Governance & Risk
Source: Delinea

TL;DR: Enterprise AI adoption is outpacing governance maturity, with Delinea arguing that visibility, accountability, and training must extend across AI systems, shadow AI, and AI agents. The deeper issue is that organisations are trying to govern a fast-moving identity layer with controls designed for slower, centrally managed programmes.


At a glance

What this is: This is a governance analysis arguing that enterprise AI adoption is moving faster than the policies, oversight, and visibility needed to control it.

Why it matters: It matters because identity teams now have to govern AI systems and AI agents alongside human and machine identities without waiting for a separate framework to catch up.

By the numbers:

  • The current generative AI adoption rate of 54.6% exceeds the 19.7% adoption rate of the personal computer three years after the first mass-market computer, and the internet's 30.1% adoption rate three years after the internet was opened to commercial traffic.



Context

Enterprise AI governance fails first at visibility, then at accountability. Organisations are embedding AI systems and agents into workflows faster than they can inventory where those systems exist, what data they touch, and which teams own the risk. That makes AI governance an identity and access problem as much as a policy problem.

The article treats AI as a programme-level control issue, not a standalone technology issue. For IAM, IGA, PAM, and security leaders, the practical question is how to extend existing governance models to AI systems, shadow AI, and AI agents before unmanaged use becomes the default operating model.

NHIMG's position is that AI governance should be anchored in the same discipline used for other identity populations: discover, classify, assign ownership, review access, and audit behaviour. The organisations that fail here are not missing documentation. They are missing control coverage.


Key questions

Q: How should security teams govern AI systems that are embedded across business workflows?

A: Treat AI systems as governed assets with named ownership, approved use cases, and reviewable access boundaries. Bring them into existing identity, risk, and audit processes instead of managing them as one-off technology exceptions. The goal is to make AI usage visible, accountable, and testable across the full lifecycle.

Q: Why does shadow AI create such a large governance problem?

A: Shadow AI creates a governance problem because organisations cannot control systems they cannot see. Unknown tools can access data, influence decisions, and create risk without any approved ownership or review cadence. Discovery is therefore the first security control, not an administrative afterthought.

Q: How do organisations make AI policies enforceable instead of symbolic?

A: Pair policy with inventory, logging, and audit evidence. A policy becomes enforceable when the organisation can show which AI systems exist, who owns them, what they can access, and whether actual usage matches approved intent. Without that evidence chain, policy is only documentation.

Q: Who should be accountable for enterprise AI governance?

A: Accountability should sit with a named owner for each AI system, supported by a cross-functional governance structure that includes security, legal, IT, and business leadership. The committee can coordinate decisions, but each AI use case still needs a clear operational owner for approvals and oversight.


Technical breakdown

AI governance committee and operating model

A formal AI governance committee is the article's core operating model. It is meant to coordinate policy, risk, legal, IT, operations, and business owners so AI decisions are not made in isolated silos. In identity terms, that committee becomes the control plane for assigning ownership of AI systems, approving use cases, and defining who can authorise changes to models, data access, and deployment boundaries. Without that structure, AI oversight fragments across teams and no one owns the lifecycle.

Practical implication: assign a named governance owner for every AI system and route approvals through a repeatable committee process.

Shadow AI discovery and inventory

Shadow AI is the unmanaged use of AI tools, models, and agents outside approved channels. The technical problem is discovery, because organisations cannot govern systems they cannot see. Inventory tools need to identify AI use across applications, platforms, and embedded features, then classify which systems are sanctioned, which are experimental, and which are completely unknown. That creates the basis for risk triage, access review, and policy enforcement across the AI estate.

Practical implication: build an AI inventory process that continuously discovers unsanctioned tools and maps them to an accountable owner.

Training, oversight, and AI use policy enforcement

Policy alone does not change behaviour. The article argues for recurring awareness programmes that teach employees, partners, and customers how to use AI responsibly, similar to privacy and compliance training. Technically, that means policies must be paired with monitoring, logging, and auditability so the organisation can prove whether approved AI use matches approved intent. Governance becomes operational only when the policy, the workflow, and the evidence chain line up.

Practical implication: connect AI use policies to logging and audit trails so training outcomes can be verified, not assumed.


NHI Mgmt Group analysis

AI governance is now an identity governance problem, not just an AI policy problem. The article is strongest when it treats AI as something that must be discovered, owned, reviewed, and audited like any other identity-bearing system. That is the correct framing because AI tools and agents consume access, touch data, and trigger actions inside business processes. Practitioners should treat AI inventory and ownership as core governance controls, not optional documentation.

Shadow AI creates a control gap that traditional IT governance was never designed to absorb. The article correctly identifies visibility as the first failure mode. If teams cannot enumerate where AI is embedded, they cannot assign access boundaries, review risk, or enforce accountability. The implication is that governance programmes need discovery and classification first, before policy language can mean anything operationally.

Responsible AI governance succeeds when it is adapted from established lifecycle controls rather than invented from scratch. The article’s best point is that steering committees, PMOs, risk classification, and recurring training already exist as governance patterns. The field does not need a new philosophy so much as a disciplined extension of existing identity and risk management practices into AI systems. Practitioners should reuse lifecycle governance logic and extend it to AI-specific assets.

AI oversight fails when accountability is implied rather than assigned. The article repeatedly gestures toward cross-functional governance, but the real lesson is that AI systems need explicit owners for approval, monitoring, and audit response. Without that, AI risk gets distributed across legal, IT, business, and security until no function can prove control. Practitioners should require named accountability for every AI use case.

Visibility without enforcement only creates a better catalog of unmanaged risk. Inventory is necessary, but it is not sufficient. Once AI systems are known, organisations still need policy enforcement, access review, and audit evidence to confirm that actual use matches approved use. Practitioners should connect discovery to governance action, or the programme becomes descriptive rather than controlling.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to the same survey.
  • For a broader control model, see OWASP NHI Top 10 for agentic risk framing and control priorities.

What this signals

With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, the near-term governance challenge is not theoretical. Teams need to assume that AI access will be granted faster than identity processes can mature, and build controls that can absorb that mismatch.

Shadow AI governance debt: unmanaged AI use behaves like shadow IT with a faster risk curve, because embedded models and agents can spread across workflows before security even knows they exist. That is why discovery, classification, and ownership need to move into the programme operating model, not stay in periodic reviews.

For identity teams, the practical signal is that AI governance will increasingly sit alongside lifecycle management, access review, and privileged access oversight. The organisations that adapt existing identity controls fastest will have the clearest path to governing AI without creating a parallel security bureaucracy.


For practitioners

  • Build an enterprise AI inventory: Map approved, experimental, and unsanctioned AI tools across SaaS applications, internal platforms, and embedded product features. Require owners, business purpose, data access scope, and review cadence for each system.
  • Assign named ownership for every AI system: Make one function accountable for each AI use case, including policy approval, access oversight, logging, and incident response. Shared accountability without a single owner usually becomes no accountability.
  • Integrate AI use into existing governance cycles: Add AI systems to access reviews, risk registers, and lifecycle governance processes already used for other enterprise assets. Reuse the committee and PMO model rather than building a parallel process.
  • Expand training beyond policy publication: Deliver recurring awareness training for employees, partners, and customers, then verify adherence through logging, monitoring, and audit trails. Policy only works when the organisation can measure whether behaviour changed.
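The discovery, ownership, and audit-evidence steps above (inventory classification from the shadow AI section, usage-versus-intent checks from the training and oversight section) reduced to working code. This is an added example written for this summary, not tooling from Delinea or NHIMG; the registry entries, tool names, owners, and log lines are constructed sample data, and the log format is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Example code for this summary, not Delinea's or NHIMG's tooling; all data is constructed.
@dataclass
class AiAsset:
    name: str
    status: str                        # "sanctioned" or "experimental"
    owner: Optional[str] = None        # named accountable function
    data_scope: set = field(default_factory=set)  # approved data classes
    review_days: Optional[int] = None  # access review cadence in days

# Constructed registry: the AI systems the governance committee has approved.
REGISTRY = {
    "copilot-crm": AiAsset("copilot-crm", "sanctioned", "sales-ops", {"crm"}, 90),
    "summarizer-lab": AiAsset("summarizer-lab", "experimental", "data-science", {"public"}, 30),
    "orphan-bot": AiAsset("orphan-bot", "sanctioned", None, {"hr"}, None),
}

def classify(discovered):
    """Map each discovered tool name to sanctioned / experimental / unknown."""
    return {n: REGISTRY[n].status if n in REGISTRY else "unknown" for n in discovered}

def governance_gaps(discovered):
    """Findings for tools with no inventory entry, no owner, or no review cadence."""
    findings = []
    for name, status in classify(discovered).items():
        if status == "unknown":
            findings.append((name, "no-inventory-entry"))
            continue
        asset = REGISTRY[name]
        if asset.owner is None:
            findings.append((name, "no-owner"))
        if asset.review_days is None:
            findings.append((name, "no-review-cadence"))
    return findings

def scope_violations(log_lines):
    """Check logged data access against approved scope; unknown tools always violate.
    Constructed log format: '<tool> accessed <data_class> by <user>'."""
    violations = []
    for line in log_lines:
        tool, _, data_class, _, user = line.split()
        asset = REGISTRY.get(tool)
        if asset is None or data_class not in asset.data_scope:
            violations.append((tool, data_class, user))
    return violations

# Constructed discovery output and access log lines.
DISCOVERED = ["copilot-crm", "summarizer-lab", "orphan-bot", "browser-extension-ai"]
LOGS = ["copilot-crm accessed crm by alice",
        "summarizer-lab accessed crm by bob",         # experimental tool, crm not in scope
        "browser-extension-ai accessed hr by carol"]  # unknown tool, no approved scope
```

Each finding or violation maps to a governance action (assign an owner, set a review cadence, bring the tool into inventory, or restrict its data access), which is what turns the inventory from a catalogue into a control.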

Key takeaways

  • Enterprise AI governance fails when visibility, ownership, and auditability are treated as separate problems.
  • The scale of AI adoption is already large enough that unmanaged use can become the default if discovery lags behind deployment.
  • Practitioners should extend existing identity and risk governance into AI systems now, rather than waiting for a purpose-built programme to emerge.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OC-01 | Enterprise AI governance needs clear business context and ownership.
NIST AI RMF | | The post focuses on accountable AI governance and lifecycle oversight.
OWASP Agentic AI Top 10 | A01 | AI agents embedded in workflows need discovery and control boundaries.

Inventory AI agents, bound their permissions, and review their actions continuously.


Key terms

  • Shadow AI: AI tools, models, or agents used without formal approval, visibility, or governance. In practice, it is the AI equivalent of shadow IT, but the risk is broader because unmanaged systems can touch data, influence decisions, and execute actions before security teams know they exist.
  • AI governance committee: A cross-functional body that coordinates how AI use is approved, monitored, and audited across the organisation. It is the operating structure that turns policy into accountable decisions by assigning ownership, setting review rules, and ensuring AI systems stay within approved risk boundaries.
  • Responsible AI governance: The set of policies, controls, and oversight processes used to manage AI risk in a business context. It combines approval, inventory, training, monitoring, and auditability so AI use can be explained, verified, and challenged throughout its lifecycle.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Delinea: Responsible governance in the age of enterprise AI. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org