TL;DR: Enterprise AI use is expanding faster than organisations can prove business value, while governance friction, shadow AI, and weak measurement keep pilots from scaling, according to WitnessAI. The underlying problem is that legacy approval and audit models were built for deterministic software, not for runtime AI activity that needs continuous control and evidence.
NHIMG editorial — based on content published by WitnessAI: AI adoption, governance, and the operational gap between AI investment and measurable impact
By the numbers:
- Gartner projects worldwide AI spending will reach $2.52 trillion in 2026.
- MIT’s NANDA Initiative found that roughly 5% of AI pilot programs drive rapid revenue acceleration.
- Nearly 60% of employees use unapproved AI tools at work, even when approved alternatives exist.
Questions worth separating out
Q: How should organisations govern AI usage when employees use unapproved tools?
A: Organisations should start with visibility, not enforcement.
Q: Why do AI projects often fail to show measurable business value?
A: AI projects often fail because measurement is an afterthought.
Q: What breaks when AI governance relies only on approval workflows?
A: Approval-only governance breaks when usage shifts outside sanctioned channels.
Practitioner guidance
- Instrument AI usage at the network layer: map where AI activity actually occurs across browsers, desktop applications, IDEs, embedded copilots, and API-driven workflows.
- Replace binary AI approval decisions with context-based controls: use allow, warn, block, and route actions so teams can govern high-risk use without forcing a department-wide ban that drives shadow AI.
- Capture interaction-level audit trails: log prompts, responses, policy decisions, and the context needed to explain enforcement outcomes.
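The allow/warn/block/route model and the interaction-level audit record described above, as an added Python sketch that is not WitnessAI's code; the approved gateway host, the high-risk department list and the credential regex are constructed assumptions for illustration:

```python
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed assumptions for this example; a real policy set would be far richer.
APPROVED_GATEWAY = "ai-gateway.corp.example"          # hypothetical sanctioned AI proxy
HIGH_RISK_DEPARTMENTS = {"legal", "finance"}          # hypothetical warn-on-use groups
CREDENTIAL_RE = re.compile(r"(?i)\b(api[_-]?key|password|secret|token)\b\s*[:=]\s*\S+")

@dataclass
class Interaction:
    user: str
    department: str
    app: str          # browser, ide, copilot, api
    destination: str  # host the prompt is being sent to
    prompt: str

AUDIT_LOG: list[dict] = []  # stand-in for an append-only store or SIEM feed

def decide(ix: Interaction) -> dict:
    """Evaluate one AI interaction and append an audit record explaining the outcome."""
    redacted = CREDENTIAL_RE.sub(r"\1=[REDACTED]", ix.prompt)
    if redacted != ix.prompt:
        action, reason = "block", "credential-like material in prompt"
    elif ix.destination != APPROVED_GATEWAY:
        # Unsanctioned tool: redirect to the approved gateway rather than banning outright.
        action, reason = "route", f"unsanctioned destination {ix.destination}; redirected to {APPROVED_GATEWAY}"
    elif ix.department in HIGH_RISK_DEPARTMENTS:
        action, reason = "warn", f"{ix.department} is a high-risk department; user reminded of data-handling policy"
    else:
        action, reason = "allow", "sanctioned destination, no sensitive content detected"
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        **asdict(ix),
        "prompt": redacted,   # prompt is retained with secrets masked, never in the clear
        "action": action,
        "reason": reason,
    }
    AUDIT_LOG.append(record)
    return record

if __name__ == "__main__":
    # Constructed sample interactions covering each policy action.
    samples = [
        Interaction("alice", "engineering", "ide", APPROVED_GATEWAY, "refactor this loop"),
        Interaction("bob", "marketing", "browser", "chat.unapproved.example", "draft a tweet"),
        Interaction("carol", "engineering", "copilot", APPROVED_GATEWAY, "call it with api_key=sk-abc123"),
        Interaction("dan", "finance", "browser", APPROVED_GATEWAY, "summarise Q3 numbers"),
    ]
    for ix in samples:
        print(json.dumps(decide(ix)))   # one JSON line per interaction = the audit trail
```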
What's in the full article
WitnessAI's full analysis covers the operational detail this post intentionally leaves for the source:
- Network discovery methods for finding AI usage in native apps, IDEs, embedded copilots, and agent workflows
- Policy action design for allow, warn, block, and route decisions in real enterprise environments
- Audit trail expectations for prompts, responses, and policy enforcement evidence
- Runtime prompt-injection and data-exposure protections at the point of interaction
👉 Read WitnessAI's analysis of the AI adoption-impact gap and runtime AI governance →
AI adoption-impact gap: what IAM and security teams need to fix
Explore further
AI adoption without interaction-level governance is a control illusion: enterprises can count deployments, but they cannot reliably govern what they cannot observe at the point of use. This is why approval-heavy programmes stall while informal usage expands elsewhere. The implication is that security leaders should stop treating usage telemetry as a nice-to-have and start treating it as a prerequisite for control.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who should own accountability for runtime AI controls and audit trails?
A: Accountability should be shared across security, compliance, AI platform owners, and identity teams, with each function owning a distinct part of the control chain. Runtime AI controls are operational safeguards, while audit trails provide evidence that those safeguards actually worked during production use.
👉 Read our full editorial: AI adoption is outrunning governance and measurable business value