AI governance gaps and what they mean for enterprise security teams

TL;DR: AI governance is becoming a board-level risk because 88% of organisations now use AI in at least one business function, yet many still have no clear ownership or enforcement path, according to WitnessAI. The governance model is breaking where adoption, visibility, and accountability no longer line up, so AI risk management must move from policy drafting to runtime control.

NHIMG editorial — based on content published by WitnessAI: AI governance challenges are now the defining risk category for enterprises scaling AI

By the numbers:

• 88% of organizations report regular use of AI in at least one business function.
• 78% of employees admit to using AI tools that their employer has not approved.
• 98% of organizations have a relationship with at least one third-party vendor that experienced a breach in the last two years.

Questions worth separating out

Q: How should organisations govern AI use when responsibility is split across security, legal, HR, and compliance?

A: Organisations should create one enforced AI governance path with explicit decision rights, not a loose committee structure.

Q: Why do legacy security tools struggle to control AI-related data exposure?

A: Legacy tools were built for files, patterns, and known application flows, while AI risk often lives in prompts, responses, and session context.

Q: What breaks when AI agents are treated like normal human users in governance programmes?

A: Human-centric governance assumes access is stable enough to review later and that authorisation is tied to a person’s session and behaviour.

Practitioner guidance

• Assign one accountable AI governance owner Create a decision-making path that lets one named function approve, block, or escalate AI use cases.
• Map AI controls to conversational risk, not file risk Review whether your current DLP, CASB, and endpoint stack can inspect prompts, responses, and multi-turn context.
• Discover shadow AI across all user surfaces Build discovery that covers browser tools, native desktop apps, IDEs, embedded copilots, and model access that bypasses browser-only monitoring.

What's in the full article

WitnessAI's full article covers the operational detail this post intentionally leaves for the source:

• A practical breakdown of the three-module Observe, Control, and Protect model and how it maps to enterprise deployment stages.
• Specific examples of how intent-based detection differs from keyword-based DLP when users paste sensitive material into AI tools.
• Discovery and enforcement details for shadow AI across browser apps, IDEs, and desktop tools that endpoint-only monitoring misses.
• Agent and MCP server discovery guidance for teams beginning to inventory autonomous and semi-autonomous AI usage.

👉 Read WitnessAI's guide to the six enterprise AI governance challenges →

AI governance gaps and what they mean for enterprise security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →