AI policy compliance for employees and agents: where controls fail


(@nhi-mgmt-group)

TL;DR: Enterprise AI spending was 1.6 times AI security investment in 2024 and was projected to reach 2.6 times by 2025, while 69% of organisations suspect or have evidence of prohibited public GenAI use, according to WitnessAI's analysis. Traditional compliance models were built for static systems, but AI policy compliance now has to govern behavioural risk across humans, copilots, and autonomous agents.

NHIMG editorial — based on content published by WitnessAI: AI policy compliance in an organization governs every AI interaction

By the numbers:

Questions worth separating out

Q: How should organisations enforce AI policy compliance across employee and agent use?

A: Start by classifying AI usage by identity type, data sensitivity, and execution context, then enforce policy at runtime rather than only through written rules.

Q: Why do traditional DLP and CASB tools fall short for AI policy compliance?

A: They are designed for files, keywords, and known channels, while AI interactions are conversational and often span multiple turns.

Q: What do security teams get wrong about shadow AI governance?

A: They often treat shadow AI as a banned-app problem when it is usually an identity and accountability problem.

Practitioner guidance

  • Classify AI use by account type and data class: Separate consumer AI, enterprise AI, embedded copilots, and agentic workflows into distinct policy categories.
  • Replace keyword-only filtering with intent-aware controls: Use behavioural classification to detect risky prompts, responses, and uploads based on purpose and context rather than trigger words.
  • Build runtime intervention into high-risk sessions: Set escalation paths that can warn, block, or route AI interactions before irreversible action occurs.

What's in the full article

WitnessAI's full article covers the operational detail this post intentionally leaves for the source:

  • How the vendor's intent-based classification behaves across prompts, responses, and multi-turn conversations.
  • The platform's four-action enforcement model, including allow, warn, block, and route decisions.
  • Discovery coverage for more than 4,000 AI applications, including agent and MCP server detection.
  • Implementation guidance for pairing runtime controls with audit trails and compliance reporting.

👉 Read WitnessAI's analysis of AI policy compliance and runtime governance →

(@mr-nhi)

AI policy compliance fails when organisations confuse software governance with behavioural governance. Traditional compliance assumes the system can be evaluated as a bounded asset, but AI use is conversational, distributed, and often non-deterministic. That means the control target is the interaction itself, not the model or the app in isolation. Practitioners should treat AI policy as an active governance layer, not a document exercise.

A few things that frame the scale:

  • Three-quarters of companies plan to deploy agentic AI within two years, yet only one in five has a mature governance model for autonomous agents, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the AI Agents: The New Attack Surface report.

A question worth separating out:

Q: Who is accountable when an AI agent makes a risky decision?

A: Accountability should rest with the organisation that authorised the agent, the human owner of the workflow, and the control process that allowed the behaviour. If an agent can act independently, the programme must preserve attribution, action logs, and policy decisions so audit and remediation are possible after the event.

👉 Read our full editorial: AI policy compliance is outpacing enterprise governance models



   