TL;DR: Enterprise GenAI adoption is being slowed less by model capability than by trust, regulatory complexity, and missing governance, with only 7% of enterprises having embedded governance programmes as of mid-2025, according to Knostic's analysis. That makes continuous monitoring, internal sandboxes, and access controls for AI outputs operational necessities rather than optional safeguards.
NHIMG editorial — based on content published by Knostic: Fast Facts on Enterprise AI adoption
By the numbers:
- only 7% of enterprise adopters had fully embedded governance programs with continuous KPI monitoring
- enterprise adoption rates jumped from 55% in 2023 to 75% in 2024
- only 46% of users are willing to trust AI
Questions worth separating out
Q: How should security teams govern GenAI access to sensitive business knowledge?
A: Security teams should govern GenAI access by mapping personas, tasks, and data classes to explicit policy boundaries.
Q: Why do traditional IAM controls fall short for enterprise AI adoption?
A: Traditional IAM controls fall short because they were built around direct access to applications and data, not inference-driven exposure.
Q: How can organisations know if AI governance is actually working?
A: They can measure whether AI governance is working by tracking oversharing, blocked prompts, hallucination frequency, and how often outputs stay inside the approved persona and data boundary.
Practitioner guidance
- Define AI personas and access boundaries Map each GenAI use case to the persona, task, and data classes it may touch.
- Build a sandbox-first rollout model Require synthetic or masked data in internal sandboxes before any GenAI workflow reaches production systems.
- Instrument AI monitoring for oversharing Log prompts, retrieved context, blocked outputs, and exception paths so security and compliance can review where the model exceeded expected boundaries.
What's in the full article
Knostic's full article covers the operational detail this post intentionally leaves for the source:
- Prompt simulation examples that show how oversharing appears in enterprise AI workflows.
- A deeper walkthrough of continuous monitoring metrics for hallucination, leakage, and control drift.
- Practical examples of persona-based access controls in Microsoft 365 and Glean environments.
- Benchmarks and adoption metrics that teams can use for internal rollout planning.
👉 Read Knostic's analysis of enterprise GenAI adoption and governance gaps →
GenAI adoption and governance gaps: what IAM teams need to know?
Explore further
Governance failure, not model failure, is the real adoption bottleneck. The article's core evidence points to a familiar pattern in identity security: enterprises can deploy AI faster than they can govern access to it. That means the decision problem is no longer whether GenAI is technically viable, but whether the organisation can control inference, output, and accountability at scale. Practitioners should treat GenAI rollout as a governance programme with identity controls attached, not the other way around.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- A separate finding shows that 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, which is why policy scope matters as much as model quality.
A question worth separating out:
Q: What should teams do before putting GenAI into production?
A: Teams should validate the use case in an internal sandbox using masked or synthetic data, then test retrieval scope, output handling, and exception workflows before granting production access. Production should begin only after the team can show that the model stays within policy under realistic conditions.
👉 Read our full editorial: Enterprise GenAI adoption is stalled by governance gaps