TL;DR: Enterprise GenAI adoption is accelerating, with Gartner cited in Kong's survey finding more than 80% of enterprises will have deployed GenAI applications or used GenAI APIs by 2026, while 72% of respondents expect LLM spending to rise in the next year. The governance gap is that budget growth is outrunning security and compliance readiness, not just model choice.
NHIMG editorial — based on content published by Kong: 72% Say Enterprise GenAI Spending Going Up in 2025, Study Finds
By the numbers:
- 80% of enterprises will have deployed generative AI, erative AI applications or used GenAI APIs by 2026, up from just 5% in 2023.
- 72% of respondents say they anticipate an increase in their organization's LLM spending in the year ahead.
- 37% say they're currently spending more than $250,000 USD a year on LLMs.
Questions worth separating out
Q: How should security teams govern enterprise GenAI access at scale?
A: Treat GenAI access as an identity programme, not a feature toggle.
Q: Why do GenAI programmes create new identity risk even when the models change?
A: Because the operational risk sits in the identities that call the models, not only in the models themselves.
Q: What breaks when LLM access is not tied to lifecycle management?
A: Access persists after pilots end, integrations move, or vendors change, and that leaves old credentials in circulation.
Practitioner guidance
- Map every model-facing identity Build an inventory of service accounts, API keys, tokens, and federated identities used to call LLMs, then assign a business owner and a defined purpose to each one.
- Bind GenAI approvals to lifecycle events Require re-approval when a model provider changes, a new integration is added, or an application moves environments so access does not persist beyond the intended deployment state.
- Scope credentials to specific use cases Limit each integration token to the minimum model, data source, and workflow it needs, and separate production access from experimentation and testing.
What's in the full article
Kong's full research covers the operational detail this post intentionally leaves for the source:
- Survey methodology and respondent mix across 550 Kong users, engineers, and IT decision-makers.
- Detailed breakdown of spending expectations and current LLM budget bands by the organisations surveyed.
- Model usage comparisons across Google, OpenAI, Anthropic, Meta, IBM, and DeepSeek in early 2025.
- Direct commentary on the adoption barriers respondents associate with security and compliance.
👉 Read Kong's survey findings on enterprise GenAI spending and adoption →
Genai spending is rising fast, but are controls keeping up?
Explore further
Enterprise GenAI spending is becoming an identity governance problem before it is a model strategy problem. The article shows budget expansion, faster adoption, and rising operational use, but those are all only sustainable if identities, credentials, and access paths are governed with the same discipline as human access. Once LLMs are embedded in workflows, the control question shifts from procurement to entitlement management. Practitioners should treat GenAI scale as a governance workload, not a software feature rollout.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should own governance when GenAI usage spans IT, compliance, and developers?
A: Ownership should sit with the programme that controls identity and access, not with a single tool team. Compliance needs visibility, developers need usable patterns, and security needs revocation authority. A shared governance model works best when each model-facing identity has one accountable owner and one review path.
👉 Read our full editorial: Enterprise genai spending is rising faster than governance