TL;DR: AI governance remains uneven despite broad awareness, with only 25% of organisations fully implementing programs, 27% of boards adding it to committee charters, and 97% of AI-related breach victims lacking proper access controls, according to Knostic’s source article. Policy alone is no longer the issue; enforcement, accountability, and measurable controls now determine whether governance actually reduces risk.
NHIMG editorial — based on content published by Knostic: What This Blog Post on AI Governance Statistics Covers
By the numbers:
- Only 25% of organizations have fully implemented AI governance programs.
- Just 27% of boards have formally incorporated AI governance into committee charters.
- 97% of AI-related breach victims have been shown to lack proper access controls.
Questions worth separating out
Q: What breaks when AI governance exists on paper but not in enforcement?
A: Policy-only governance fails when teams cannot technically restrict access, log decisions, or revoke permissions in the systems AI actually uses.
Q: Who is accountable when AI governance fails in an enterprise?
A: Accountability should sit with the business and security owners who can enforce controls, approve exceptions, and explain residual risk to leadership.
Q: What do security teams get wrong about AI governance maturity?
A: Teams often equate a policy, charter, or framework with real maturity.
Practitioner guidance
- Implement enforceable AI access controls Bind GenAI access to specific roles, data scopes, and approval paths so policy is enforced at the point of use rather than in a static document.
- Link board oversight to operational metrics Report policy hit rates, exception volumes, access violations, and remediation age to the committee or executive owner responsible for AI governance.
- Classify AI service accounts and tokens as governed identities Inventory the credentials, service accounts, and delegated tokens used by AI pipelines, then apply lifecycle controls for issuance, rotation, and revocation.
What's in the full article
Knostic's full article covers the operational detail this post intentionally leaves for the source:
- The underlying methodology behind the AI governance statistics and how the figures were selected for recency and traceability.
- The full set of governance categories and the evidence behind each board, KPI, and enforcement claim.
- The source-specific breakdown of GenAI governance trends across policy, oversight, and technical control maturity.
- The original research links and supporting references used to assemble the statistic set.
👉 Read Knostic's analysis of AI governance statistics and control maturity →
AI governance statistics: where policy still fails in practice?
Explore further
AI governance has crossed from policy design into control enforcement. The article’s numbers show that many organisations can describe governance but cannot operationalise it. That gap matters because AI risk is now created in live access decisions, not in static policy documents. For practitioners, the lesson is that governance maturity should be measured by enforced controls, not by the existence of a policy library.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How should IAM and security teams govern AI systems as identities?
A: They should inventory AI credentials, map each system to an owner, scope access tightly, and define revocation and review triggers just as they would for other non-human identities. The goal is to make AI access observable and reversible, so the organisation can prove what the system was allowed to do.
👉 Read our full editorial: AI governance statistics expose the gap between policy and enforcement