TL;DR: Organizations lose AI ROI when governance cannot keep up with rapid AI adoption, with shadow tools, undocumented retraining, and fragmented approvals creating fire drills and eroding executive confidence, according to OneTrust. The practical answer is not slower innovation, but inventory, workflow automation, lifecycle controls, and runtime assurance that make AI governable at scale.
NHIMG editorial — based on content published by OneTrust: Why Organizations Lose AI ROI (and How Data Teams Can Drive Visibility)
By the numbers:
- Organizations with real-time monitoring are 34% more likely to see improvements in revenue growth and 65% more likely to see improved cost savings, according to a 2025 survey from EY.
Questions worth separating out
Q: How should security teams implement AI governance without slowing delivery?
A: Security teams should start with a central inventory, then automate intake, approvals, and evidence capture so governance becomes part of the delivery process.
Q: Why do AI programmes lose ROI when governance is weak?
A: AI programmes lose ROI when teams cannot prove what exists, who owns it, how it is used, or whether it still operates within policy.
Q: What do security teams get wrong about AI governance at runtime?
A: Many teams assume governance ends at deployment, but AI systems continue to change through drift, new data, and shifting usage patterns.
Practitioner guidance
- Build a central AI inventory Record every model, system, vendor, use case, owner, data source, and risk tier in one place so teams can answer where AI is running without manual archaeology.
- Automate intake and approvals Route new AI initiatives through a standard workflow that triggers the right reviews based on risk tier, data sensitivity, and business purpose, then preserve the evidence for audit.
- Embed governance into deployment pipelines Connect policy checks to data pipelines, model releases, and vendor onboarding so controls are enforced before a system reaches production.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- A step-by-step view of how data teams should build and maintain a centralized AI inventory.
- Practical examples of how to structure multi-stakeholder AI approval workflows and evidence capture.
- Specific guidance on embedding governance into data pipelines, model deployment, and vendor management.
- Runtime assurance patterns for policy enforcement, monitoring, and audit readiness.
👉 Read OneTrust's analysis of why AI governance gaps are eroding enterprise ROI →
AI governance visibility gaps: what data teams need to fix?
Explore further
AI governance debt is becoming a first-order security problem: the longer organisations wait to inventory systems, assign ownership, and enforce intake, the more control gaps compound. What begins as scattered experimentation becomes a durable governance backlog that security and compliance teams inherit later. The practical conclusion is that visibility work must be treated as foundational programme architecture, not a reporting exercise.
A few things that frame the scale:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who is accountable when AI systems make decisions through service accounts or workflows?
A: Accountability should sit with the business owner of the use case, supported by the technical owner of the system and the control owners who approve access, data use, and policy enforcement. If AI can trigger action, the associated service accounts and workflow roles must also have named ownership. Otherwise, responsibility becomes diffuse and governance breaks down.
👉 Read our full editorial: AI governance visibility gaps are eroding enterprise ROI