TL;DR: AI approval cycles can stretch from under two minutes of user adoption to eleven weeks of security review, driving Shadow AI and pilot purgatory when governance cannot keep pace with business demand, according to WitnessAI. The core problem is not AI usage itself but the mismatch between manual review models and the velocity of modern AI adoption.
NHIMG editorial — based on content published by WitnessAI: the AI approval cycle problem and how to compress it
By the numbers:
- 69% of cybersecurity leaders had evidence of, or suspected, employees using public GenAI tools at work.
Questions worth separating out
Q: How should security teams speed up AI approval without weakening governance?
A: Use risk-tiered review lanes, clear production authority, and sanctioned catalogs for common low-risk use cases.
Q: Why do AI projects get stuck in pilot purgatory?
A: They usually stall because approval authority is unclear and manual review processes cannot keep pace with business demand.
Q: What do security teams get wrong about AI governance reviews?
A: They often treat every use case as if it needs the same level of scrutiny.
Practitioner guidance
- Define AI risk tiers before review begins: separate low-risk productivity use cases from higher-risk systems that touch sensitive data, external vendors, or write access.
- Create a sanctioned AI catalog for repeat use cases: maintain a pre-approved inventory of common tools and approved patterns so business teams have a safe path that does not require a fresh review every time they want to reuse a known workflow.
- Assign explicit production authority for AI approvals: name who can move a use case from pilot to production, and document the decision rights across security, legal, compliance, risk, and data governance so projects do not stall in ambiguity.
What's in the full article
WitnessAI's full research covers the operational detail this post intentionally leaves for the source:
- Detailed examples of how the two-lane review model is structured across low-risk and high-risk AI use cases
- Operational guidance on runtime controls that evaluate prompts, responses, and intent at the point of interaction
- Examples of how a pre-approved catalog can reduce repeat reviews for common AI requests
- More detail on how audit trails and visibility support governance evidence across AI activity
👉 Read WitnessAI's analysis of the AI approval cycle problem →
AI approval cycle delays: what they mean for governance teams
Explore further
AI approval delay is a governance failure, not a user-behaviour anomaly. The article shows that when approval takes eleven weeks while adoption takes minutes, employees route around the sanctioned process and create Shadow AI. That is a control design problem, because the enterprise is asking manual review to govern a deployment velocity it cannot physically absorb. Practitioners should treat approval latency as a signal that the governance model is out of phase with the business.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why approval and runtime governance both matter.
A question worth separating out:
Q: Who should own AI production approval in the enterprise?
A: A single function should not own it alone. Security, legal, compliance, risk, and data governance each have a role, but one clearly named decision owner must be able to approve the move from pilot to production. Without that authority, governance becomes a queue instead of a control.
👉 Read our full editorial: AI approval cycles are slowing enterprise AI adoption