Smarsh: AI governance lags deployment at most enterprises

WorkAI.TV Editorial Desk
3 Min Read

Share with your CISO

A joint study from Smarsh and FTI Consulting puts a precise number on a problem most compliance teams already feel in their gut: 55% of enterprises are running AI in production, but only 26% have governance frameworks keeping pace with that deployment. The 2026 Enterprise AI Trends Study surveyed regulated industries and found that just 30% of organizations can detect shadow AI, the unauthorized tools employees adopt outside approved workflows, while 62% are actively investing in AI and ML capabilities.

What this means for your business

The 29-point gap between deployment and governance isn’t evenly distributed across industries. If your organization operates in financial services, healthcare, or any sector where communications records carry regulatory weight, that gap isn’t an operational inconvenience, it’s a direct examination risk. The shadow AI number is the sharper edge here: seven in ten enterprises cannot see what AI tools their employees are actually using, which means supervision and recordkeeping obligations are being violated in ways no one can quantify yet.

The study’s reframe of communications data deserves real scrutiny. Smarsh, whose core business is communications compliance archiving, argues that archived communications are no longer just a regulatory burden but a foundation for AI workloads and business intelligence. That framing clearly serves a vendor trying to expand its platform’s value proposition, but the underlying logic isn’t wrong for that reason. If you’re feeding enterprise AI systems with communications data that was never governed for quality, you’re introducing model risk alongside the compliance risk you already carry. The two problems compound rather than run in parallel.

The finding that compliance leaders are moving into AI strategy decisions, influencing vendor selection before deployment rather than reviewing outcomes after an audit, is the structural shift worth watching. Most enterprises built procurement workflows where legal and compliance reviewed contracts, not architecture. If that sequence doesn’t change, governance frameworks will always chase deployment rather than shape it. The CISO who still gets called in after the AI vendor is signed has already lost the position this study says the role is supposed to occupy.

Concept deep-dive: Shadow AI

Shadow AI refers to AI tools employees adopt and use without IT or compliance approval, the same way “shadow IT” described unauthorized SaaS subscriptions a decade ago. It exists because sanctioned procurement cycles are slow and productivity pressure is immediate. The business risk is specific: interactions with unsanctioned AI tools generate records that may never be captured, reviewed, or producible in a regulatory inquiry, creating supervision blind spots that regulators in financial services are already beginning to examine.

Based on reporting from Smarsh: AI governance lags deployment at most enterprises, originally published 2026-07-16 07:28:00.

TAGGED:
Share This Article