AI governance gap widens as enterprises race to deploy agentic AI, IBM warns

  • Enterprise AI is scaling fast, but governance isn’t keeping up
  • Weak governance is tied to security breaches, compliance problems and costly AI agent incidents
  • Enterprises need guardrails, registries and proportional governance before agentic AI spirals

Big Tech became infamous for the “move fast and break things” motto that defined the sector in the late aughts and early 2010s. Now, it seems enterprises are adopting a similar mindset in their rush to deploy agentic AI at scale. More than three-quarters (77%) of enterprise technology leaders said AI adoption is outpacing governance capabilities, a new IBM report found.

The results of the IBM report, based on a survey of 2,000 C-Suite-level technology leaders, were rather bleak. According to the report, 80% of respondents said they’re facing AI-oriented transformation mandates, with enterprises expected to deploy an average of 1661 agents by 2027. But just 11% said they’re fully prepared for the scale of what they’re being asked to deploy. 

“As AI scales, systems make decisions continuously, autonomously, and at volumes no human-centered governance model can realistically supervise,” the IBM report noted. The only plausible way to adapt, as ADNOC Group Chief Technology and Innovation Officer Dena Almansoori put it in the report, is a shift in governance tactics from “gates to guardrails.”

And yet governance isn’t keeping pace with AI rollouts. In addition to the statistic above about AI adoption outpacing governance, the IBM report found 70% of executives said internal teams are deploying AI faster than IT can track it and two-thirds said they’re responsible for outcomes in systems they don’t fully control.

IBM’s findings mirror those of an earlier report from the Thomson Reuters Foundation’s AI Company Data Initiative (AICDI). That study found 87% of companies have not publicly committed to any named AI governance framework, and only 12.4% said they have a policy in place to ensure a human oversees AI systems.

Among Communications Services companies, 65% reported having a formal AI strategy but only 34% said they follow at least one AI framework.

“References to policies, committees and high-level oversight appear more frequently than evidence of operational controls, dedicated resources, escalation pathways or monitoring mechanisms that would allow external stakeholders to understand how risks are managed once AI is deployed,” the AICDI report noted. 

Similarly, a recent Gartner report found that just 24% of organizations with a central GenAI strategy – and only 4% of those without said strategy – think they have the right agentic AI governance structures in place. 

Rising risks and the risk of failure

IBM’s report notes that a lack of governance is contributing to a rise in risks. It noted that in 2025 enterprises faced an average of 54 AI agent incidents, 17% of which were “high severity.” Those incidents caused a range of business impacts, including data exposure or security breaches (37%), cascading system failures (33%) and compliance issues (17%).

“In organizations with weak governance, more agents mean proportionally more incidents,” the report noted.

But those aren’t the only kinds of risks businesses face when unleashing ungoverned AI. They could also end up throwing away investment dollars. 

Gartner last month predicted that 40% of enterprises will demote or altogether ditch some of their autonomous AI agents due to governance failures by 2027. It separately warned 60% of organizations could fail to hit value targets for AI use cases next year thanks to incohesive governance frameworks.

Getting a grip on governance

So, with the alarm bells ringing, what’s an enterprise to do? Well, IBM recommended enterprises stop treating policy documents like active controls and start establishing minimum requirements agents must meet before going into production. 

“If an agent or model isn’t registered, owned, observable and stoppable, it doesn’t deploy,” IBM recommended.

It also suggested building a unified AI agent registry with information on who owns each agent, what it can access and how it’s monitored. Longer-term objectives include automating one governance control at a time – like model evaluation or deployment approval – and integrating these into monitoring platforms.

But Gartner also pointed out that some AI agents will need more governance than others.

“Enterprises are treating AI agent governance as binary, either locked down or fully trusted, and that is the root cause of failure,” Shiva Varma, Senior Director Analyst at Gartner, said in a statement. “When the same controls are applied indiscriminately, organizations encounter two common failure modes: over-restriction of simple agents…or under-restriction of more autonomous agents.”

Gartner advocated for a proportional approach across four autonomy levels spanning agents that observe, advise, act with approval and act autonomously.