AI's Biggest Enterprise Risk May No Longer Be the Models: Study
The rise of AI inside enterprise software is creating new governance blind spots beyond generative AI.
As AI fades into the background of everyday work, a new challenge is emerging: managing how employees interact with systems they barely notice.
New research from Optro (formerly AuditBoard), titled ‘Human behavior: The AI risk surface GRC can’t ignore,’ suggests that organizations are entering a new phase of AI adoption in which governance gaps, human behavior, and limited visibility into third-party AI capabilities pose greater risks than headline-grabbing concerns about model failures.
The findings from over 800 IT, security, audit, and governance, risk, and compliance (GRC) professionals arrive as AI adoption shifts from standalone generative AI applications to AI-enabled features embedded in enterprise software.
While 63% of surveyed organizations reported using generative AI tools, nearly as many (56%) are already relying on AI capabilities integrated into vendor platforms. The distinction matters because employees often do not recognize embedded functionality as AI, creating governance blind spots that many organizations are ill-equipped to manage.
Nearly half (44%) of respondents expressed concern about employees’ lack of awareness regarding AI embedded within enterprise applications. According to Guru Sethupathy, general manager of AI Governance at Optro, many of today’s risks stem from routine workplace behaviors rather than technical failures.
“At this early stage, AI risk is being driven as much by human behavior as it is by the technology itself,” Sethupathy said.
The findings point to a widening disconnect between the pace of AI deployment and the maturity of governance structures designed to oversee it.
Only 34% of organizations maintain a formal inventory of AI models, while just 31% have established AI-specific incident response procedures. Meanwhile, 64% of audit, risk, compliance, and IT leaders reported limited confidence in their organization’s ability to monitor third-party cyber risks, including those introduced through vendor AI systems.
The challenge reflects a broader shift in enterprise risk management.
Historically, governance frameworks have been designed around relatively stable technologies and periodic risk assessments. AI, particularly as organizations begin experimenting with autonomous agents and continuously learning systems, introduces risks that evolve in real time.
Security leaders appear increasingly concerned that governance mechanisms are lagging behind emerging threats. At the same time, organizations face a practical constraint: a shortage of expertise and operational capacity needed to oversee rapidly expanding AI deployments.
Among chief information security officers surveyed, nearly one-quarter identified a lack of personnel with AI security expertise as their biggest obstacle to effective governance. The result is a growing recognition that AI may be required not only as an object of governance but also as a tool for governance itself. This dual role positions AI as both a source of risk and a potential solution.
The companies that succeed, Sethupathy argues, will be those that can build trust and speed simultaneously.
“AI sits on both sides of the risk coin,” he said. “It will significantly increase the surface area of risk for all organizations, and at the same time, AI will be a critical component of the governance stack.”
For enterprise leaders, the implication is becoming clearer: the next generation of AI governance will depend less on controlling individual models and more on understanding how AI permeates systems, workflows, vendors, and employee decision-making across the organization.
