AI Governance Gap Widens as Enterprises Report Security Incidents | eWeek

AI Governance Gap Widens as Enterprises Report Security Incidents

Enterprise AI governance gap dashboard showing AI systems, audit trails, access controls, warning indicators, and network visibility inside a data center

Enterprise AI adoption is putting new pressure on governance, visibility, and security controls. Image: Generated via Google's Nano Banana 2

Écrit par
eWEEK Staff
eWEEK Staff
Jul 8, 2026
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Enterprise AI is moving from pilot projects into production faster than many companies can secure it.

A July 7, 2026, DigiCert report found that 78% of surveyed organizations experienced AI-related incidents or identified AI-related vulnerabilities. Because the findings are self-reported, they should be read as a snapshot of enterprise security experience, not independently verified incident telemetry.

The report, based on a May 2026 survey of 1,001 IT and cybersecurity decision-makers in the United States, United Kingdom, and Australia, found that 75% of organizations deployed four or more AI-powered systems in the six months before the survey. Almost half lacked centralized visibility into AI systems and activity, according to the DigiCert report.

That leaves CISOs, CIOs, and platform leaders managing AI tools already embedded in support, software development, security operations, and internal workflows without consistent visibility, ownership, or response processes.

Security risks now span users, apps, and infrastructure

Separate Gartner research adds security context. In a survey of 302 cybersecurity leaders across North America, EMEA, and Asia-Pacific, Gartner found that 62% of organizations experienced a deepfake attack involving social engineering or automated process exploitation in the previous 12 months, according to an ITPro summary of the findings.

That human-facing risk includes phishing, impersonation, voice cloning, synthetic media, and attempts to manipulate employees or automated business processes. Older awareness programs may not be enough for attacks that imitate trusted voices, personalize lures, or use AI to scale phishing across large victim pools.

Application and infrastructure teams face their own exposure. Gartner’s survey found that 32% of respondents experienced adversarial prompting attacks, while 29% experienced attacks on AI application infrastructure, putting model-serving environments, APIs, data stores, vector databases, and access controls inside the AI security discussion.

AI controls lag behind production use

DigiCert found that 90% of organizations discuss AI governance at the executive or board level, but only about half have formal AI governance programs. Forty-seven percent also said they cannot fully trace AI decisions back to the models and source data that produced them.

That traceability gap affects audits, compliance reviews, and incident response. If a model exposes sensitive data, produces a flawed recommendation, or acts through an automated workflow, teams need to know which system was involved, what data it accessed, and who owns the response.

The same issue applies to AI agents and other non-human actors, which need monitoring, access limits, audit logs, and stopping mechanisms as they gain access to enterprise tools. Organizations also need a clear way to revoke trust after a compromise.

Regulated sectors face an added standards challenge. On April 7, 2026, NIST released a concept note for an AI RMF Profile on trustworthy AI in critical infrastructure, but that profile is not yet a final reference point.

Enterprises do not need a separate AI security universe. They need AI controls mapped into existing programs: visibility into AI systems and agents, adversarial testing for applications, traceability back to models and data sources, and incident-response planning for autonomous attack workflows.

Without inventories, access controls, traceability, and response plans, board-level concern will not translate into defensible AI security.

Read more: Researchers have also shown how an AI worm can choose its own attack path, underscoring why enterprise threat models need to account for more autonomous malware behavior.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.