The people charged with catching ungoverned AI inside the enterprise have now said, on the record, that they cannot.
A survey released this month by Optro, the GRC platform formerly known as AuditBoard, polled 822 audit, GRC, and IT decision-makers at companies with at least $100 million in revenue. Fifty-nine percent are concerned about shadow AI: employees running unapproved tools outside any sanctioned channel. Sixty-two percent worry about sensitive data flowing into those tools. Then the control side of the ledger: 18 percent work in organizations that actively block unauthorized AI domains, 34 percent have an AI model inventory, and 31 percent have AI incident response procedures. The same survey records 82 percent reporting a rise in AI-enabled attacks over the past year.
The gap matters because concern is not a control. An organization where six in ten risk leaders are worried and fewer than two in ten have structural defenses has not underestimated the risk. It has measured the risk accurately and declined to fund the response. Diligent's parallel survey of 309 senior governance professionals explains why: 46 percent say their workload has grown with no added headcount, and 52 percent say their boards still treat governance as administrative rather than strategic.
This is where the Governance Boundary Principle earns its keep. Blocking domains, building the model inventory, writing the incident playbook: that is management's work. Knowing whether that control architecture exists, and refusing to accept documented concern as a substitute for it, is the board's.
The question worth carrying into your next meeting: if your risk leaders were surveyed anonymously tomorrow, would they describe your AI controls, or their AI worries?