Most enterprises believe they have AI under control—only to discover their governance is more illusion than reality. A recent VentureBeat survey of 40 companies found that 72% rely on two or more "primary" AI platforms, often layered on top of existing vendor ecosystems. This sprawl isn’t just inefficient; it’s widening security gaps at a time when AI-powered attacks are growing more sophisticated.
The vendor dependency paradox: building around imperfection
For large organizations, the temptation to offload AI development to hyperscalers is strong. Mass General Brigham (MGB), one of Massachusetts’ largest employers, initially embraced AI experimentation across its workforce of 90,000. But unchecked proof-of-concept projects led to chaos, prompting CTO Nallan “Sri” Sriraman to hit pause last year. Instead of building proprietary solutions, MGB chose to wait for enterprise software giants like Microsoft, Google, and Epic to mature their AI offerings.
The strategy made sense—why reinvent the wheel when industry leaders are investing billions? Yet even this approach has forced MGB into a contradiction. To mitigate risks like protected health information (PHI) leaks from Microsoft Copilot, the health system developed a custom "skin" around the tool. This workaround, now supporting up to 30,000 users, ensures sensitive data doesn’t spill back to Copilot’s underlying model provider, OpenAI.
Sriraman framed it bluntly: "Why are we building it ourselves? Leverage it." But the leverage comes at a cost. Vendors like Microsoft, Epic, Workday, and ServiceNow are now embedding AI agents into their platforms—each operating differently. MGB must now invest in a centralized "control plane" to orchestrate these agents, a layer of complexity most enterprises aren’t prepared for.
The governance mirage: confidence without control
The disconnect between perception and reality extends beyond individual companies. VentureBeat’s first-quarter research, spanning surveys of 40–70 respondents per topic area, paints a troubling picture. While 56% of enterprises claim confidence in detecting misbehaving AI models, the mechanisms to back up that confidence are often missing.
Nearly a third of organizations lack any systematic process to flag AI malfunctions until users report issues or audits uncover problems. In an era where 34% of generative AI incidents stem from telemetry leaks and the average global breach now costs $4.4 million, reactive detection is a losing strategy. The risks are real, yet too many companies are flying blind.
Ownership of AI governance is another weak point. While 43% say a central team holds responsibility, the reality is far murkier:
- 23% report governance is either unclear or contested between teams.
- 20% admit platform teams govern AI independently, creating silos.
- 6% have no formal ownership at all.
- The remainder are unsure who’s in charge.
The top barrier to effective governance? A stunning 29% cite the lack of a single accountable owner, closely followed by vendor opacity. Without clear accountability, enterprises struggle to demand transparency from providers—a critical gap when vendor claims about security and compliance often outpace reality.
The sprawl trap: lock-in, creep, and the day-two bill
The risks of AI sprawl extend beyond governance failures. Enterprises risk vendor lock-in as they integrate multiple AI platforms, each with proprietary tools and APIs. This fragmentation creates operational nightmares, especially as vendors add AI agents that operate in isolation.
Brian Gracely, Senior Director at Red Hat, highlighted the long-term costs of this approach during the VentureBeat Boston event. "The day-two bill is real," Gracely warned. "Once you’ve deployed these systems, untangling them becomes exponentially harder—and more expensive."
The alternative—centralized orchestration—requires significant investment, as MGB’s experience shows. Yet without it, enterprises face a cycle of reactive fixes, patchwork solutions, and escalating security risks. The message is clear: AI governance isn’t a set-and-forget task. It demands proactive ownership, vendor transparency, and a willingness to adapt as the landscape evolves.
As Sriraman put it, the AI marketplace remains "nascent." The rules are still being written, and the stakes couldn’t be higher. For enterprises, the choice isn’t just about adopting AI—it’s about mastering it before it masters them.