56% of Organisations Use Embedded AI, Creating Governance Gaps

New research from Optro (formerly AuditBoard) reveals that the greatest artificial intelligence (AI) risks facing enterprises no longer stem primarily from catastrophic model failures, but from the accumulation of everyday employee interactions with increasingly invisible AI systems operating across the organisation.

“At this early stage, AI risk is being driven as much by human behaviour as it is by the technology itself,” said Guru Sethupathy, GM of AI Governance at Optro. “Lack of sufficient review of AI output, moving too quickly without sufficient guardrails and shadow AI are examples of human behaviours that increase the surface area of AI risks.”

While much of the AI governance conversation remains focused on generative AI tools, the research identifies embedded AI inside enterprise software platforms as an equally significant, and potentially more dangerous, source of exposure. More than half (56%) of organisations already use embedded AI capabilities within vendor tools, approaching the adoption levels of generative AI itself (63%). Yet unlike standalone AI tools, employees often do not recognise embedded functionality as “AI usage,” creating major governance blind spots. Forty-four percent of respondents said they are concerned about employees’ lack of awareness regarding AI embedded inside enterprise tools.

At the same time, most governance, risk and compliance (GRC) structures appear fundamentally unprepared for this new reality. Only 34% of organisations maintain a formal AI model inventory, while just 31% have implemented AI incident response procedures. Nearly two-thirds (64%) of audit, GRC and IT decision-makers said they feel only somewhat confident, or outright unconfident, in their organisation’s visibility into third-party cyber risk, including risks introduced through vendor AI capabilities.

The research also reveals growing concern among security leaders that current governance approaches are failing to keep pace with emerging AI-enabled threats. More than a third of respondents (35%) believe overly permissive AI governance policies will accelerate AI-enabled social engineering and impersonation attacks.

“Traditional GRC frameworks are static and slow to update, but that is insufficient to keep up with how quickly AI technology and risks are evolving. For instance, few standards or guardrails consider agentic AI, and they need to be quickly updated to stay relevant. At many companies, governance is a point-in-time exercise, while AI risks are evolving in real time,” said Sethupathy.

The Future of GRC AI Governance
The report further indicates that organisations are rapidly approaching the limits of human-led governance models. Across security, audit and compliance functions, respondents consistently identified shortages in AI expertise, continuous monitoring capabilities and operational capacity as major barriers to effective oversight. Among CISOs, 23% said a lack of personnel with expertise in AI security and emerging risks represents their single biggest obstacle.

This suggests practitioners could greatly benefit from implementing emerging AI-powered technologies such as autonomous agents. Optro’s recent acquisition of Midship directly addresses this demand, deploying AI agents capable of automating up to 87% of manual controls tasks.

“AI sits on both sides of the risk coin—it will significantly increase the surface area of risk for all organisations, and at the same time, AI will be a critical component of the governance stack,” added Sethupathy. “We believe smart AI Governance will be a differentiator, enabling speed and trust.”