Only 13% of IT and security professionals say they have full visibility into the AI tools active inside their organisation, exposing a governance gap at the centre of corporate risk, compliance, and audit control.
New research from Drata found that 87% of respondents are attempting to govern AI use they cannot fully see. The company’s State of GRC in the Age of AI report was conducted by Wakefield Research and surveyed 300 IT and security professionals on AI adoption, risk, and governance habits.
The findings suggest that AI adoption inside governance, risk, and compliance functions has outpaced oversight, accountability, and procurement discipline. Drata said 71% of organisations reported that an AI tool used for GRC had led to a failed audit or lapsed regulatory standard at least once.
The research also found that 86% of teams agree many GRC-focused AI tools are not enterprise ready, while 83% said they are not fully prepared for the coming wave of AI integration. Three-quarters of organisations are discontinuing underperforming AI tools faster than they used to, and more than half revert to manual processes when shortcomings are exposed.
Matt Hillary, CISO and SVP of security at Drata, said: “The horizontal AI platform era in GRC is over.”
Drata’s data points to a change in procurement preference. Sixty-four per cent of respondents prefer targeted agentic AI systems over broad all-in-one platforms. Among risk-focused buyers, that figure rises to 70%, suggesting buyers want specific, repeatable, and defensible outcomes rather than broad promises of automation.
AI governance is increasingly becoming a board-level operating concern. That can already be seen in the adoption of governed AI agents in core enterprise workflows and in growing expectations around board-level cyber governance. Drata’s research adds a compliance layer: organisations may be deploying AI into functions designed to control risk before they have control over the AI itself.
Visibility is the starting point. Governance depends on inventory. Companies need to know which tools are being used, by whom, with what data, for which process, under which contractual terms, and with what audit trail. Without that baseline, policies can become theoretical and security controls can miss actual usage.
GRC is particularly exposed because its outputs influence audit evidence, vendor reviews, control testing, compliance documentation, risk assessments, and regulatory readiness. If AI tools generate incomplete, inaccurate, or poorly evidenced material, the organisation may not discover the weakness until an audit or compliance review has already identified a gap.
The return to manual processes is also instructive. AI is often bought to reduce workload, speed evidence collection, and improve control monitoring. If weak tools create audit failures, teams may add human review after the fact, increasing work rather than reducing it. That can weaken confidence in AI procurement more broadly.
Agentic systems may address some of that frustration if they are narrowly scoped, auditable, and accountable for defined outcomes. A targeted agent handling evidence mapping, vendor questionnaire support, or policy change tracking may be easier to test than a broad platform promising to transform the entire GRC function.
Agentic AI also creates new control demands. Each agent needs access management, logging, data boundaries, escalation rules, testing, procurement review, and ownership. If those disciplines are weak, a targeted tool can still create exposure.
Buyers need to ask vendors not only what AI can automate, but how outputs are evidenced, how errors are handled, how models are secured, how data is used, and who is accountable when an outcome fails. Trust centres, clear ownership, and transparent vendor security information may become more important as AI is embedded into compliance workflows.
GRC teams have long existed to create confidence in systems, controls, and accountability. Drata’s research suggests the next test is whether they can apply the same discipline to the AI tools now entering their own function.




You must be logged in to post a comment.