Enterprise AI Adoption Is Outpacing Governance Implementation

Unsurprisingly, Artificial Intelligence (AI) was a key discussion topic at the World Economic Forum (WEF) 2026, reflecting the growing concern around the use of AI, especially shadow AI, and the deployment of agentic systems within enterprises vastly outpacing the setup and installation of robust governance frameworks. Shadow AI, or the unapproved/unvetted use of AI tools, creates a major security risk for enterprises as employees use these tools to automate significant portions of their jobs. Massachusetts Institute of Technology’s (MIT) State of AI in Business 2025 report found that while 40% of surveyed companies had purchased Large Language Model (LLM) subscriptions, 90% of their employees regularly utilized LLMs, often leveraging their own personal LLM subscriptions. Risks surrounding proliferation of shadow AI within an enterprise include:

• Data Leakage: Prompts into unapproved LLMs risk the leak of confidential information, and it is extremely difficult to validate that this has not been retained by the LLM platform. Furthermore, this could also result in issues surrounding data residency, as data processing may occur outside of sovereign regulatory requirements.
• Lack of Oversight: Unlike approved enterprise applications, shadow AI use does not provide any visibility into what has been accessed, or when. If there is an incident, there is no way to investigate the cause.
• Compliance Requirement Violations: A lot of data must be stored, processed, and accessed in accordance with compliance regulations. Feeding this data into external LLMs could easily violate these rules, exposing organizations to legal risks.

Announcements from both government and enterprise domains reinforced the heightened scrutiny of how agentic systems are integrated within enterprise workflows. Singapore’s Minister for Digital Development & Information announced the launch of an Agentic AI governance framework built upon the foundations of the Model AI Governance Framework for Generative AI (MGF) for AI, which was introduced in 2020. This document provides a comprehensive framework with suggested best practices for both technical and operational aspects of AI governance for enterprises to mitigate risks.

Also announced at WEF, IBM and Etisalat (e&) announced a strategic collaboration to help e& advance toward an enterprise-grade Agentic AI foundation, focusing on policy, risk, and compliance as e& moves beyond chatbots toward governed AI systems. They introduced an Agentic AI solution built on IBM watsonx.Orchestrate to help employees and auditors quickly access and interpret legal, regulatory, and compliance information.

Taken together, these announcements underscore the growing disconnect in the operationalization and governance of Agentic AI. This increases operational risk for enterprises as systems act across tools, data sources, and foundation models, without a coherent way to enforce policy compliance at runtime. According to a recent survey by Okta, while 91% of organizations already use AI agents, only 10% of respondents believe their organization has a well-developed strategy/roadmap for AI governance.

The operational risks of deploying agentic systems within an enterprise and the increased focus on governance has positioned Independent Software Vendors (ISVs) as key partners for foundation model developers in strengthening the penetration of their models within enterprises in a governed fashion, including the following partnerships:

• Snowflake and OpenAI signed a US$200 million agreement to deliver advanced AI capabilities to enterprises through a joint Go-to-Market (GTM) and innovation strategy. OpenAI’s models are now natively available on Snowflake’s Cortex AI platform, as well as leveraging Snowflake’s Horizon Catalog for governance and uptime Service-Level Agreement (SLA) guarantees.
• ServiceNow has signed partnerships with both OpenAI and Anthropic to provide model access within the ServiceNow AI Platform, allowing the model to access enterprise data, while respecting governance and permissions. Anthropic’s Claude model is now the default model for ServiceNow Build Agent, with the coding capabilities of the model now exposed to developers in a governed environment.

Foundation model developers do recognize that such partnerships are not enough for enterprises and have also established close partnerships with management consulting firms such as Boston Consulting Group (BCG), or built an in-house consulting arm like OpenAI has, to help enterprises build their governance strategy from the ground up and strengthen their own GTM strategy. This implies that ISV platforms are currently not sufficiently easy to use for enterprises establishing a governance framework, so model developers are going around them to aide enterprises directly.

These ISV-led governance frameworks will become increasingly important as regulatory pressure mounts. For example, with the EU AI Act’s provisions set to become enforceable this year and Korea’s Basic AI Act, enterprises deploying agentic systems within their workflows face growing compliance requirements around risk assessment, transparency, and human oversight. ISVs embedding governance controls into their platforms are enabling enterprises to adopt AI without forcing them to build parallel governance infrastructure. However, the lack of a uniform AI governance definition between ISVs is likely to cause significant friction with enterprises in the long term, with interoperability across different models for multi-agent systems and their own requirements in how model governance is established, potentially causing model lock-in and migration strain.

The growing importance of governance and guardrails within AI platforms that enterprises choose to deploy is set to place greater scrutiny on ISVs and horizontal platform providers. Platforms such as Google Cloud’s Vertex AI, AWS Bedrock, IBM’s watsonx, and Microsoft’s Azure AI Foundry already have some governance capabilities, and these undoubtedly will have to grow beyond data governance in the short term.

Looking ahead, enterprises will no longer evaluate platforms on model availability, but on the maturity of its governance strategy for its vertical. For domain-specific platform providers to differentiate, they must quickly move to invest in use case-level governance capabilities. This includes tiered human-in-the-loop frameworks that define autonomy escalation thresholds based on risk level, prebuilt playbooks for regulated verticals, and role-based access controls tailored to agentic workflows. Domain-specific platform providers are uniquely positioned to quickly embed such guardrails, while horizontal players cannot afford to modify and tailor their platforms without having dedicated consulting teams, rapidly escalating their own costs. They will rely on their own partnerships, such as Amazon’s newly established AWS McKinsey Group (AMG) to help adoption, so domain-specific players must move quickly to capture their current advantage.