GRCcareers.ai

Navigating the Wave: How Corporate GRC Is (or Isn't) Keeping Pace — Part One

By Stephan Pochet · May 2, 2026 · 18 min read

In the governance, risk, and compliance community, there is a recurring temptation to treat AI as a technology trend — something that compliance teams will eventually catch up to, once the regulatory picture clarifies and the tooling matures. This temptation should be resisted. The data from 2024–2026 do not describe a technology trend. They describe a governance gap that is widening faster than organizations are closing it, with regulatory enforcement closing in from multiple directions simultaneously.

This essay surveys the forces driving that gap. It draws on public regulatory filings, enforcement records, securities disclosures, and industry survey data to map where the pressure is coming from and what it demands. It connects to the structural analysis in The Four Blind Spots of Force-Fitting AI Into Traditional Governance — the regulatory pressure cataloged here is, in many cases, a direct response to exactly the governance failures that essay identifies. It also connects to the vocabulary problem analyzed in The 2026 GRC-AI Lexicon — navigating the regulatory landscape requires fluency in AI terminology that many GRC functions are still building.

The Incident Data That Should Alarm Every Risk Committee

233 verified AI incidents in 2024 (AI Incident Database)
362 verified AI incidents in 2025, a 56% year-over-year increase
72% of S&P 500 companies citing AI as a material risk in 10-K filings (up from 12% in 2023)

The AI Incident Database is the closest thing the industry currently has to a standardized catalog of real-world AI failures. Its 2025 figures — 362 verified incidents, a fifty-six percent increase over 2024 — are significant for two reasons. First, the absolute number understates the true incidence rate: the AIID captures incidents that become publicly known, while a substantial proportion of AI failures in enterprise settings are handled quietly. Second, the distribution across categories is telling. The largest growth categories in 2025 were discriminatory output (cases where AI systems produced or amplified biased decisions with documented harm), autonomous action incidents (cases where AI systems took consequential actions beyond their intended scope), and factual error incidents in professional service delivery.

Against this backdrop, the Drata State of GRC 2025 survey found that the average enterprise operates under eight compliance frameworks simultaneously — and that 51% of compliance professionals cite increasing regulatory complexity as the primary driver of budget pressure in their function. The same survey found that AI governance was the fastest-growing new compliance category but remained the most underfunded relative to its assessed risk exposure. The organizations managing eight frameworks simultaneously have not yet found the bandwidth to build a ninth.

Federal Signals: Executive Orders and the US AI Action Plan

Executive Order 14365 (December 11, 2025)

Executive Order 14365, signed on December 11, 2025, directed federal agencies to accelerate AI adoption across government operations while establishing a governance framework that requires AI risk assessments, model governance documentation, and vendor certification standards for AI systems serving the federal government. For GRC professionals in private sector organizations, EO 14365 matters because its vendor requirements propagate downstream: any organization selling AI-enabled services to federal agencies must satisfy the governance documentation and risk assessment standards the Order establishes.

EO 14365 also signaled a directional shift in the federal approach to AI risk: accelerate deployment while governing the risks, rather than constrain deployment pending governance development. This is a materially different posture from the Biden-era EO 14110, which had emphasized safety evaluation before deployment for frontier models. The shift means that the federal regulatory backstop that some organizations had counted on — the assumption that federal agencies would constrain the pace of AI deployment — is weaker in 2026 than it was in 2024.

The US AI Action Plan

The US AI Action Plan, developed through an interagency process under EO 14365, outlined the federal government's approach to maintaining US leadership in AI while managing risk. Its governance implications for private sector organizations include: a strengthening of NIST's AI Risk Management Framework as the de facto US standard for AI governance; increased emphasis on sector-specific AI standards (financial services, healthcare, critical infrastructure); and a parallel track approach — federal agency adoption of AI with governance requirements that then inform private sector expectations.

The contrast with the EU AI Act is instructive. The EU approach is prescriptive: it defines risk tiers, specifies requirements for each tier, and creates a single enforcement structure. The US approach remains principles-based and sector-fragmented, with NIST's AI RMF providing voluntary guidance that different agencies and sectors are adopting at different paces. For organizations operating in both jurisdictions, this creates the compliance challenge of satisfying a prescriptive framework (EU) while navigating a fragmented one (US) — without the benefit of a single consolidated standard that satisfies both.

State-Level Action: Thirty-Six AGs and the Enforcement Gap

The November 2025 Letter

In November 2025, a coalition of thirty-six state attorneys general sent a coordinated letter to federal leadership demanding AI legislation that would establish minimum consumer protection standards, require transparency in AI-driven decisions affecting consumers, and create private rights of action for AI-related harms. The letter was explicitly a response to what the AGs characterized as the inadequacy of existing federal law — specifically, that the FTC's unfair and deceptive practices authority, while applicable in principle to AI misconduct, operates only at the regulatory enforcement level and creates no private right of action for consumers harmed by AI system failures.

The significance of the letter for GRC professionals is twofold. First, it signals that state-level enforcement of AI-related consumer harms is a live and growing risk — the AGs were not waiting for federal action; they were using the letter to establish a public record while simultaneously pursuing enforcement actions under existing state consumer protection statutes. California's AG Rob Bonta had already issued a cease-and-desist to xAI over Grok's image generation outputs. Second, the thirty-six-state coalition represents a scale of coordinated state action that has historically preceded federal legislation — the same coalition dynamic appeared in the early years of state data breach notification law and state-level opioid litigation before federal action consolidated the framework.

State Legislative Activity

Beyond enforcement action, state legislatures entered 2026 with more than three hundred AI-related bills introduced across forty-four states. The categories most relevant to GRC practice include: automated decision-making transparency requirements (requiring disclosure when AI is used in consequential decisions affecting individuals); algorithmic impact assessment mandates for high-stakes AI deployments; AI bias audit requirements for employment-related AI systems; and data governance requirements for AI training data. The patchwork quality of state AI law — with inconsistent definitions, varying thresholds, and overlapping jurisdictions — is itself a compliance management challenge that has not been absorbed into most organizations' compliance management systems.

The Stanford RegLab's 2025 analysis of state AI legislation found that the average organization with operations in fifteen or more states was potentially subject to seven to twelve distinct AI governance obligations under state law — a compliance burden that most compliance functions were not yet systematically tracking. The implications for compliance staffing and compliance technology investment are significant.

Agency-by-Agency: SEC, FTC, CFPB, and Financial Stability

SEC: Climate Rule Death and AI Disclosure

The SEC's climate disclosure rule, finalized in 2024, was effectively killed by court challenge and subsequent agency action in 2025 — a development that some governance professionals interpreted as a signal that the disclosure-driven approach to emerging risk would be constrained. The AI disclosure picture is more nuanced. The SEC's guidance on material risk disclosure has been interpreted by securities counsel as requiring disclosure of material AI-related risks in 10-K filings, and the dramatic jump in AI risk disclosure rates (from 12% to 72% of S&P 500 companies in two years) reflects legal counsel acting on that interpretation. The SEC has not issued specific AI disclosure guidance equivalent to its climate disclosure rules, but the existing materiality framework creates disclosure obligations for organizations with significant AI risk exposure.

The disclosure-without-governance pattern — acknowledging AI as a material risk in SEC filings without building the governance infrastructure to manage the disclosed risk — is the board reality problem examined below.

FTC: Section 5 and the Workado Order

The Federal Trade Commission's enforcement posture on AI has been active. The agency's Section 5 unfair and deceptive practices authority applies to AI marketing claims, AI-driven consumer harm, and AI-enabled deceptive practices. The Workado consent order established clear expectations for AI service providers: no material misrepresentations about AI output accuracy, mandatory disclosure of AI involvement in service delivery, and ongoing monitoring requirements. For enterprise AI governance, Workado's significance is that it established the FTC's willingness to apply its existing authority to AI-specific conduct — without waiting for new AI legislation.

The FTC has also pursued AI-related enforcement in the context of its Reverse CFIUS-style authority over technology acquisitions with AI implications — scrutinizing deals where AI capability acquisition raises competitive concerns. The implication for GRC functions is that AI M&A due diligence now requires regulatory risk assessment as a standard component, not just an emerging practice.

CFPB: AI in Lending and the Adverse Action Problem

The Consumer Financial Protection Bureau has been among the most active agencies in applying existing law to AI-specific practices. The CFPB's guidance on adverse action notices — the requirement under the Fair Credit Reporting Act and Equal Credit Opportunity Act that lenders provide specific reasons for credit denials — has been interpreted to require that adverse action notices for AI-driven credit decisions be sufficiently specific to be meaningful, not simply references to "our model" or "algorithmic assessment."

The governance implication is direct: organizations using AI in credit, insurance, employment, or other consequential decisions must be able to generate human-comprehensible adverse action explanations — which in turn requires that the AI system architecture support explainability at the individual decision level, not merely at the model level. This is a technical requirement with compliance consequences, and it creates a governance interface between the model risk function and the compliance function that many organizations have not yet built.

Financial Stability Board: AI Concentration Risk

The Financial Stability Board's 2025 report on AI in financial services identified AI hardware concentration risk as an emerging systemic concern: the fact that a substantial proportion of the world's AI inference capacity runs on a small number of hardware platforms from a small number of vendors creates a concentration of systemic risk that the FSB analogized to the concentration risks it monitors in clearing and settlement infrastructure. For financial services GRC teams, the FSB's analysis creates a new dimension of vendor risk management: the resilience of the AI provider's underlying hardware infrastructure, and the systemic implications of disruption at the infrastructure layer.

Blackstone's Jonathan Gray made a widely cited observation in early 2026 that AI infrastructure concentration — specifically, the dependence of financial services AI on a small number of cloud GPU providers — represented an underappreciated systemic risk that boards had not yet fully internalized. The observation resonated because it came from a practitioner at one of the world's largest investment organizations, not from a regulatory body.

The Board Reality: What 10-K Filings Reveal

The Disclosure-Governance Gap

The jump from 12% to 72% of S&P 500 companies disclosing AI as a material risk in their 10-K filings between 2023 and 2025-2026 is striking. What is equally striking is what did not change at the same pace: board composition (the proportion of boards with AI-specific expertise), internal audit coverage of AI (the proportion of internal audit functions with AI-specific audit programs), and model risk management infrastructure (the proportion of organizations with formal model governance programs extending beyond the financial services sector, where model risk management is a regulatory requirement).

The disclosure-governance gap — acknowledging AI risk formally while lacking the governance infrastructure to manage it — is not primarily a disclosure problem. It is a governance capability problem. Organizations that have disclosed AI as a material risk but have not built the controls, oversight structures, and accountability mechanisms to manage that risk are not simply in violation of good governance practice. They are exposed to the argument, in a post-incident context, that they knew the risk was material and failed to act — a particularly unfavorable posture from the perspective of securities litigation and regulatory enforcement.

The Eight-Frameworks Problem

The Drata State of GRC 2025 survey finding that organizations average eight compliance frameworks simultaneously provides context for why the governance capability gap persists. Building a ninth framework — AI governance — requires organizational capacity that is already fully committed to managing the existing eight. The compliance function that is simultaneously managing SOC 2, ISO 27001, HIPAA, GDPR, SOX, PCI-DSS, NIST CSF, and FedRAMP does not have obvious bandwidth for a comprehensive AI governance program.

The resolution to the eight-frameworks problem is not to add AI governance as a ninth standalone framework but to integrate AI governance into existing frameworks — extending model risk management to cover non-financial AI, adding AI-specific controls to the organization's information security framework, and incorporating AI behavioral monitoring into the existing internal audit program. The organizations that are making the most governance progress are the ones that are integrating rather than layering.

The Cycore Budget Survey Findings

The Cycore 2025 compliance budget survey found that 51% of compliance professionals cited the increasing complexity of the regulatory environment as the primary driver of budget pressure. The survey also found that AI governance was the compliance category with the largest gap between assessed risk and allocated budget — organizations recognized the risk but had not converted recognition into resources. The budget gap matters for GRC career professionals: it creates demand for individuals who can build AI governance programs efficiently, integrating with existing frameworks rather than building from scratch.

What GRC Professionals Must Build Now

The regulatory landscape described above creates a convergent set of demands on GRC functions. They are not all at the same urgency level, and the appropriate prioritization depends on an organization's sector, geography, and current AI deployment profile. But several elements are common across virtually all enterprise GRC contexts.

AI Risk Register Integration

The starting point is integrating AI-specific risks into existing risk registers — not as a separate AI risk register, but as AI-specific entries within the existing register structure. This means identifying each AI system currently deployed, documenting its purpose and decision scope, assessing the risk profile (including the scale multiplier discussed in the blind spots analysis), and mapping the existing controls against the AI-specific risk categories: hallucination, model drift, emergent behavior, adversarial input, and autonomous action scope.

Vendor AI Governance Program

Most organizations' AI risk is primarily vendor risk — they are deploying AI systems built by third-party providers rather than building their own models. This means that vendor risk management is the highest-leverage governance investment for most GRC functions. The specific vendor governance requirements — baseline performance benchmarks, drift monitoring rights, model update notice provisions, liability allocation for output errors — are analyzed in detail in The Fight for AI Credit Justice. The organizational capability to execute this vendor governance program is typically located in the intersection of the GRC function, legal, and procurement.

Model Audit Trail Infrastructure

Regulatory requirements converging from the EU AI Act, CFPB adverse action guidance, FTC enforcement activity, and sector-specific frameworks (FDA for healthcare AI, OCC/Fed for banking AI) all imply some version of the model audit trail concept: a documented record of model behavior over time that enables post-hoc accountability. Building this infrastructure before it is legally required — as a proactive governance investment — is substantially easier than building it in response to an enforcement action or incident investigation.

Board Reporting Architecture

The disconnect between the pace of AI system behavior and the cadence of board oversight cycles, analyzed as the fourth blind spot in The Four Blind Spots, creates a specific demand on GRC functions: building the information architecture that bridges AI operational monitoring and board reporting. This means defining the AI risk metrics that boards receive, the escalation triggers that activate board-level attention, and the ongoing monitoring indicators that assure boards that AI systems are behaving within their intended parameters.

For GRC professionals building these capabilities, the Governance & Compliance blog provides ongoing coverage of regulatory developments, while ExecSearches Compliance Jobs lists active roles in this emerging governance function. The vocabulary needed to execute this work precisely is in The 2026 GRC-AI Lexicon, and the intellectual property implications that AI governance must also address are in The Intelligent Plagiarism.

Frequently Asked Questions

What is Executive Order 14365 and what does it mean for GRC?

Executive Order 14365, signed December 11, 2025, directed federal agencies to accelerate AI adoption while establishing governance requirements including AI risk assessments, model governance documentation, and vendor certification standards. For private sector organizations, it matters because its vendor requirements propagate to any company selling AI-enabled services to federal agencies — and because it signals the federal government's posture: accelerate deployment, manage the risk, rather than constrain deployment pending safety resolution.

What was the 36 state attorneys general letter on AI?

In November 2025, 36 state AGs sent a coordinated letter demanding federal AI legislation establishing minimum consumer protection standards, AI decision transparency requirements, and private rights of action for AI-related harms. The letter signals that state-level enforcement is a live risk — states are not waiting for federal action. California AG Rob Bonta had already issued a cease-and-desist to xAI over Grok's image generation outputs, providing a preview of state enforcement posture.

What percentage of S&P 500 companies cite AI as a material risk?

Approximately 72% of S&P 500 companies cite AI as a material risk factor in their 10-K filings, up from approximately 12% in 2023. This disclosure surge has outpaced the development of internal governance structures — creating a disclosure-governance gap that is itself a legal risk: organizations that disclosed AI as material but failed to build governance infrastructure are exposed to the argument that they knew the risk and didn't act.

What is the EU AI Act enforcement timeline?

Prohibited AI practices became applicable February 2026. GPAI model obligations and most high-risk AI system requirements under Annex III apply from August 2026. Full provisions apply by August 2027. The Act applies to any organization placing AI systems on the EU market or affecting people in the EU — regardless of where the organization is headquartered. Non-EU organizations with EU operations, customers, or data subjects are in scope.

What did the FTC's Workado consent order establish?

The Workado order established that AI service providers cannot make material misrepresentations about output accuracy, cannot characterize AI output as human-generated work product, and must maintain ongoing monitoring and audit programs. For GRC teams, Workado confirmed that the FTC's existing Section 5 authority is an active enforcement mechanism for AI product claims — no new AI legislation is required for the FTC to act.

Where can compliance professionals find resources on AI GRC roles?

GRCcareers.ai publishes ongoing analysis of the AI governance career landscape. For active role listings, visit the ExecSearches Compliance Jobs hub. The Governance & Compliance blog covers regulatory developments relevant to compliance professionals navigating the AI transition.

About the Author

Stephan Pochet is the founder of GRCcareers.ai and ExecSearches.com. He has spent more than two decades placing senior executives across nonprofit and public-sector organizations and launched GRCcareers.ai to address the emerging intersection of AI governance and executive talent.

