The AI Governance Gap: 83% Use It, 25% Govern It

June 16, 2026 · 4 min read

A compliance team rolls out an AI writing assistant on a Monday. By Friday, half the department is using it to draft client replies, summarize contracts, and tidy up internal memos. The tool works. People like it. And nobody has written down what should happen when one of those AI-assisted drafts carries a confidential figure, a regulated claim, or a sentence that was never meant to leave the building.

That sequence is now the norm, and there is data to prove it.

🔬 Compliance Week’s 2026 research put hard numbers on the problem. More than 83 percent of compliance teams report using AI tools. Only about 25 percent have a strong governance framework in place. The same body of work shows adoption climbing fast: AI use among compliance teams rose from 41 percent in 2023 to 56 percent in 2024, and past 83 percent today.

Source: Compliance Week, “Inside the Mind of the CCO” 2026 and the 2026 AI & Compliance survey.

Read those two numbers next to each other. Four in five teams have the tool. One in four has the rules. That space between them is where the risk lives.

Adoption was the easy part

The survey is direct about the direction of travel. Leadership is pushing AI adoption from the top down, faster than compliance teams can build controls around it. The report names “unmanaged employee use” as one of the main sources of friction. In plain terms: people are already using these tools every day, and the oversight is still being drafted.

The challenge has shifted. Convincing people to adopt the tool is done. Governing something that is already in everyone’s hands is the new job.

The gap has a location

Most AI governance work lives in two places. The first is the policy document: the acceptable use guideline, the data handling rule, the training deck. The second is after-the-fact review: archiving, eDiscovery, the Monday morning report. Both matter. Neither one is present at the moment that actually creates exposure.

That moment is narrow and specific. It is the second an employee finishes an AI-assisted message and sends it out of the building. The policy sits in a shared drive. The review happens days later. In between, the message is already gone.

Reviewing a sent message is reviewing history

Tools that work after the send are useful for the record, but they cannot change the outcome. By the time a risky line shows up in an archive or an eDiscovery export, it is already in someone’s inbox, already forwarded, already part of a thread you do not control. The 25 percent figure is about more than whether a policy exists. It is about whether the policy can act at the one moment it needs to.

Closing the gap where writing happens

The missing layer is real-time, pre-send detection. Something that reads a message as it is being written, warns the sender before a confidential or regulated line goes out, and gives compliance a department-level view of where pressure is building, without reading individual emails.

This is the layer VerbaPulse covers. It runs inline inside the tools people already use, flags risk while the message is still a draft, and reports patterns at the team level instead of surfacing names. Adoption moved fast. A control at the point of writing can move at the same speed.

⚠️ To be clear about scope: a pre-send writing control is not a full AI governance program. It does not inventory models, score vendors, or audit for bias. It closes one slice of the gap, the outgoing communication layer, which happens to be the slice with the highest exposure and the least coverage today. Treat it as a complement to a broader framework, not a replacement for one.

Three questions to ask your team this week

  • Where does an AI-assisted message get checked before it sends? If the honest answer is “nowhere,” you are in the 75 percent.
  • Can your compliance team see communication risk patterns without reading individual emails? Privacy and oversight sit together if the design is right.
  • How long would it take to add a real control? If governance has to move at the speed of adoption, setup measured in days, not quarters, is what keeps up.

Compliance Week’s 2026 work points to one conclusion. Adoption outran governance, and the gap is widest at the point of communication. That is a solvable problem, and it is solvable today.


Next in this series: what a department-level writing risk report actually looks like, and why it does not require reading a single private message.

See how VerbaPulse flags risk before an email is sent, right inside Gmail and Outlook.
