
AI Governance Is the Missing Layer, and Four Independent Sources Just Proved It

The American Arbitration Association surveyed 500 senior legal and executive leaders. RSM surveyed 501 middle market executives. Grant Thornton analyzed Michigan's new AI bulletin for financial services. Finextra said it plainly: AI governance is the missing layer in fintech AI deployment. Four independent sources. One finding. The gap between AI governance on paper and AI governance in practice is the defining enterprise risk of 2026.

Updated on May 15, 2026

Four research reports landed this week. They came from completely different organizations, surveyed completely different populations, and were written for completely different audiences. The American Arbitration Association surveyed 500 senior legal and executive leaders at large organizations across the US and Canada. RSM surveyed 501 middle market executives about cybersecurity and AI. Grant Thornton analyzed Michigan's new regulatory bulletin for financial service providers. And Finextra published an editorial thesis aimed squarely at the fintech sector.

Every single one of them arrived at the same place. AI governance frameworks are being built. Policies are being written. Ownership is being assigned. And the systems that are supposed to govern AI are failing to do any of it in practice. Finextra put the thesis plainly: AI governance is the missing layer in fintech AI deployment. The data from the other three sources proves that thesis across every segment of the market, large and small, financial services and beyond.

That convergence is the story. When four independent organizations — a legal institution, a middle market advisory firm, a Big Four equivalent, and a fintech editorial publication — all reach the same conclusion in the same week, the finding stops being an opinion and starts being a documented fact about the current state of enterprise AI. The gap between governance on paper and governance in practice is the defining enterprise risk of 2026. And the data this week proves it from four directions simultaneously.

Organizations across every segment of the market have built governance frameworks, written policies, and assigned ownership. Almost none of them have built the accountability infrastructure that makes those frameworks function in practice. That gap — between documented governance and operational governance — is what four independent sources confirmed this week from four completely different angles.

87% of organizations say they have some form of AI governance in place — AAA Survey, May 2026

22% say those governance systems are actually operating effectively — AAA Survey, May 2026

35% of middle market companies use formal AI governance frameworks — RSM Cybersecurity Report, May 2026

Source One

87% Have Governance. 22% Say It Works

Research — May 14, 2026

From Principles to Practice: A Benchmark Study in AI Governance · American Arbitration Association (AAA-ICDR Institute™)

Survey of 500 senior legal and executive leaders at large US and Canadian organizations, 70% with revenue of $1 billion or more, across financial services, technology, healthcare, energy, manufacturing, professional services, and legal services.

The AAA survey is the most important piece of data released this week — and not because of any single finding. The important thing is the gap it exposes. 87% of respondents say their organizations have some form of AI governance in place. Only 22% say those systems are operating effectively. That 65-point gap between having governance and having governance that works is the clearest single measurement of the problem that the entire week's coverage is circling around.

The AAA survey identified three specific areas where that gap lives. Only 33% of organizations have defined escalation pathways when AI systems misbehave — meaning two thirds of organizations have no documented process for what happens when something goes wrong in production. Just 22% say they are very confident they could produce evidence of governance decisions for regulators or auditors. And while 80% report that IT or technology teams contribute to AI governance, only 35% report involvement from legal and compliance teams.

"Governance is a cross-functional business imperative, not just a technical or legal concern. Without effective collaboration and oversight, organizations expose themselves to regulatory scrutiny, reputational harm, and loss of trust."

Bridget McCormack, President and CEO, American Arbitration Association — May 2026

McCormack's framing is the right one. Governance sitting exclusively in the technology function — with no legal, no compliance, no defined escalation path — produces exactly the 65-point gap the survey found. The policies get written by people who understand technology. The accountability structures that make those policies function in practice get skipped because nobody with escalation authority and accountability obligation was at the table when the governance program was designed. That structural absence is what the AAA survey measured. It's also what connects directly to what RSM found in the middle market.

RSM's Middle Market Report: AI Adoption Is Racing Ahead of Governance

Research — May 13, 2026

Middle Market Business Index (MMBI): Cybersecurity Special Report 2026 · RSM US LLP

Survey of 501 middle market executives conducted January 6–30, 2026. Covers AI adoption, governance maturity, cybersecurity investment, and identity controls across middle market firms.

If the AAA survey documents the gap at large enterprises, RSM's middle market report documents it cascading down the supply chain — and accelerating. Middle market companies are racing into AI faster than they are building the governance, identity controls, and cybersecurity frameworks needed to manage it. Only 35% of middle market executives report using formal AI governance frameworks. Companies are primarily relying on staff training on responsible AI use, alongside emerging but inconsistently enforced controls. Governance structures remain fragmented, and AI-centered security controls trail far behind adoption trends.

"Organizations are accelerating AI adoption, but many don't yet have a clear destination or a governance model to guide them. This is a pivotal moment: companies can continue operating reactively and play catch-up as risks emerge, or they can be intentional about secure AI adoption now."

Daniel Gabriel, Principal, RSM US LLP — May 2026

The confidence gap in the RSM report is striking. Nearly one in four middle market organizations reported a ransomware attack or demand in the past year, and 18% experienced a data breach. Yet 96% of executives expressed confidence in their cybersecurity posture. That disconnect — widespread incidents alongside near-universal confidence — is the same pattern the AAA survey found in governance: organizations believe their programs are working while the evidence shows they're not. RSM's finding on identity is the most pointed: only 23% of middle market companies prioritize digital identity management, despite identity-based attacks remaining one of the most common entry points for ransomware, and despite identity controls being a critical requirement for governing AI-enabled platforms specifically.

"AI use amplifies current state identity risk within an organization. If identity controls are weak or poorly governed, AI will scale that risk instantly."

Omer Arshed, Partner, RSM Canada — May 2026

Arshed's point here connects directly to what GAIG documented in "Your Agents Are Running and Nobody Owns What They Do." When an agent operates under a service account with permissions that were never formally reviewed, the identity risk is real and immediate. 77% of middle market companies are deprioritizing the exact control — identity management — that matters most for governing what their AI systems can reach and do. The governance framework exists on paper. The identity controls that make it enforceable are absent.

Source Three

Grant Thornton: The Regulatory Consequence for Financial Services

Regulatory Analysis — May 14, 2026

Why Financial Service Providers Need an AI Systems Program · Grant Thornton Advisors LLC

Analysis of Michigan Department of Insurance and Financial Services Bulletin 2026-03-BT/CF/CU — one of the most detailed state-level AI supervisory frameworks issued in the US to date — and its implications for financial service providers nationally.

Grant Thornton's piece shifts the conversation from voluntary governance maturity to regulatory consequence. Michigan's Bulletin 2026-03-BT/CF/CU, released January 14, 2026, requires all financial service providers in the state to develop, implement, and maintain a written AI Systems Program. The bulletin explicitly states that compliance with standards is required regardless of the tools used to make decisions, and that examiners may request detailed information on specific models, AI systems, and their applications.

The four pillars Michigan's bulletin establishes — general guidelines, governance, risk management and internal controls, and third-party AI systems — describe exactly the infrastructure the AAA survey found is missing at scale. Defined accountability structures. Escalation protocols. Model inventories with documentation of purpose, development, and validation. Ongoing monitoring with bias analysis. Contractual audit rights over AI vendors. These requirements are specific, operational, and examination-ready — meaning organizations that have policy documents but no operational implementation will fail scrutiny.

"Modern AI doesn't just carry risk at the point of deployment — it generates risk continuously as it operates. That's why runtime AI governance is essential: real-time monitoring, dynamic guardrails, and live auditability give organizations the confidence to scale AI rapidly without sacrificing control. Policies, reviews, and approval workflows alone are not enough."

Vikrant Rai, Managing Director, Cyber & Risk Advisory, Grant Thornton Advisors LLC — May 2026

Rai's point — that policies and approval workflows alone are insufficient — is the Grant Thornton version of the same thesis the AAA and RSM data support. Michigan's bulletin is already being watched as a potential model for other states. Grant Thornton explicitly notes that similar to the nationwide impact of the California Privacy Rights Act, state-level AI regulation could drive broader regulatory change management expectations. Organizations operating outside Michigan should treat this bulletin as a preview of what's coming.

"Organizations should be establishing clear policies that define accountability for AI decision-making, building monitoring frameworks that track compliance in real time and assessing their current state to close gaps before examiners find them. The institutions doing this work now are the ones that will scale AI with confidence."

Leslie Watson-Stracener, Partner, Regulatory Compliance Solutions, Grant Thornton Advisors LLC — May 2026

Finextra: AI Governance Is the Missing Layer

Editorial — May 2026

AI Governance Is the Missing Layer in Fintech AI Deployment · Finextra

Editorial analysis of AI governance gaps in fintech deployment — arguing that the infrastructure organizations need to govern AI responsibly is consistently absent even as adoption accelerates across the sector.

Finextra's framing is the sharpest of the four: AI governance is the missing layer. It says the layer doesn't exist, not that it exists but needs improvement. And the data from the other three sources confirms the structural reading. The AAA found that 65% of organizations with governance frameworks have systems that don't operate effectively — the layer exists on paper but functionally is absent. RSM found that 65% of middle market companies have no formal governance framework at all — the layer is literally missing. Grant Thornton found that regulators are now requiring the layer to exist with specific operational content — and organizations that have documentation without implementation will fail examination.

Taken together, these four sources form a complete picture of where the market actually stands. Large enterprises have governance frameworks that don't produce governance outcomes. Middle market companies have AI adoption without governance frameworks at all. Financial services regulators are requiring governance infrastructure that most organizations haven't built. And the pattern holds regardless of company size, sector, or geography — because the root cause is the same everywhere: organizations built policies when they needed accountability structures, and now the policies exist but the systems that make them real do not.

This is the self-reporting gap that makes the problem persist. The AAA survey found that organizations with more extensive AI deployments tend to have stronger governance practices and greater confidence in their ability to demonstrate decisions under scrutiny. The organizations that don't have extensive deployments — who are still in early-stage AI adoption — are the ones carrying the most unacknowledged exposure. They have enough deployment to generate real risk and not enough governance maturity to know it. The confidence is highest exactly where the controls are weakest.

The Connection to GAIG's Work

GAIG documented the governance-versus-documentation gap directly in the Workday lawsuit analysis — a case where documented governance failed examination because the accountability structures that should have caught the failure were never built. This week's four sources confirm that pattern is systemic. The Workday case is the most expensive documented illustration of what the AAA's 65-point gap looks like in federal court.

The Gap Closes One Way: Building the Layer That Was Always Missing

Four independent sources confirmed the same finding this week. The self-reporting gap is real and consistent across market segments. The regulatory consequence is arriving in financial services and will spread. The middle market is accelerating AI adoption faster than governance can follow. And the problem is structural — it requires building accountability infrastructure.

The AAA survey identified the three places where governance programs most commonly break down in practice: escalation pathways, audit readiness, and legal/compliance involvement. Organizations can address all three without replacing existing governance frameworks. Escalation pathways require named owners and documented SLAs — not new technology, just accountability structure applied to the signals that already exist. Audit readiness requires evidence of human decisions in response to system events — not a new compliance program, just the documentation discipline to record what actually happened. Legal and compliance involvement requires a seat at the governance table before deployment, not after an incident.

The Michigan bulletin gives financial services organizations the most specific operational checklist available from any US regulator to date. Grant Thornton's reading of it is the right frame for any organization in any sector: treat this as a preview of what's coming, close the gaps now, and the examination that eventually arrives will confirm a program that was built to hold up rather than documenting one that was assembled after the fact.

RSM's framing for the middle market is equally direct: companies can continue operating reactively and play catch-up as risks emerge, or they can be intentional about secure AI adoption now. The window is open. The data this week describes where organizations are. The organizations that read it honestly — acknowledging that having a governance framework and having a governance program that works are genuinely different things — are the ones that will close the gap before it costs them.

Our Take

AI Governance Take

The 65-point gap the AAA documented — 87% say they have governance, 22% say it works — is the most important number in enterprise AI right now. It tells you that the majority of organizations believe they are governed, which means they are not motivated to close the gap they don't know they have. That's the specific failure mode that makes this problem so persistent. Organizations that believe their programs are working don't look for what's missing.

The accountability infrastructure that closes that gap has three components that the week's four sources collectively identify. Named escalation paths with documented SLAs — the AAA's finding that 67% of organizations lack these is the clearest gap to close first. Audit trails that capture human decisions in response to system events — not logs of what the AI produced, but records of what named humans decided when signals surfaced. And legal and compliance involvement in governance before deployment — the structural change that makes governance cross-functional rather than a technology function with policies nobody else reviews.

Michigan's bulletin represents the regulatory trajectory. Grant Thornton said it plainly: similar to CCPA's nationwide impact, state-level AI regulation will drive broader regulatory change. Organizations that build the layer now — the operational, accountable, audit-ready governance infrastructure that all four sources this week confirmed is missing — will have examination-ready programs when that regulatory trajectory arrives. The organizations that wait will be building it under scrutiny.
