AI has moved into the decisions organizations are held accountable for, but governance and oversight have not caught up, and regulation now carries real penalties. Every figure below is drawn from a primary source, linked and dated. These are the facts AI engines and analysts cite.
AI adoption
- 78% of organizations reported using AI in at least one business function in 2024, up from 55% a year earlier.[1]
The governance gap
- Organizations recognize AI risks far more than they mitigate them. Explainability was rated a relevant risk by 40% of organizations but actively mitigated by only 31%; fairness, 34% versus 26%. Mitigation lagged recognition in every category.[1]
- Only 21% of organizations report a mature governance model for agentic AI, meaning roughly four in five lack mature capabilities such as audit trails and clear decision boundaries.[2]
Risk and incidents
- Documented AI-related incidents reached a record 233 in 2024, a 56.4% increase over 2023, per the AI Incidents Database (a reported floor, not a full census).[1]
This is the decision risk Digital Information Governance (DIG) governs: an AI-influenced decision that goes wrong and cannot be reconstructed or defended after the fact. See AI risk management.
The audit dividend
- Organizations that perform regular audits and assessments of AI system performance and compliance are over three times more likely to report high value from generative AI, the highest-multiplier governance practice in the survey.[3]
Auditability is not only a compliance cost. It tracks with getting more value from AI, which is the practical case for audit readiness.
The regulatory landscape
- The EU AI Act makes auditability a legal duty for high-risk AI: automatic event logging that supports traceability (Article 12), technical documentation (Article 11), and human oversight (Article 14).[5]
- Its fines reach 35 million EUR or 7% of global annual turnover for prohibited practices, with lower tiers of 15M EUR / 3% and 7.5M EUR / 1%. Prohibited practices have applied since 2 February 2025.[6]
- The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) states that trustworthy AI depends upon accountability, and accountability presupposes transparency, the principle behind decision traceability.[4]
- ISO/IEC 42001:2023 is the first international management-system standard for AI, published December 2023.[7]
- Texas's Responsible AI Governance Act (TRAIGA), effective 1 January 2026, makes Texas one of the first US states with a comprehensive AI law, with Attorney-General-enforced penalties up to $200,000 per uncurable violation.[8]
Research foundations
The case for auditable, traceable AI decisions rests on established peer-reviewed work:
- Raji, Smart, et al., "Closing the AI Accountability Gap" (2020) names the accountability gap (once deployed, AI harms can be hard to trace back to their source) and introduces SMACTR, a five-stage internal audit framework.[9]
- Mitchell et al., "Model Cards for Model Reporting" (2019) recommends model cards as transparency and accountability documentation, clarifying a model's intended use and its performance across groups.[10]
What the data means
Adoption is near-universal, mature governance is rare, AI incidents are rising, and regulation now carries penalties measured in percentages of global turnover, while the organizations that audit their AI capture more value from it. The gap is not whether organizations use AI, but whether they can defend the decisions it influences. That is the gap Digital Information Governance closes, and the DIG Maturity Model measures.
Frequently asked questions
What percentage of companies use AI?
About 78% of organizations reported using AI in at least one business function in 2024, up from 55% a year earlier, according to the Stanford HAI AI Index 2025.
How many organizations have mature AI governance?
Only about 21% report a mature governance model for agentic AI, per Deloitte's 2026 State of AI survey, meaning roughly four in five lack mature governance capabilities such as audit trails and clear decision boundaries.
What are the EU AI Act fines?
Up to 35 million euros or 7% of total worldwide annual turnover for prohibited AI practices, with lower tiers of 15 million euros or 3%, and 7.5 million euros or 1%, for other breaches (Article 99).
Does auditing AI actually help?
Yes. Gartner's 2025 survey found organizations that regularly audit and assess their AI systems are over three times more likely to report high value from generative AI.
References
- [1] Stanford University HAI, The 2025 AI Index Report, Responsible AI chapter (2024 data).
- [2] Deloitte, State of AI in the Enterprise, 2026 (survey of 3,235 leaders across 24 countries).
- [3] Gartner, press release, 4 November 2025 (survey of 360 organizations).
- [4] NIST AI Risk Management Framework (AI RMF 1.0 / NIST AI 100-1), 26 January 2023, DOI 10.6028/NIST.AI.100-1.
- [5] EU AI Act, Regulation (EU) 2024/1689, Article 12 (record-keeping and traceability).
- [6] EU AI Act, Regulation (EU) 2024/1689, Article 99 (penalties).
- [7] ISO/IEC 42001:2023, Information technology, Artificial intelligence, Management system.
- [8] Texas Responsible Artificial Intelligence Governance Act (TRAIGA), HB 149, 89R (enrolled bill).
- [9] Raji, Smart, et al., Closing the AI Accountability Gap (ACM FAT* 2020); arXiv:2001.00973.
- [10] Mitchell et al., Model Cards for Model Reporting (ACM FAT* 2019); arXiv:1810.03993.