New research from CultureAI has revealed a growing gap between how AI is used in practice and how organisations believe it’s being controlled. Worryingly, the report found that while 72% of organisations believe they have full visibility into AI usage, 65% still report detecting unauthorised shadow AI, exposing a structural gap between perceived control and operational reality.
The research, titled The State of Enterprise AI Usage: The Illusion of Control, was conducted by Censuswide and features insights from 300 senior technology, security, and risk leaders from across North America and Europe.
Unsurprisingly, AI is widely used across teams, with 67% of security leaders reporting wide use across the organisation and 27% reporting use in specific functions. Currently, AI use is most notably focused on core functions like data analysis and RevOps (72%), software development and engineering (59%), and customer support (43%). Yet, the vast majority of respondents (91%) expect AI usage to grow across their entire organisation over the next 12 months, with 41% expecting significant growth. However, risk scales with usage. As exposure grows faster than controls, an organisation often has little time to prepare.
Nearly three-quarters (72%) of respondents report full visibility into AI usage, while 28% report only partial or no visibility. However, nearly two-thirds (65%) of respondents reported detection of unauthorised AI usage (shadow AI). This means that many tools, personal accounts, and embedded AI features remain invisible to traditional controls.
Most organisations express strong confidence in their visibility and governance posture, with formal frameworks, policies, and oversight committees now being common. However, unauthorised AI usage, limited detection and inconsistent enforcement capabilities remain widespread, creating an illusion of control: governance exists, but behaviour frequently escapes it.
Leaders consistently identify high-impact concerns such as compliance exposure (56%), data leakage via prompts and uploads (52%), credential compromise (40%), and intellectual property loss (39%). Despite this, nearly half (46%) of respondents rate AI risk as moderate or lower. Whilst organisations acknowledge AI risk, these risks are rarely escalated. This apparent contradiction reveals that leaders are not dismissing AI risk, but they are struggling to accurately quantify it in an environment where damage often occurs without an obvious breach, alert, or outage.
Most organisations have policies, committees, and training in place, but lack mechanisms that operate in real time at the point where AI risk is actually created: prompts, uploads, and embedded AI features inside SaaS tools. Nearly two-thirds (62%) of organisations report they have already implemented a formal AI governance framework, while a further third are actively developing one. Similarly, over two-thirds (67%) say they have established an AI or risk committee with explicit oversight responsibilities. However, this confidence sits alongside clear operational gaps, with 20% of respondents acknowledging that their policies are not actively enforced and more than a third lacking dedicated AI detection capabilities altogether.
Oliver Simonnet, Lead Cybersecurity Researcher at CultureAI, said: “Generative AI is now embedded across everyday workflows, often beyond traditional IT oversight. While many organisations believe they have governance frameworks in place, our research reveals a widening gap between perceived control and operational reality. The most significant AI risks in 2026 aren’t theoretical; they’re practical, high-probability risks tied to everyday use. Policies set intent, but without real-time enforcement at the point of use, risk is created quietly and at scale. To adopt AI at scale responsibly, businesses must move beyond policy and implement real-time, enforceable controls where risk is actually created.”




