Introduction
What separates organizations whose AI governance actually works from those whose policies sit on a shelf?
A new benchmark study from the AAA-ICDR Institute™, “From Principles to Practice: A Benchmark Study in AI Governance,” sets out to answer that question. The report draws on a quantitative survey of 500 senior legal and executive leaders (general counsel, technology leaders, and C-suite executives) at organizations with annual revenues of $100 million or more. In-depth qualitative interviews with leaders across sectors supplemented the survey.
The findings illuminate the current state of AI governance, the structural reasons frameworks fail to translate into practice, and what distinguishes more mature programs. The central tension: AI adoption has raced ahead, but governance has not kept pace. Nearly nine in 10 organizations have a formal governance framework, but only about one in five say it actually works. Closing that gap, the data suggests, involves setting accountability, sustaining cross-functional collaboration, and embedding governance across the full AI lifecycle.
Good AI governance is not a one-time, set-it-and-forget-it activity. It’s an ongoing practice.
AI Adoption Is Widespread. Governance Maturity Is Not.
According to the survey, 74% of organizations are implementing AI at a moderate or extensive level, and 30% say it has become integral to operations. Only 26% still limit use to pilots or isolated applications.
What has not kept pace is governance. While 87% of organizations have formal AI governance principles or policies in place, only 22% say those structures work effectively in practice. Most respondents (56%) describe their governance as having good structures but inconsistent execution. Another 20% see a significant gap between policies and practices. Frameworks exist on paper. Operational discipline often does not.
The headline gap: 87% of organizations have a governance framework. Just 22% say it actually works.
Trust Hinges on Provable Governance
Governance is as much about building trust as it is about mitigating risk. And most organizations cannot yet convincingly demonstrate either. Only 22% of respondents are very confident they could produce sufficient evidence of their AI governance decisions to regulators, auditors, or courts if required. Another 72% are only somewhat confident.
This is not a hypothetical concern. As regulatory scrutiny intensifies, the inability to show one's work creates direct exposure to legal, reputational, and commercial risk. There is, however, an encouraging signal in the data: among organizations with extensive AI deployment, confidence in audit readiness jumps to 61%. Experience seems to clarify just how much rigor effective governance actually demands.
Cross-Functional Collaboration Is the Top Differentiator
When asked what most separates organizations with effective AI governance from those that struggle, 68% of respondents cited strong collaboration among legal, technical, and business teams. It was the single highest-cited differentiator in the survey.
Achieving that collaboration is another matter. Only 11% of respondents describe the relationship between their legal and technical teams as highly collaborative, while 23% describe it as minimal or narrow. Governance participation skews heavily toward IT, with IT contributing to AI governance decisions in 80% of organizations. In contrast, legal and compliance teams are involved in just 35%.
The consequence is governance that may satisfy an internal audit but struggles under broader regulatory scrutiny at the state, federal, and international levels. One senior legal professional at a global pharmaceutical company described it this way: the digital team often gets "70% of the way" through scoping a new system before legal is brought in — leaving the remaining 30% as gaps that legal and compliance have to surface late in the process.
80% of organizations involve IT in AI governance. Just 35% involve legal and compliance.
The Failure to Operationalize Is Not a Resources Problem
The natural assumption when governance falls short is that the organization needs more budget, more staff, or better tools. The data does not support that explanation. Only 6% of respondents identify adequate resources as the factor that most separates effective governance from ineffective governance, the lowest-ranked option in the survey.
Instead, the breakdowns concentrate in execution-critical areas: incident response and escalation (58%), risk classification and scoping (57%), and technical requirements definition (57%). These are not peripheral failures. They are core governance functions, and the data indicates they are not consistently embedded into day-to-day workflows.
Governance Collapses Further Along in the AI Lifecycle
Perhaps the most striking pattern in the research is the drop-off in governance attention as an AI system moves from concept to retirement. Most organizations apply governance during the development and testing phase (72%), but coverage drops sharply once a system goes live. Only 37% apply governance protocols at deployment readiness, 44% at post-deployment monitoring, and just 4% at retirement or decommissioning.
The picture for incident handling tells a similar story. Only 33% of organizations have a clear escalation process with defined resolution pathways when AI systems misbehave, while 42% handle incidents informally on a case-by-case basis. Moreover, only 28% have a systematic process for integrating lessons learned back into their governance frameworks. Without that feedback loop, organizations are not building institutional knowledge from the issues they encounter. They handle each one in isolation and often forget the lessons learned.
72% govern during development. Only 4% govern at retirement.
Maturity Correlates with More Complete Governance
The organizations farthest along in their AI deployment also tend to have the most rigorous governance. Among those with extensive AI deployment, 63% have a clear escalation process, compared with just 3% of organizations with limited deployment. Sixty percent systematically integrate lessons learned, versus 0% in the low-maturity group. And 100% of extensively deployed organizations describe the relationship between their legal and tech teams as at least moderately collaborative.
These organizations treat governance as a continuous, adaptive discipline rather than a one-time policy exercise. They build feedback loops, train staff regularly, and adapt their frameworks as the technology and its risks evolve. As one senior legal professional at a global pharmaceutical company put it, "Living governance is a lot more challenging than just policy setting."
A point reinforced throughout the qualitative interviews is that operational governance also depends on whether the people meant to use it actually understand it. A senior executive at a global energy company framed it bluntly: "You can put whatever controls fit your particular company's needs, but unless you train people on it, it doesn't matter what your governance says."
Demand for External Guidance Is High
Given the difficulty of building governance in-house, it is not surprising that 72% of organizations have already sought or plan to seek external guidance on AI governance. That figure rises to 89% among organizations with extensive AI deployment.
Even more interesting is what those organizations are looking for in their external advisors. Only 11% rate neutrality as a top factor in credibility. By contrast, respondents prioritize deep technical understanding of AI systems (62%), transparency about the advisor's own governance practices (61%), and practical implementation experience (56%). Organizations want practitioners, not theorists — advisors who have built and operated AI governance in the real world.
The Bottom Line
Organizations broadly understand what effective AI governance requires. They have clearly named the differentiators: cross-functional collaboration, dedicated governance roles, executive sponsorship, and practical, adaptable frameworks. The challenge is doing all of that consistently, operationally, and across the full lifecycle of the systems they are deploying.
Frameworks alone are not enough. What separates the organizations pulling ahead is sustained practice: governance treated as an operational discipline, legal and technical functions working together rather than in silos, and the ability to demonstrate, not just assert, that AI systems are being managed responsibly. In a landscape where the technology is moving this fast, that commitment is what builds the kind of trust that regulators, partners, customers, and employees will increasingly require.