Building AI Governance Discipline Before You Need It: AI Maturity Level Insights from Our Benchmark Survey

When AI governance is viewed by industry or functional role, the differences can be subtle. But slicing the same survey data by an organization’s maturity level in AI implementation produces a clearer picture: organizations using AI extensively are more likely to report governance practices that are enforceable, documented, cross-functional, and supported by clear evidence of compliance. 

These findings come from the American Arbitration Association® (AAA®) report "From Principles to Practice," a benchmark study in AI governance based on a survey of 500 senior legal and executive leaders across the United States and Canada at organizations with annual revenues of $100 million or more. The survey groups respondents’ organizations into three AI maturity levels: extensive use, moderate use, and limited use. 

The lesson to be drawn from the data is that organizations should not wait until AI is deeply embedded before they determine an effective way to govern it. Governance should be built alongside AI systems, not treated as an afterthought. Organizations still early in their AI journey have a golden opportunity to build discipline before a tangle of fragmented tools, unclear ownership, and undocumented decisions becomes hard to unwind. 

The Governance Gap Widens with Lack of AI Experience 

Sixty percent of organizations using AI extensively report an actively enforced AI governance framework, compared with 5% of moderate users and 1% of limited users. The same divide appears in lifecycle maturity: 45% of the most AI-mature organizations report advanced governance, with regular monitoring and continuous improvement, while 11% of moderate users and none of the limited users say the same. 

The gap goes much deeper than superficial policies and procedures. Ninety-four percent of those using AI extensively say AI governance principles have been translated into technical controls, compared with 62% of moderate users and 29% of limited users. And 58% of organizations using AI extensively say governance works effectively in practice; that falls to 10% among moderate users and to zero among limited users. 

 

Governance Should Mature Alongside AI Adoption 

In more mature organizations, governance tends to be built in already. Extensive AI users are far more likely to rely primarily on formal oversight processes, integrate functional expertise equally and effectively, document governance roles, and have clear paths for incident escalation with well-defined decision-making authority.

AI governance fails when execution does not mirror policy. A framework may set out the right principles, but someone still has to decide who owns the risk, whether controls are sufficient, how a disputed output is escalated, and what evidence is preserved. Building good governance habits early is easier than retrofitting them after AI use spreads. 

 

Evidence-Collection Is the True Test of AI Maturity 

The clearest mark of AI maturity is not extensive use of AI. Rather, it is being able to point to comprehensive evidence that the use of AI is being appropriately governed. Sixty-one percent of extensive AI users report a comprehensive AI systems inventory, compared with 5% of moderate users and 2% of limited users. The same 61% of extensive users are very confident they could produce complete and auditable evidence of governance decisions, while only 7% of moderate users and no limited users report that level of confidence. 

Extensive AI users are also more likely to close the loop when issues arise. Sixty percent say that lessons from AI governance issues consistently drive framework updates, compared with 24% of moderate users and 0% of limited users. For organizations still early in adoption, that is a roadmap: start tracking use cases, documenting decisions, and learning from issues now, while the governance system is still manageable. 

 

Governance Activity Is Not the Same As Governance Maturity 

AI governance committee involvement does not rise steadily with implementation maturity, and having oversight checkpoints across the AI lifecycle is not the same as having mature governance. Limited AI users are more likely than extensive users to report ongoing monitoring after deployment, which may reflect narrower AI portfolios or different interpretations of monitoring. 

What separates AI-mature organizations is the connection among activity, authority, evidence, and continuous improvement. A committee, checkpoint, or monitoring practice matters most when it is tied to documented decisions, clear ownership, and a learning process that changes the governance framework over time. 

Takeaway 

AI governance should not be treated as a cleanup project after adoption accelerates. Organizations earlier in their AI journey should build the basics now: a reliable inventory, documented roles, clear escalation, technical translation, evidence collection, and feedback loops. Those disciplines are easier to establish before AI becomes integral to operations, and they let governance scale with maturity rather than chase it from behind. 

Download the Full Report 

Download "From Principles to Practice" to learn what organizations with more mature AI governance programs are doing differently, including how they connect legal, technical, and business teams, assign clear authority, and document governance decisions for regulators, auditors, courts, and other stakeholders. 


June 04, 2026
