AI is spreading across enterprise risk functions, but confidence in those systems remains uneven, according to AuditBoard. More than half of organizations report implementing AI-specific tools, and many are training teams in machine learning skills. Yet few feel prepared for the governance requirements that will come with new AI regulations.
AI experimentation increased in May and June 2025, then dropped in July as acceptance rates fell and decision times lengthened. That volatility shows how many teams are eager to test new tools but lack governance structures that build lasting trust in their results.
The middle maturity trap
Across industries, many organizations are caught in what AuditBoard calls the “middle maturity trap.” Teams are active, frameworks are updated, and risks are logged, but progress fades after early success.
When boards include risk oversight as a standing agenda item and align on shared performance goals, activity becomes consistent and forward-looking. When governance and ownership are unclear, adoption slows and collaboration fades.
Control maturity depends on governance
Controls translate policy into daily practice, but adoption speed and reliability often lag. In May 2025, teams acted quickly on suggested controls. By June, response times slowed, and July showed only partial recovery.
Many boards still treat risk oversight as an occasional topic. About half of enterprises do not include it as a regular agenda item. Leaders who tie control adoption to governance structures maintain consistent progress, while others rely on last-minute compliance.
As expectations expand across AI, cybersecurity, and environmental reporting, the ability to adopt controls will shape resilience.
Frameworks expand, depth still lacking
Many enterprises are adopting or updating risk frameworks, but implementation depth varies. The typical organization maps its controls to several frameworks, while leading firms embed thousands of requirements into daily operations.
The report warns that “surface compliance” is common. Breadth without depth leaves gaps that only appear during audits or disruptions. Mature programs treat frameworks as living systems that evolve with business and regulatory change.
Collaboration remains fragile
Collaboration among audit, risk, compliance, and information security teams is often inconsistent. In July 2025, telemetry showed a brief rise in cross-functional activity, followed by a drop.
Teams tend to coordinate only during audits or regulatory events. Leaders make collaboration routine through joint meetings and shared performance goals.
Enterprises that build collaboration into workflows identify and resolve risks faster. Those relying on ad hoc coordination face duplicated work and slower responses.
Risk logging remains a weak spot
The discipline of logging risks and tracking issues is still uneven. In many cases, teams create action plans without recording a related risk first, showing a reactive habit rather than structured management.
Organizations that assess risks several times a year perform better. Continuous monitoring improves visibility and strengthens remediation. Until risk capture becomes a steady management habit, enterprises will struggle to anticipate problems early.
Governance defines maturity
AuditBoard groups its findings into five dimensions: AI and automation, control maturity, frameworks and coverage, collaboration, and risk and issue discipline. Governance ties the entire system together, setting the structure that makes collaboration, control adoption, and risk discipline sustainable.
Enterprises that define ownership and maintain regular reviews make steady progress. They link audit, risk, compliance, and information security under shared goals rather than separate structures.
For organizations still navigating the middle maturity trap, the path forward is to strengthen governance clarity, execution discipline, and integration. As AI reshapes risk and regulation grows more complex, consistency will separate mature programs from reactive ones.
From oversight to foresight
The findings show that many organizations are investing heavily in risk management and AI, but maturity depends less on technology and more on integration. Advanced organizations use governance to connect teams and turn data into foresight.
AuditBoard’s research suggests that as AI becomes more embedded in enterprise systems, risk leaders will need to move beyond activity and focus on consistency. Those that do will be better positioned to anticipate change and turn risk management into a strategic advantage.
“Our data shows that enterprises are eager to experiment and invest, but the intent is not translating into reliable execution. The key difference between leaders and laggards is not budget, but the discipline to embed governance, ownership, and cadence across all risk dimensions,” said Happy Wang, Chief Product and Technology Officer at AuditBoard.