AI governance gaps flagged

A lot of companies now trust artificial intelligence systems to act on the company’s behalf, but OutSystems says only 36% have a centralized artificial intelligence strategy and only 12% use a centralized platform to manage the sprawl. In the same survey of 1,900 information technology leaders, 94% said they are worried about that sprawl. (outsystems.com) That gap sounds bureaucratic until you picture what “governance” actually is. It is the boring rulebook that decides who can ship an artificial intelligence tool, what data it can touch, how its outputs get checked, and who gets blamed when it breaks. (nist.gov) The reason companies skip that rulebook is speed. OutSystems says 40% of organizations already see immediate returns from artificial intelligence in information technology development and productivity, so teams keep adding tools before anyone has finished drawing the map. (outsystems.com) That is how you end up with the artificial intelligence version of shadow information technology. One team plugs a chatbot into customer records, another uses a coding assistant on production software, and a third buys an agent tool with a corporate card, all under different rules. (outsystems.com) OutSystems has been warning about the same pattern for more than a year. Its December 4, 2024 application development survey found 62% of respondents already saw security and governance concerns from generative artificial intelligence, even while 81% were using it to help write code. (outsystems.com) Code is a good place to see the risk because bad governance there turns into real systems fast. In that 2024 survey, only 40% of respondents said they “mostly” trust generative artificial intelligence to write code without human help, and half said integrating artificial intelligence into existing workflows was significantly complex. (outsystems.com) Regulators are building their own rulebooks now, which makes internal gaps more expensive. The European Union’s Artificial Intelligence Act entered into force on August 1, 2024 and uses a risk-based system that puts different duties on developers and deployers depending on how the tool is used. (digital-strategy.ec.europa.eu) In the United States, the National Institute of Standards and Technology built its Artificial Intelligence Risk Management Framework around four jobs: govern, map, measure, and manage. The point is simple: you cannot control a system you have not inventoried, tested, and assigned to an owner. (nist.gov) When companies miss those basics, the damage usually shows up as a security bill before it shows up as a philosophy debate. IBM said the global average cost of a data breach reached $4.88 million in 2024, and more than one-third of breaches involved shadow data sitting outside normal controls. (ibm.com) So the OutSystems survey is less a warning about future artificial intelligence and more a snapshot of current enterprise behavior. Companies have moved from pilots to production, but many are still running with dozens of tools and no single dashboard, no shared policy, and no agreed answer to who is in charge. (outsystems.com)