The next AI governance problem is not theoretical – it is already inside the business. Employees are using copilots, SaaS agents and browser-based AI tools to get real work done, often before IT, security or leadership have decided what good use actually looks like.
But how can organisations support the evolving ways people work whilst maintaining visibility and control across an increasingly decentralized technology landscape?
Menlo Security reported a 68% surge in shadow generative AI usage in 2025, with 68% of employees using free-tier AI tools via personal accounts and 57% of those users inputting sensitive data. Reco’s 2025 State of Shadow AI report found that organisations manage an average of 490 SaaS applications, with only 47% formally authorised, creating a large and largely ungoverned attack surface for AI adoption.
That is why this cannot be treated as a compliance clean-up exercise. The issue is no longer just who is using which tool, but which systems are being touched, which decisions are being shaped, and which workflows are quietly being re-engineered. As AI begins to act rather than simply suggest, the question becomes: where does accountability now sit? In that context, governance has to become an operating discipline—built into the flow of work, not bolted on at the end.
This is also where the conversation needs to get more action-focused. Too much AI governance content still lives at the level of policy principles, risk lists and abstract frameworks. Those matter, but they do not tell a CIO, CISO or transformation lead what to do on Monday morning when three teams are already using copilots, one function has bought its own agent platform, and nobody can explain, in plain language, what is connected to what. That’s why WSAI brings you C-Suite enterprise leaders who are at the coal-face of these issues, demonstrating what has worked for them in practice, and offering actionable insights for safe, governed deployment.
The most useful mental shift is this: AI governance should not be designed as a brake on adoption. It should be designed as the set of controls that makes production-grade adoption possible. That is especially true as businesses move from assistants that draft and summarise toward agents that retrieve data, call tools, route work and trigger actions inside enterprise systems.
This is where several WSAI 2026 sessions are critical, such as “Orchestrating Agentic AI: Control, scale, and enterprise value,” “Why most AI strategies fail: The human side of scaling AI,” and “Engineering responsible AI systems at scale”. They all point toward the same conclusion: the hard part is not proving AI can work. It is building the controls, trust and operating discipline that let it work safely at scale.
Most organisations do not have an AI strategy problem first. They have a visibility problem. You cannot govern what you cannot see. And right now, a surprising amount of AI usage sits in the browser, in unsanctioned SaaS tools, in personal accounts, or inside isolated team-level deployments.
The good news is that this is becoming more operationally possible. Several vendors, such as Microsoft, now offer solutions where IT teams can curate which agents employees can install, apply granular access controls and track adoption across the organisation. That kind of internal AI catalogue matters because it creates a path out of chaos: not blanket bans, but visible, managed distribution.
A practical test for leaders is simple: can the organisation produce, within 30 days, a clear view of its top AI tools, top AI-enabled workflows, top data exposures and top ungoverned agents? If not, the governance conversation is still too abstract.
Many organisations are still trying to govern AI with approved-tool lists. That is understandable, but it is increasingly the wrong level of control. The real question is not whether ChatGPT, Copilot or another agentic tool is allowed in the abstract. The real question is which workflows can tolerate which kinds of autonomy, with which kinds of data, under which levels of human review.
This is where policy-by-workflow becomes much more useful than policy-by-tool. A low-risk internal drafting workflow is not the same as a customer-facing claims decision. A research assistant with read-only access is not the same as an agent that can trigger payments, update records or change supplier terms. Governance has to reflect those differences in consequence, not just vendor names.
Governance should be proportionate, practical and rooted in consequences for people, not just systems. If the efficiency trap is about protecting human capability, and the new operating model is about redesigning work around humans and agents, then governance is the mechanism that decides where those boundaries actually sit.
At minimum, organisations need to be able to answer six questions for any serious copilot or agent:
Who can access it?

If those questions cannot be answered clearly, the system is not governed, however polished the policy document may be.
This is where “governance-in-the-flow” becomes real. The control points should sit where work happens: identity and permissions at access, policy at data retrieval, validation before action, logging through execution, evaluation after outcomes, and escalation when thresholds are breached. In other words, the enterprise needs safety rails around actions, not just guidance around prompts.
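The control points listed above, and the policy-by-workflow distinction drawn earlier between a low-risk drafting workflow and a claims decision, can be made concrete. The following is an added illustration written for this page, not code from the original article or from any vendor or company it mentions: a small Python policy engine that evaluates an agent's proposed action against a per-workflow policy at each control point (identity at access, data class at retrieval, action and autonomy validation before execution, escalation on a threshold, and an append-only audit record). The workflow names, roles, data classes and the 10,000 escalation threshold are constructed assumptions, as is the `evaluate` API itself.

```python
"""Policy-by-workflow gate for copilot/agent actions (illustrative, constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class DataClass(Enum):      # ordered: higher value = more sensitive
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    REGULATED = 3


class Autonomy(Enum):       # ordered: higher value = more independent action
    READ_ONLY = 0
    DRAFT = 1
    ACT_WITH_APPROVAL = 2
    ACT = 3


@dataclass
class WorkflowPolicy:
    name: str
    max_autonomy: Autonomy
    max_data_class: DataClass
    allowed_roles: frozenset
    allowed_actions: frozenset
    human_review_required: bool = False      # consequential workflows need a person before action
    escalation_amount: Optional[float] = None  # monetary threshold; None means no threshold


@dataclass
class ActionRequest:
    principal: str
    role: str
    workflow: str
    action: str
    autonomy: Autonomy
    data_class: DataClass
    amount: float = 0.0


@dataclass
class Decision:
    outcome: str                     # "ALLOW", "REQUIRE_REVIEW", "ESCALATE" or "DENY"
    reasons: List[str] = field(default_factory=list)


# Constructed sample policies, not any real organisation's rule set.
POLICIES: Dict[str, WorkflowPolicy] = {
    "internal_drafting": WorkflowPolicy(
        "internal_drafting", Autonomy.DRAFT, DataClass.INTERNAL,
        frozenset({"employee"}), frozenset({"read", "draft"})),
    "claims_decision": WorkflowPolicy(
        "claims_decision", Autonomy.ACT_WITH_APPROVAL, DataClass.REGULATED,
        frozenset({"claims_handler"}), frozenset({"read", "draft", "approve_claim"}),
        human_review_required=True, escalation_amount=10_000.0),
}


class PolicyEngine:
    def __init__(self, policies: Dict[str, WorkflowPolicy]):
        self.policies = policies
        self.audit_log: List[dict] = []   # control point: logging through execution

    def evaluate(self, req: ActionRequest) -> Decision:
        policy = self.policies.get(req.workflow)
        if policy is None:                # an unregistered workflow is ungoverned: refuse by default
            return self._record(req, Decision("DENY", ["unknown workflow: not governed"]))
        reasons = []
        # Control point 1: identity and permissions at access
        if req.role not in policy.allowed_roles:
            reasons.append(f"role '{req.role}' not permitted for workflow '{policy.name}'")
        # Control point 2: policy at data retrieval
        if req.data_class.value > policy.max_data_class.value:
            reasons.append(f"data class {req.data_class.name} exceeds ceiling {policy.max_data_class.name}")
        # Control point 3: validation before action (allowlisted action, bounded autonomy)
        if req.action not in policy.allowed_actions:
            reasons.append(f"action '{req.action}' not in workflow allowlist")
        if req.autonomy.value > policy.max_autonomy.value:
            reasons.append(f"autonomy {req.autonomy.name} exceeds ceiling {policy.max_autonomy.name}")
        if reasons:
            return self._record(req, Decision("DENY", reasons))
        # Control point 4: escalation when a threshold is breached
        if policy.escalation_amount is not None and req.amount > policy.escalation_amount:
            return self._record(req, Decision("ESCALATE", [f"amount {req.amount} exceeds threshold {policy.escalation_amount}"]))
        # Human review before the agent is allowed to act in a consequential workflow
        if policy.human_review_required and req.autonomy.value >= Autonomy.ACT_WITH_APPROVAL.value:
            return self._record(req, Decision("REQUIRE_REVIEW", ["workflow requires human review before action"]))
        return self._record(req, Decision("ALLOW", ["within workflow policy"]))

    def _record(self, req: ActionRequest, decision: Decision) -> Decision:
        # Every evaluation, allowed or not, leaves an audit entry answering "who did what, where, and why"
        self.audit_log.append({"principal": req.principal, "workflow": req.workflow, "action": req.action,
                               "data_class": req.data_class.name, "outcome": decision.outcome,
                               "reasons": list(decision.reasons)})
        return decision


def run_demo() -> List[str]:
    """Evaluate a constructed set of requests and return the outcomes in order."""
    engine = PolicyEngine(POLICIES)
    requests = [
        ActionRequest("alice", "employee", "internal_drafting", "draft", Autonomy.DRAFT, DataClass.INTERNAL),
        ActionRequest("alice", "employee", "internal_drafting", "draft", Autonomy.DRAFT, DataClass.CONFIDENTIAL),
        ActionRequest("bob", "claims_handler", "claims_decision", "approve_claim", Autonomy.ACT_WITH_APPROVAL, DataClass.REGULATED, 2_500.0),
        ActionRequest("bob", "claims_handler", "claims_decision", "approve_claim", Autonomy.ACT_WITH_APPROVAL, DataClass.REGULATED, 50_000.0),
        ActionRequest("alice", "employee", "claims_decision", "read", Autonomy.READ_ONLY, DataClass.REGULATED),
        ActionRequest("carol", "employee", "shadow_agent_workflow", "update_supplier_terms", Autonomy.ACT, DataClass.INTERNAL),
    ]
    return [engine.evaluate(r).outcome for r in requests]


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the gate is keyed on the workflow, not on the tool: the same agent asking to draft an internal memo is allowed, asking to read confidential data in that workflow is refused, asking to approve a claim is held for review, and asking to approve a large claim is escalated, while any workflow that nobody registered is denied by default rather than silently permitted.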
What good looks like is not a world with zero experimentation. It is a world where experimentation is visible, risk is graded, and scaling happens through governed pathways rather than side doors. The companies getting ahead are not those with the loosest rules or the loudest AI messaging. They are the ones building managed routes into adoption: Expedia Group with secure environments for internal AI experimentation and measurable workflow impact, H&M Group with responsible AI frameworks and project-level checklists, and EY with an enterprise-scale agentic AI operating system designed around governance, orchestration and trust (all of whom you can see on the WSAI stage and in the InspiredMinds! Community Hub).
That is also what makes this such a practical leadership issue. Deloitte’s enterprise reporting has noted that early blanket restrictions are giving way to more nuanced governance frameworks based on use-case risk, data sensitivity and output consequentiality. The shift is important because it signals a move away from “can we allow AI?” toward a more serious question: “how do we allow the right AI, in the right workflows, with the right controls?”
The next stage of AI maturity will not be won by the organisations that simply roll out more copilots or agents. It will be won by those that make AI legible inside the business: visible enough to manage, governed enough to trust, and embedded enough to create real value without letting risk disappear into the workflow. For leaders trying to move from shadow AI to governed deployment, the WSAI AI Workforce Playbook offers a practical starting point for redesigning workflows, controls and human oversight around real enterprise use cases.
Inside the InspiredMinds! Community Hub, you’ll find deeper insights, expert perspectives, and practical discussions from the people building and deploying AI across Europe and beyond.