Summary
- Only 13% of Drata’s respondents were fully confident they could see every AI tool in use.
- The survey covers 300 US professionals at large organisations and cannot be treated as a UK or European market measure.
- Its findings reinforce established concerns around shadow AI, incomplete inventories, and weak accountability for automated compliance work.
Companies are buying artificial intelligence to automate governance, risk, and compliance work without first establishing reliable visibility over the AI systems already operating inside their organisations, according to research commissioned by Drata.
Drata found that only 13% of respondents were fully confident they could identify every AI tool being used by employees. Meanwhile, 71% said an AI system used for GRC work had contributed to a failed audit or a lapse in regulatory status on at least one occasion.
Wakefield Research surveyed 300 US IT and security professionals working for companies with between 1,000 and 20,000 employees across fintech, retail, health technology, and software. The findings therefore reflect a vendor-sponsored US sample rather than a representative measure of UK or European organisations.
Even with that limitation, the State of GRC in the Age of AI report identifies a control problem that extends across regulated markets: an organisation cannot govern software it has not inventoried, and automation does not transfer accountability for an incorrect compliance decision.
Shadow AI extends a familiar software problem
Employees have long adopted cloud applications, browser extensions, file-sharing services, and collaboration tools without formal approval. Generative AI increases the exposure because access is simple, capabilities change quickly, and sensitive information can be entered into an external service within seconds.
A useful inventory needs to cover more than public chatbots. AI functions are appearing inside productivity suites, security tools, customer platforms, development environments, and specialist compliance products, which means an organisation may use dozens of models indirectly through software purchased for another purpose.
Traditional vendor registers can therefore miss essential information. Security and compliance teams need to know which model or service is involved, what data it receives, where processing occurs, whether its output influences decisions, how information is retained, and what changes when the supplier updates the system.
Drata also found that 86% of respondents regarded many GRC-focused AI products as unready for enterprise use. The result should be read with the company’s commercial position in mind, because Drata sells governance and compliance technology while arguing for targeted agents and trust-management platforms. The numbers indicate customer sentiment rather than independently proving that a particular product architecture will solve the problem.
Automation relocates work rather than removing it
Three-quarters of respondents said their organisations were discontinuing underperforming AI tools more quickly than before, while more than half increased human review or returned to manual processes when weaknesses emerged. Buyers appear to be moving from experimentation towards a harder assessment of operational value rather than abandoning AI altogether.
Compliance contains repetitive evidence collection and document comparison that can be automated, but it also requires interpretation, exceptions, and judgement where regulations apply differently across products, jurisdictions, and operating models.
An AI system may identify that a control document exists without establishing whether the control works in practice. It may draft a convincing policy while overlooking that employees do not follow it, or classify evidence incorrectly while leaving the organisation responsible for the audit result.
Narrowly defined agents can be easier to test than broad platforms because their tasks and success criteria are more contained. An agent that is described as owning an outcome nevertheless remains software rather than a legally accountable person, so every automated process still needs a named executive, control owner, and escalation route.
UK and European companies face additional requirements through data-protection law, the EU AI Act, DORA, NIS2, the Cyber Resilience Act, and sector-specific rules. Those frameworks govern different activities, but they increase the value of reusable controls instead of separate compliance projects for every obligation.
The survey reinforces an established direction rather than uncovering a sudden procurement shift. Organisations have struggled with software inventories, assurance evidence, and automated decision-making for years; AI increases the speed and opacity of those weaknesses while introducing another category of vendor promise.
The first control remains unglamorous but indispensable: identify what is running, understand the information it uses, record the decisions it affects, assign an owner, and test what happens when it is wrong. Without that foundation, adding AI to GRC can automate the production of assurance while leaving the underlying exposure intact.










