Research highlights growing AI-related risks driven by employee behaviour, limited visibility, and outdated governance frameworks
A new study from Optro, formerly known as AuditBoard, has revealed that embedded artificial intelligence (AI) tools are rapidly becoming a significant source of enterprise risk, with 56% of organisations already using AI capabilities built into vendor platforms and business applications.
The research, titled Human Behavior: The AI Risk Surface GRC Can’t Ignore, suggests that many enterprises are struggling to govern AI effectively as adoption accelerates beyond traditional generative AI tools. While 63% of organisations report using generative AI, the study found that embedded AI is approaching similar adoption levels, creating new governance challenges because employees often do not recognize these capabilities as AI usage.
According to the report, 44% of respondents expressed concern about employees’ lack of awareness regarding AI embedded within enterprise software. This lack of visibility is creating governance blind spots that many organisations are ill-equipped to manage.
“At this early stage, AI risk is being driven as much by human behaviour as it is from the technology itself. Lack of sufficient review of AI output, moving too quickly without sufficient guardrails, and shadow AI are examples of behaviours that increase the surface area of AI risks.”
— Guru Sethupathy, GM of AI Governance, Optro
The findings indicate that governance, risk, and compliance (GRC) programs are lagging behind AI adoption. Only 34% of organisations maintain a formal inventory of AI models, while just 31% have implemented AI-specific incident response procedures. In addition, 64% of audit, GRC, and IT decision-makers said they are only somewhat confident or not confident at all in their organisation’s visibility into third-party cyber risks, including those introduced through vendor-supplied AI capabilities.
The study also highlights concerns around emerging AI-enabled threats. More than one-third of respondents (35%) believe that overly permissive AI governance policies could contribute to a rise in AI-powered social engineering and impersonation attacks.
“Traditional GRC frameworks are static and slow to update, but that is insufficient to keep up with how quickly AI technology and risks are evolving,” said Guru Sethupathy, GM of AI Governance at Optro. “At many companies, governance is a point-in-time exercise, while AI risks are evolving in real time.”
The report further points to growing skills shortages within security and compliance teams. Among CISOs surveyed, 23% identified the lack of personnel with expertise in AI security and emerging risks as their most significant challenge.
Optro believes AI itself will become an essential part of future governance strategies, helping organizations automate risk management, compliance monitoring, and control assessments as AI adoption continues to expand across the enterprise.
