A significant and growing chasm exists between the rapid adoption of artificial intelligence (AI) tools within organizations and the ability of governance, risk, and compliance (GRC) functions to effectively manage the associated risks. Recent surveys highlight widespread concerns among audit, GRC, and IT decision-makers regarding employee data input into AI, the prevalence of unapproved "shadow AI," and a lagging response in implementing essential safeguards. This disconnect is not only creating new vulnerabilities but also contributing to an alarming increase in AI-enabled cyberattacks.
The Pervasive Shadow of AI: Unseen Risks in the Enterprise
Data from a comprehensive survey conducted by GRC software provider Optro (formerly AuditBoard) reveals a stark reality: nearly two-thirds of audit, GRC, and IT decision-makers (62%) express apprehension about employees feeding sensitive corporate data into AI tools. This concern is further amplified by the widespread use of "shadow AI," where employees utilize unapproved AI applications without the knowledge or oversight of IT and governance departments. A substantial 59% of respondents indicated worry over this phenomenon.
The survey, which polled 822 leaders at companies generating at least $100 million in annual revenue and employing a minimum of 250 individuals, painted a concerning picture of preparedness. Despite acknowledged anxieties, a mere 18% of organizations reported actively blocking unauthorized AI domains. Only 34% of companies maintained an inventory of AI models, a crucial step in understanding and managing AI assets. Furthermore, a paltry 31% have established formal AI incident response procedures, leaving them ill-equipped to handle potential breaches or misuse.
Optro’s report emphasized the insidious nature of these AI-related risks, describing them as "daily behavior patterns happening right now, across every function, in tools often invisible to governance teams." This lack of visibility and control is directly contributing to a surge in sophisticated cyber threats.
The Alarming Rise of AI-Enabled Attacks
The Optro survey’s findings are further underscored by a significant uptick in AI-enabled attacks. A staggering 82% of respondents reported an increase in such attacks over the past year, with 39% noting a substantial escalation. The nature of these attacks is also evolving. Social engineering, a tactic that leverages psychological manipulation to trick individuals into divulging sensitive information or performing actions that benefit the attacker, has emerged as the top threat, with 61% of respondents observing an increase in its prevalence. This suggests that attackers are increasingly leveraging AI to craft more personalized, convincing, and scalable social engineering campaigns.
The implications of these trends are profound. Organizations that fail to adequately govern their AI usage risk not only data breaches and reputational damage but also significant financial losses due to operational disruptions and the costs associated with responding to and recovering from attacks. The rapid evolution of AI necessitates a proactive and agile approach to risk management, a challenge that many companies appear to be struggling to meet.
Governance Professionals Overwhelmed by Expanding Mandates and Limited Resources
Compounding the challenges presented by AI, governance professionals are grappling with an ever-expanding scope of responsibilities, often without a commensurate increase in team size. A recent survey by GRC software company Diligent revealed that nearly three-quarters (74%) of governance professionals reported their work’s scope had broadened significantly in the past two years. Alarmingly, almost half (46%) indicated that their workloads had increased without any corresponding growth in headcount.
Diligent’s survey, which included 309 senior governance practitioners from North America, Latin America, Asia Pacific, the Middle East, and Europe, pointed to technology gaps and escalating regulatory complexity as key drivers behind this amplified workload. Approximately 47% of respondents cited these two factors as the most significant barriers to effective governance.
The increasing complexity of the regulatory landscape, coupled with the rapid integration of new technologies like AI, places an immense burden on existing governance teams. This strain can lead to a dilution of focus, increased risk of oversight failures, and a diminished capacity to implement necessary controls and policies. The ability of governance functions to keep pace with these evolving demands is critical for maintaining organizational integrity and compliance.
UK Organizations Lagging Behind New Anti-Money Laundering Regulations
Across the Atlantic, a significant portion of UK compliance professionals are expressing concerns about their organizations’ readiness for upcoming amendments to national Anti-Money Laundering (AML) regulations. A survey conducted by VinciWorks, a provider of compliance eLearning and software, found that more than half of UK compliance professionals do not believe their organizations are adequately prepared for the new rules, which are slated to come into effect in late June or early July of 2026.
The survey revealed that 57% of compliance professionals polled stated their organizations had either not begun preparations or were uncertain about their progress concerning the 2026 amendments to money laundering and terrorist financing regulations. Only a small fraction, approximately 4%, reported having new policies already in place.
VinciWorks surveyed 334 compliance professionals across the UK’s legal, financial services, and accounting sectors. Despite the apparent lack of readiness for the regulatory changes, a surprising level of confidence exists regarding the efficacy of current AML training. More than three-quarters (77%) of respondents believe that existing AML training programs can be adapted to address the upcoming amendments.
However, Nick Henderson-Mayo, head of compliance at VinciWorks, cautioned against complacency. He stated, "The confidence figures look reassuring until you set them alongside the readiness data. That gap could be where firms get caught. Regulators do not accept good intentions as a defence." This sentiment highlights a potential disconnect between perceived preparedness and actual implementation, a gap that could lead to significant compliance failures and penalties. The upcoming AML regulations are a crucial component of the UK’s strategy to combat financial crime, and a lack of preparedness could undermine these efforts.
Chief Legal Officers See Significant Compensation Growth
In a contrasting trend, Chief Legal Officers (CLOs) within major publicly traded companies in the United States have experienced substantial increases in their compensation. According to a joint survey by The Conference Board, Major, Lindsey & Africa, and ESGAUGE, CLOs at S&P 500 and Russell 3000 companies saw double-digit percentage increases in their pay packages between 2022 and 2025.
The median compensation for CLOs at S&P 500 companies surged from $3.3 million to $4.2 million, representing a 27% rise. Similarly, CLOs at Russell 3000 companies experienced an 11% increase, with median compensation growing from $1.9 million to $2.1 million during the same period.
The study also noted a growing trend of companies opting to hire CLOs from external sources rather than promoting from within. The proportion of external hires rose from 50% to nearly 60%, suggesting a demand for specialized experience and a willingness to recruit from a broader talent pool.
The survey also shed light on gender-based compensation disparities. While the share of women CLOs in S&P 500 companies remained relatively stagnant at around 40%, it saw a modest increase from 33% to 35% at Russell 3000 companies. Notably, among S&P 500 companies, women CLOs earned less than their male counterparts, with a median compensation of $3.8 million compared to $4.2 million. However, at Russell 3000 companies, the median compensation for both women and men CLOs was equal at $2.1 million. This data suggests that while progress is being made in gender representation within legal leadership, pay equity remains an area for continued focus. The rising compensation for CLOs reflects the increasing strategic importance and complexity of legal and compliance functions within large corporations.
