Nearly 90% of Companies Lack a Named AI Governance Framework, Survey Finds; Complaint Mechanisms Present at Just 2.3%

The Corporate AI Governance Report 2025 from AICDI Global Insights presents a detailed quantitative baseline of corporate AI governance maturity across a global company sample. The headline figures are stark: fewer than 1 in 8 organizations have documented human oversight policies for AI systems, and fewer than 1 in 40 maintain a formal complaints channel dedicated to AI-related harms or disputes. The report examines four structural dimensions where gaps are most pronounced: board-level oversight of AI risk, escalation pathways for AI incidents and failures, workforce mechanisms for raising AI-related grievances, and the adoption of any named governance framework such as ISO 42001, the NIST AI RMF, or the EU AI Act compliance requirements. The 90% figure for framework non-adoption is particularly significant because most emerging regulations, from the EU AI Act to Colorado SB 205 and the Texas Responsible AI Governance Act, explicitly require or strongly expect documented, named governance programs as a prerequisite for demonstrating compliance.

The governance challenge exposed by these findings is not merely a documentation problem. It reflects the absence of foundational program infrastructure that compliance, legal, and risk functions need before they can operationalize any specific regulatory requirement. Human oversight policies, for example, are a prerequisite control for high-risk AI applications under the EU AI Act and are implied by the NIST AI RMF's GOVERN and MANAGE functions. When only 13% of organizations have formalized such policies, the vast majority are operating without the baseline controls that regulators will audit first. The complaints mechanism gap is equally serious: a 2.3% adoption rate means that almost no organizations have implemented the stakeholder redress functions that the EU AI Act mandates for high-risk systems under Articles 13 and 26, that the UNESCO Recommendation on the Ethics of AI identifies as a core accountability requirement, and that consumer protection regulators such as the FTC are increasingly treating as an expectation for AI-driven services. The board oversight gap compounds both: without governance accountability at the executive and board level, neither human oversight policies nor complaint mechanisms are likely to be resourced, maintained, or enforced even when they nominally exist on paper.

Compliance teams should benchmark their organization against the four dimensions identified in the report and treat each gap as a discrete workstream with an owner and timeline. Organizations that have not yet adopted a named framework should use the ai-governance-program-from-scratch playbook to select and document a primary framework, because framework selection is the decision that unlocks downstream control-mapping, audit readiness, and regulatory gap analysis. The human-oversight-for-high-risk-ai-decisions and effective-human-in-the-loop playbook controls directly address the 13% oversight policy gap; compliance teams without a current policy should draft one and route it through legal and the relevant business line owners before the EU AI Act's August 2026 high-risk system deadlines. On complaints mechanisms, no standard playbook control yet covers the design and operation of an AI-specific grievance and redress channel for external stakeholders; teams should engage their compliance, HR, and customer affairs functions to scope and build one, referencing EU AI Act Article 13 transparency requirements and any applicable consumer protection obligations as the design baseline. Board oversight accountability should be formalized through the ai-governance-ownership playbook, which establishes the escalation chain from operational teams to senior leadership, and compliance teams should verify that AI risk appears as a standing agenda item at both the risk committee and board level before the next reporting cycle.