Nearly 90% of Companies Lack a Named AI Governance Framework, Survey Finds; Complaint Mechanisms Present at Just 2.3%
Source
Corporate AI Governance Report 2025
AICDI Global Insights
What happened
The Corporate AI Governance Report 2025 was published by AICDI Global Insights and presents a quantitative baseline of corporate AI governance maturity across a global company sample. The report finds that 87% of companies have not publicly committed to a named AI governance framework such as ISO 42001, the NIST AI RMF, or EU AI Act compliance requirements. Only 13% of organizations maintain documented human oversight policies for AI systems, and just 2.3% have a dedicated complaints mechanism for AI-related harms or disputes. The report examines four structural dimensions: board-level oversight of AI risk, escalation pathways for AI incidents, workforce grievance mechanisms, and formal framework adoption. The findings are especially significant given that emerging regulations including the EU AI Act, Colorado SB 205, and the Texas Responsible AI Governance Act explicitly require or strongly expect documented governance programs as a prerequisite for demonstrating compliance.
Why it matters
- Regulatory exposure is acute: the EU AI Act's August 2026 high-risk system deadlines require documented human oversight policies and stakeholder redress mechanisms under Articles 13 and 26, and the 87% framework non-adoption rate means most organizations cannot yet demonstrate the baseline compliance posture regulators will audit first.
- Operational impact is compounded by the absence of foundational program infrastructure, since human oversight policies and escalation pathways are prerequisite controls for operationalizing any specific regulatory requirement, and without them compliance, legal, and risk functions have no structure from which to build.
- Organizational risk is heightened by the board oversight gap: without governance accountability at the executive and board level, neither human oversight policies nor complaint mechanisms are likely to be resourced or enforced, leaving organizations exposed to enforcement action and reputational harm even when nominal controls exist on paper.
Governance controls affected
What to do now
- ☐ Benchmark your organization against the four governance dimensions in the report (framework adoption, human oversight policy, complaints mechanism, and board oversight) and assign a named owner and remediation timeline to each identified gap.
- ☐ Select and formally document a primary AI governance framework (such as ISO 42001 or the NIST AI RMF) to unlock downstream control-mapping, audit readiness, and regulatory gap analysis ahead of EU AI Act enforcement timelines.
- ☐ Draft a human oversight policy for high-risk AI applications, route it through legal and relevant business line owners, and publish it internally before the EU AI Act's August 2026 high-risk system deadlines.
- ☐ Engage compliance, HR, and customer affairs functions to scope and build a dedicated AI-specific grievance and redress channel for external stakeholders, using EU AI Act Article 13 transparency requirements and applicable consumer protection obligations as the design baseline.
- ☐ Verify that AI risk appears as a standing agenda item at both the risk committee and board level, and formalize the escalation chain from operational AI teams to senior leadership before the next reporting cycle.
What to watch next
Compliance teams should monitor the enforcement posture of EU regulators as the August 2026 high-risk system deadline approaches, paying particular attention to whether national market surveillance authorities begin issuing guidance on how they will audit framework adoption and oversight policy documentation. Developments under Colorado SB 205 and the Texas Responsible AI Governance Act should also be tracked, as both frameworks may issue implementing rules that set more specific expectations for complaints mechanisms and board-level accountability. The FTC's evolving treatment of AI-driven consumer services as subject to existing redress obligations is an additional signal worth monitoring for organizations with consumer-facing AI deployments.
