Most Companies Still Building Basic AI Governance Frameworks, S&P Global Report Finds
What happened
S&P Global published The AI Governance Challenge, a special report examining enterprise AI governance maturity across global organizations. The report argues that effective AI governance must be anchored in five core principles: transparency, fairness, privacy, adaptability, and accountability, and cannot be reduced to rule-based checklists. It identifies recurring structural elements across leading governance frameworks, including human oversight mechanisms, ethical use policies, and safety protocols, citing IBM's AI ethics board as a concrete institutional model. The report finds that many companies are still in early-stage governance construction, a gap that has become more consequential as regulatory bodies across multiple jurisdictions move from voluntary guidance to enforceable requirements. The EU AI Act, for example, began applying its prohibited AI provisions and AI literacy requirements in February 2026, while frameworks in Singapore, Japan, and the United Kingdom continue to mature. The report's risk-based methodology mirrors approaches embedded in the NIST AI Risk Management Framework and ISO/IEC 42001:2023.
Why it matters
- Organizations that remain in early-stage governance construction face direct regulatory exposure as enforceable requirements under the EU AI Act and sector-specific rules in financial services, healthcare, and critical infrastructure now explicitly mandate documented human oversight and bias monitoring processes.
- The absence of formally designated accountability structures, such as an AI ethics committee or a named executive-level AI risk owner, is increasingly treated as a governance deficiency by regulators and auditors, creating operational liability for compliance and risk teams that have not yet formalized these roles.
- Institutional investors are beginning to incorporate AI governance maturity into ESG assessments, meaning that disclosure gaps identified in benchmarking reports like this one can carry reputational and valuation consequences that extend well beyond direct regulatory risk.
What to do now
- ☐ Assess your organization's current AI governance maturity against the five principles outlined in the S&P Global report (transparency, fairness, privacy, adaptability, and accountability) and document identified gaps.
- ☐ Formally designate an AI ethics committee or a named executive-level AI risk owner, and record this accountability structure in your governance documentation to address the deficiency pattern identified in the report.
- ☐ Review and update your AI risk classification inventory to confirm that high-impact AI systems in regulated sectors are tiered appropriately under a risk-based framework aligned with NIST AI RMF or ISO/IEC 42001:2023.
- ☐ Verify that human oversight mechanisms and bias monitoring processes are documented and operational for AI systems subject to the EU AI Act, sector-specific financial services rules, or healthcare regulations.
- ☐ Prepare or refresh AI governance disclosures for board, audit committee, and investor reporting to reflect current maturity levels, given that ESG-focused investors are treating these disclosures as valuation-relevant.
What to watch next
Compliance teams should monitor the continued rollout of EU AI Act obligations, including upcoming requirements for high-risk AI systems that follow the February 2026 initial application date, as well as evolving national-level frameworks in Singapore, Japan, and the United Kingdom that are expected to add specificity and enforcement mechanisms. The SEC and sector regulators in financial services and healthcare are also signaling increased scrutiny of AI governance disclosures, and enforcement actions targeting inadequate human oversight or undocumented accountability structures could emerge as early benchmarks. Organizations should also track whether institutional investor coalitions begin issuing formal AI governance scoring criteria that reference reports such as this one, as such criteria could rapidly shift disclosure expectations beyond what current regulatory minimums require.
