AI Governance Gap: Enterprise Security's 2026 Challenge

Organizations are better at identifying and governing risks than actually reducing them, according to a new report. This pattern holds true for both cyber and AI risk maturity. The lowest scores were found in the functions meant to put risk management into practice. Reuven Aronashvili, CEO of Cye, states that AI is inheriting cybersecurity's oldest problem: the gap between policy and action. The challenge isn't just understanding risks, but identifying which ones will disrupt business and determining specific actions. This gap between AI governance and operational control is becoming a major challenge for enterprise security in 2026. While "govern" was the highest-scoring AI RMF function, "manage" ranked lowest at 2.22. Shadow AI exposure is also high in many sectors, reaching 71% in transportation and 62% in energy. Financial services led overall maturity rankings, but "protect" remained its weakest function. The bottom line is that strong governance and regulations don't automatically mean effective risk reduction, and this impacts how businesses stay secure.