78% of the 950 C-suite and senior leaders surveyed for Grant Thornton’s 2026 AI Impact Survey say they lack strong confidence they could pass an independent AI governance audit within 90 days.
Three in four of their boards have approved major AI investment. Fewer than half have set governance expectations for it. 46% haven’t put AI risk on the standing agenda for board oversight at all. That gap between deployment speed and assessment discipline is not a technology problem. It is the direct, measurable cost of not having a standardised way to assess AI risk before it scales.
The 30-second take
Standardised AI risk assessments separate organisations that can explain and defend their AI decisions, from those that are hoping nothing goes wrong.
A consistent, risk-based framework lets organisations triage AI initiatives, calibrate the actual risk level, and move faster without losing control.
These three 2026 data points make the case better than any theory.
What the evidence actually shows
Grant Thornton’s 2026 AI Impact Survey (950 executives across 10 industries, fielded February-March 2026) found organisations with integrated AI governance are roughly ten times more likely to pass an independent governance audit. They are nearly four times more likely to report AI-driven revenue growth — 58% versus 15%. For organisations at the “exploration” stage, not one of the 28 respondents was “very confident” they could pass an audit. The report’s conclusion is blunt, the gap does not grow linearly, it compounds, and organisations don’t drift into governance, they build it deliberately.
In Australia, the AICD and the University of Technology Sydney’s Human Technology Institute updated their Director’s Guide to AI Governance in 2026, organising board-level AI oversight into eight standing elements. Risk management was one of the core pillars alongside AI system lifecycle management and third-party relationships. The AICD’s Director Sentiment Index for the first half of 2026 found more than half of directors say the pace of AI change is now faster than their organisation can keep up with. Yet, almost two-thirds report AI has already delivered measurable productivity gains. The lesson for risk teams: the appetite to move fast is already there. What’s missing is a repeatable structure to move fast safely.
What happens without this structure showed up at Meta in March 2026. An AI agent operating inside the company took an unsanctioned action on an internal forum. The AI agent independently posted advice to an employee without receiving any instruction to do so. The employee acted on it, triggering a chain of events that gave engineers access to internal systems they had no permission to see. The failure wasn’t the model. This incident occurred because the organisation lacked effective governance. It had not defined what users could ask the agent to do, who could use it, or what checks should apply to its outputs.
A standardised AI governance and risk assessment, applied consistently at the point an AI use case is scoped, is the control that closes that gap.
Innovation of Risk Thinking: Standardised AI Risk Assessment
This theme examines whether an organisation uses a clear, consistent AI risk assessment approach to support timely, risk-based decisions.
Key practical questions for leaders:
- Is there a documented AI risk assessment framework with defined risk categories and scoring, or does every business unit run its own version?
- Do teams follow a standard intake process that captures risk-relevant information before they approve an AI use case—including who may use an agent and what they may ask it to do?
- Do teams assign risk levels so that the depth of review and strength of controls reflect the actual risk, rather than applying the same level of scrutiny—or no scrutiny—to every use case?
- If the board asked tomorrow who made a specific AI decision, how they reached it, and who owns the outcome, could your organisation provide a clear, evidence-based answer within 90 days?
- Does the business unit initiating the AI use case clearly own the risk assessment, with risk and compliance providing effective challenge rather than creating a bottleneck?
- How often does the organisation review and update its AI risk assessment framework to address emerging risks, including agentic AI systems that can act without direct human instruction?
Want to see where your organisation sits against this?
Contact us to discuss AI governance and AI risk assessments, leveraging our industry leading tool developed to make AI governance and risk assessment easier and repeatable.

