GRC Insights

The official blog of the founder of The Fragile Seam.

How GRC Professionals Can Govern AI Use in 2026

The defining risk challenge for the remainder of this decade is control of AI use. The experimental phase of AI is over. It is no longer just a sandbox tool for developers; it is now an autonomous agent making decisions, generating content, and interacting with customers on behalf of the enterprise.

However, a dangerous visibility gap remains. According to Optro, while around 85% of organizations have integrated AI into core operations or business strategy, only around 25% of organizations have comprehensive visibility into how that AI behaves day-to-day.

Governance Can’t Wait

Functionally, every AI service is a third-party service with privileged access to sensitive assets and data. But unlike traditional software, AI is probabilistic, not deterministic. For example, without strict controls, anyone could “trick” a customer-facing chatbot to leak Personally Identifiable Information (PII) or proprietary trade secrets through a cleverly phrased question.

Organizations also need to take steps to govern AI as soon as possible, because the longer they wait, the harder it will be to close the gap in the future as their AI usage grows exponentially. Consequently, GRC professionals must govern AI with the same rigor as any critical vendor but with even tighter controls to account for its unpredictable behavior.

The Regulatory Wave

The “move fast and break things” era of AI is over. It has been replaced by dense frameworks of global compliance. Governing AI is no longer optional. It is now a legal requirement.

  • ISO/IEC 42001:2023, released in 2023, is the first international standard for AI Management Systems (AIMS). It is now linked with ISO/IEC 27001:2022 due to having a shared management system structure.
  • The EU AI Act, released in 2025, requires risk-based classification and strict prohibitions on high-risk AI.
  • U.S. State Laws, including those in California and Colorado, now cover the governance of AI. In particular, the Colorado AI Act (SB 24-205) becomes effective in June 2026, requiring the protection of consumers from algorithmic discrimination.

The message from these regulations is clear. AI is a security-sensitive system that must be documented, risk-classified, monitored, and auditable. Yet only about one-third of organizations have a formal AI governance maturity program in place.

For GRC teams, this means that they should demonstrate that AI is documented, that its risks are continuously assessed, and its outputs are controlled.

Realities of AI Usage in the Industry

To understand how to govern, we must first look at how AI is appearing in the workplace today. AI use cases GRC professionals should look out for include:

  • Shadow AI is the new Shadow IT. It occurs when employees use unauthorized AI tools, often those that store conversational data, to perform company tasks. For example, someone could input intellectual property into ChatGPT or Claude. This is where the mindset of treating AI tools like third-party tools is important. AI tools can assist with tasks but cannot be inherently trusted.
  • AI is being silently embedded into SaaS tools. Vendors are adding AI copilots and automation features into existing platforms. Unfortunately, in many cases, organizations do not realize this, so they could be using AI in systems they do not classify as AI.
  • AI is becoming a defensive necessity. This is mostly due to the fact that AI is now the primary defense against AI-enabled attacks. The most common way these attacks are being used is through phishing. For example, AI can generate perfectly phrased, context-aware social engineering emails in seconds. Because of this, the number of AI-assisted attacks is growing, requiring an automated defensive response to keep pace.
  • AI can now scan for vulnerabilities. In early 2026, a collaboration between Mozilla and Anthropic demonstrated this when Claude Opus 4.6 independently identified 22 vulnerabilities in the Firefox codebase. But while AI can find these flaws, attackers can use the same models to find zero-day vulnerabilities and automate exploits.

People vs. Systems: The Primary Risk Surface

A common phrase in GRC is “humans are the weakest link” in cybersecurity. In AI governance, the largest risk surface is not the model, but human behavior. Most AI‑related incidents stem from misuse, over-trust, lack of training, and the pressure to save time. Yet many organizations still design governance programs as if AI risk is purely technical. Key behavioral drivers include:

  • Risky behavior, such as pasting customer data into ChatGPT.
  • Insufficient training. Most companies have not updated their training material recently enough to cover AI usage.

What does this mean? GRC professionals must embed AI controls in the workflow and at the moment of use. It is not enough to just know who can access an AI system. Governance must track what they do with it. They should also update the organization’s cybersecurity training material to govern AI usage as soon as possible.

Governance Shouldn’t Be Split

In many organizations, AI governance is split across IT, risk, security, and dedicated AI teams. This means no one has end-to-end accountability, which creates gaps in authority and results in inconsistent controls and no unified view of AI risk. This fragmentation guarantees blind spots, and blind spots guarantee incidents.

To fix this, AI governance must be centralized under a single function with the authority to set policy, enforce controls, and maintain a complete inventory of AI systems and use cases.

The 5 Stages of AI Governance Maturity

Most GRC professionals know their organization needs stronger AI governance but don’t know where to begin. Without a baseline, improvement becomes guesswork. This is where the stages of AI governance maturity come into play, as distinct ordered operational states with clear steps on how to get to the next stage.

AI governance typically includes the following core capabilities:

  • AI inventory and classification
  • AI risk assessment
  • AI output monitoring and guardrails
  • Human-in-the-loop requirements
  • Model lifecycle management
  • Vendor/third-party AI evaluation

Stage 1: Ad-Hoc

Organizations in this stage have AI in use but governance is either nonexistent or only reactive.

To move to Stage 2, organizations should build the foundation by performing a Shadow AI Discovery audit and updating the Acceptable Use Policy that clearly defines what data cannot be used for public LLMs.

Stage 2: Managed

At this stage, policies exist but are inconsistently applied. AI inventory is incomplete.

To move to Stage 3, organizations should standardize the intake by integrating AI risk reviews into the procurement process and maintaining a central Model Registry (a comprehensive ledger documenting every sanctioned AI tool, its use case, and what data it touches).

Stage 3: Defined

At this stage, controls exist, workflows are documented, and governance is repeatable but not yet measured.

To move to Stage 4, organizations should monitor and control AI outputs by deploying automated guardrails that scan for unethical usage of AI in real-time, such as policy violations, PII leakage, or jailbreak attempts through prompt injection.

Stage 4: Quantitative

At this stage, metrics, dashboards, and monitoring exist. Governance is data‑driven but not automated.

To move to Stage 5, organizations should automate the assurance by connecting the GRC platform directly to AI models via API for continuous monitoring (allowing the system to automatically flag compliance violations in real-time without human intervention) and evidence collection.

Stage 5: Optimized

At this final stage, governance is connected, continuous, and visible to senior management.

To stay at Stage 5, organizations should focus on Adaptive Governance, where the system automatically adjusts to new global regulations as they are passed.

Conclusion

The organizations that succeed in the latter half of this decade when it comes to their cybersecurity posture will be those that treat AI governance as a continuous capability, not a one-time project. By closing the visibility gap and moving up the maturity scale, GRC professionals can turn AI from a looming risk into a managed asset.

Discover more from GRC Insights

Subscribe now to keep reading and get access to the full archive.

Continue reading