SecurityBrief Ireland - Technology news for CISOs & cybersecurity decision-makers
Ireland
AI visibility gap hits compliance teams, Drata finds

AI visibility gap hits compliance teams, Drata finds

Thu, 16th Jul 2026 (Today)
Joseph Gabriel Lagonsin
JOSEPH GABRIEL LAGONSIN News Editor

Drata has published research on the use of artificial intelligence in governance, risk and compliance. The study found that only 13% of IT and security professionals have full visibility into the AI tools used in their organisations.

The survey highlights a sharp gap between the adoption of AI in compliance-related work and the systems used to monitor it. Among 300 IT and security professionals surveyed by Wakefield Research for Drata, 87% said they do not have complete visibility into the AI tools active across their business.

That lack of oversight appears to be contributing to operational and regulatory problems. The research found that 71% of organisations said an AI tool used for governance, risk and compliance had contributed at least once to a failed audit or a lapse in meeting a regulatory standard.

Many respondents also questioned whether the market has delivered tools that meet their needs. According to the findings, 86% of teams agreed that many AI products aimed at governance, risk and compliance are not ready for large organisations, while 83% said they were not fully prepared for the next wave of AI integration.

The figures suggest buyers are becoming less patient with products that do not work as expected. Three-quarters of organisations said they now stop using underperforming AI tools more quickly than before, and more than half said they return to manual processes when those tools fall short.

Buying shift

The report also points to a change in purchasing preferences. Some 64% of respondents said they would rather use targeted agentic AI systems than broad all-in-one platforms. That share rose to 70% among buyers focused on risk.

The term agentic AI is increasingly used in the software market to describe systems designed to carry out specific tasks with greater autonomy. In governance and compliance, that can include monitoring controls, collecting evidence or handling parts of review workflows.

Drata linked the preference for narrower tools to a broader reassessment of how companies buy AI for sensitive functions. The data suggests organisations are placing more weight on defined outputs and accountability than on breadth of features.

"The horizontal AI platform era in GRC is over, and the data confirms what we're already seeing from the field: buyers aren't waiting for the next generation of tools. They've moved their money toward agents that can prove specific, repeatable, and defensible outcomes. This shift is the most consequential procurement realignment in GRC since the shift to cloud-native compliance," said Matt Hillary, Chief Information Security Officer and SVP of Security, Drata.

Governance gap

The survey focused on governance, risk and compliance, often shortened to GRC, a category covering the internal controls, policies and oversight companies use to meet security and regulatory requirements. AI has been moving into that work through tools that help with risk analysis, evidence gathering, policy checks and vendor assessments.

But the findings suggest governance structures have not kept pace with adoption. The central issue raised by the research is not simply whether AI is being deployed, but whether organisations can identify who is responsible for the systems, how they are supervised and what happens when their outputs create compliance failures.

Another part of the study examined external trust centres, which companies use to present information about their security and compliance posture to customers and partners. Among organisations with an external trust centre, nearly half reported greater transparency into vendor security, and 44% said they had faster vendor reviews.

Those figures point to one area where clearer documentation and centralised information may be reducing friction in oversight processes. They also fit the report's broader theme that visibility is a basic condition for effective governance.

The research arrives as companies across sectors push AI into business-critical workflows while regulators pay closer attention to accountability, record-keeping and risk management. Security and compliance teams have often been expected to apply existing controls to new AI systems, even when use spreads informally across departments.

That dynamic may help explain another finding: 90% of respondents said at least some AI investments had fallen short of expectations. While the study did not break down those disappointments in detail, the broader results suggest that weak oversight, unclear ownership and limited readiness remain major barriers.

Hillary argued that the next stage of adoption will depend on tighter control over specific uses. "The next decade in GRC will belong to organizations that buy, build, deploy, fine-tune, and benefit from agents that own specific outcomes, hold vendors accountable when those outcomes fail, and are honest enough about the gap to close it deliberately," he said.