No different from other industries, AI dove headfirst into our governance, risk, and compliance arena faster than our existing governance and risk models could manage it. That is one of the underpinned and unsurprising findings from our new research, and it reframes almost every AI conversation happening in GRC, security, and business systems procurement right now.
This spring, Drata commissioned Wakefield Research to survey 300 U.S. IT and security professionals at companies with 1,000 to 20,000 employees, spanning fintech, retail, healthtech, and SaaS. The report, The State of GRC in the Age of AI, is available today.
The tl;dr? AI in GRC overpromised and underdelivered, and buyers are now wanting more narrowly tuned and targeted agents with owned outcomes over platform-wide solutions. Here are some of the highlights from the report I found interesting.
Nearly Half Say AI Made Their Jobs Harder
Like many of you, I had high expectations for AI being a serum of relief to my oversubscribed (albeit incredibly efficient and capable) GRC, security, and IT team members , but the responses expecting this same relief from heavy workloads indicate AI is doing the opposite for many practitioners. For instance, 43% of professionals agree that AI was expected to simplify their work, but the tools they are using have made their jobs more difficult.
That frustration is not spread evenly, and the pattern only looks contradictory until you separate the two things people tend to lump together as company size: how much money an organization makes, and how many people it employs.
Revenue seemed to be a differentiator here, where money colors the perception, somewhat. At companies under $250 million in revenue, 55% say AI has made their jobs harder, whereas at companies at $250 million or more that figure drops to 36%. Organizations with higher annual revenue may indicate a better-funded organization that has the associated budgets, tooling, enablement, and process maturity to absorb AI's rough edges, and it shows in the numbers.
Orthogonally, headcount cuts the other way. At organizations with 2,500+ employees, 51% report that same friction, versus 36% at those with 1,000 to 2,500. More people means more organizational change management and adoptions, more tools, more overlapping workflows, and more places for ungoverned AI to create work instead of removing it.
Put the two together and the story is clear: healthy allocation of capital into AI enables the AI ROI organizations are hoping for, while employee scale leads to more challenges . The teams feeling the most pain are the ones running the largest footprints with the least financial cushion to manage them. Responses indicate that company size alone was never the variable that mattered.
Modest Returns, Mounting Pressure
The financial picture reinforces what practitioners described about their day-to-day life. Ninety percent of organizations admit at least some of their AI investments in GRC fell short of expectations while only 26% call their AI returns very strong, leaving 74% at modest or lower ROI. Unsurprisingly, 67% report pressure to show a financial return on those AI investments—putting pressure on the exponential costs of AI usage to turn a commensurate benefit.
AI's promise was transformation. The delivery has been incremental. The distance between those two things is where the disappointment lives, and it is where boards, executives, and technology leaders are starting to ask harder questions.
The response from practitioners is telling. Seventy-five percent of organizations now discontinue underperforming AI tools faster than they used to. When AI-enabled tools expose shortcomings, the most common immediate action is the one the technology was supposed to eliminate: 52% increased their reliance on human review or manual oversight.
The irony is real, the deeper issue is that this oversight is also currently very reactive as we prove and build trust in the human judgement of our AI capabilities. Human judgment will still belong in the loop by design—the control plane that sets the boundaries—but should not be the ultimate “clean-up on aisle 6” safety net where teams need to scramble for after an AI tool caused an audit failure.
The Visibility Gap Comes First
A core security and GRC principle still applies: we cannot govern or secure what we cannot see, and most teams still don’t have the level of visibility into our organization’s use of AI today. Only 13% of IT and security professionals are fully confident they can see every AI tool their employees use. The other 87% are feeling blind, attempting to govern and secure something they cannot fully account for.
The risks created by that blind spot are the exact ones GRC functions exist to help prevent: data security risks (57%), privacy concerns (52%), and compliance or regulatory violations (51%). Visibility is a foundational control. Every vendor standard and procurement rule sits on top of that foundation, and none of these will be effective if we can't see what we’re attempting to govern or mitigate.
Audits Are Already Being Impacted
The consequences are not theoretical. Seventy-one percent of organizations say an AI tool used for GRC functions has led to a failed audit or a lapsed regulatory standard at least once. And 86% agree there are too many GRC-focused AI tools that are not enterprise-ready, citing gaps in scalability, foundational security, and audit defensibility. Ultimately, when the tool leads to an audit finding or failure, the buyer directly wears the consequence while the tool vendor moves forward, leading to an accountability gap that cannot exist if we want to be successful with our GRC platforms.
Why the Gap Opened
Like dominoes falling, three compounding failures created this gap. Vendors oversold their capabilities, buyers (with naturally high expectations) bought the breadth when they needed precision, and our governance and risk management practices weren’t updated to adapt to the technology-specific risks and speed of adoption.
I have experienced each of these. I’ve purchased tools that overpromised.We’ve built AI capabilities that don’t yet match our high expectations. My team has rallied to secure and apply governance and risk management of procurement of AI, but does not yet match the pace of adoption or cover the risks to a level I feel comfortable with. So, as a peer and practitioner, this bar applies to vendors like Drata, too.
Commensurately, the preparedness data shows how far behind that last failure runs: 83% of organizations say they are not fully prepared for the coming wave of AI integration.
Course-Correcting Toward Precision
The horizontal, single-pane-of-glass SaaS-based AI platform era in GRC is over. Buyers are re-selecting on defensible outcomes with repeatable agent accountability rather than abandoning AI completely. Sixty-four percent of GRC buyers say a targeted agentic system that does a few things well fits their needs better than a broad, all-in-one platform. Among buyers focused on minimizing risk as their primary goal, that figure rises to 70%.
The same divide shows up in workload. 63% of teams absorbed 10%+ more work with no new headcount. The ones who managed it were the ones who could see their AI: 68% vs. 55%. Same demand, different outcome."
Continuous Trust is Becoming the Baseline
As teams confront fragmented adoption and slow third-party reviews, they are building infrastructure to keep their security posture continuously visible rather than rebuilding it for every audit. Seventy-eight percent of organizations have implemented a trust center or are actively building one. Among teams that use one, 47% report greater transparency into vendor security and 44% report faster vendor reviews.
The procurement question has changed from "what can AI do?" to "what is this AI responsible for delivering?" The teams handling this well are doing three things: they buy agents that own specific outcomes, they hold vendors accountable when those outcomes fail, and they set expectations honestly enough to close the distance deliberately.
Within the next 12 to 18 months, the organizations that demanded outcome accountability from their AI vendors will continue to aggressively close this gap, turning governance into the thing that lets them move faster, not the thing that holds them back. The gap won't close on its own, and it won't close for everyone. It closes for the teams that stop asking what their AI can do and start asking what it's accountable for. That's the whole shift. Governance stops being the thing that slows you down and becomes the reason we can move faster.
Up Next: The Problems Behind the Gap
This report kicks off a multi-part series. Over the coming weeks we'll take the expectations gap apart one problem at a time, publishing a new post every few weeks with a deeper look at each fault line and what to do about it.
Download the Report
The State of GRC in the Age of AI covers the three failures behind the expectations gap, the four demands the leading teams are acting on, and the subgroup data behind every finding above. Read the report to see where your team stands.