By Constantine Karbaliotis
May 21, 2026
Grant Thornton released its 2026 AI Impact Survey in April, drawing on responses from nearly one thousand senior business leaders surveyed earlier this year. Three in four boards approved major AI investments. The investment moved through governance with a confidence the rest of the survey does not support. Only 52% of boards set clear AI governance expectations. 54% integrated AI risks and opportunities into ongoing board or committee oversight. Grant Thornton's framing was direct: guardrails arrive after the incident, not before. The survey calls the resulting exposure the "AI proof gap." The gap is the Governance Gap I described in the Privacy Briefing's foundational paper. The survey gives it numbers.

Governance Debt, Measured in Percentages

The Governance Gap identified adoption without governance as the point at which liability accumulates quietly; the statistics speak for themselves. The April survey supplies the metric. The 23% spread between boards approving investments in AI and those failing to put in place governance is the adoption-accountability split. 78% cannot defend the deployment against an independent audit within 90 days, which is the "proof deficit" expressed in concrete terms. Forty-six percent of leaders report that AI underperforms because controls and compliance are not working, while only eleven percent believe risk and compliance should be the primary focus of the program. The organization recognizes the symptom and treats it as something other than governance. The picture that emerges is governance debt: obligations incurred at the point of adoption and unpaid since. Time and effort alone will not retire it.

The Board Is Being Briefed by the Wrong Function

The single most consequential finding in the survey for a board audience is the split between operating leaders and technology leaders on agentic AI risk.
Fifty-four percent of chief operating officers are concerned about regulatory and compliance uncertainty related to agentic AI. Only twenty percent of chief information officers and chief technology officers share that concern. The implication reaches beyond agentic systems. The function closest to the operational consequences of AI deployment — the function that will answer for the discriminatory outcome or the regulator's inquiry — sees a different risk profile than the function that owns the technology and typically briefs the board on it.

Directors approving AI investments on the basis of technology-function reporting are being informed by the function with the least exposure to the downstream consequences. That is a governance problem before it is a technology problem. Fiduciary oversight depends on receiving information from the people who carry the operational risk. The current reporting structure is not delivering that information.

Centralized Review Bodies Cannot Scale Through an AI Rollout

Grant Thornton's diagnosis of the governance-model problem pointed to a familiar pattern. Centralized AI review committees become bottlenecks that slow execution without reducing risk. The prescribed fix sets policy and risk criteria centrally and delegates assessment to trained reviewers at the division or regional level, calibrated to the risk profile of each deployment.

The model transfers directly from the privacy impact assessment discipline that privacy programs have refined over the last two decades. An AI impact assessment asks the same governance questions a mature PIA (privacy impact assessment) asks — business purpose, accountability for decisions, training data provenance, explainability, human oversight — applied to a different system class. The discipline extends; it does not require reinvention.

The regulatory direction reinforces the point.
Automated decision disclosure obligations are in force or emerging across multiple jurisdictions, and accountability principles in general privacy law have already been interpreted by regulators as extending to algorithmic systems. Tiered risk-based AI regulation has become the dominant legislative model, which means boards inherit it through vendor contracts whether or not their own jurisdiction has enacted comparable legislation.

Delegated assessment calibrated to risk is how accountability survives AI scale. A centralized body staffed to approve a dozen deployments cannot handle five hundred.

Agentic AI Compounds What Organizations Cannot Already Explain

Nearly three in four organizations have given agentic AI systems access to their data and their processes. Twenty percent have a tested incident response plan for when an agent fails. Five percent permit fully autonomous execution of high-stakes decisions, a figure that sounds reassuring until the next number is added: sixty percent permit agentic automation of moderate-risk tasks, which is where most operational harm accumulates day to day. Each unmonitored agent expands the surface area of decisions the organization cannot explain.

The foundational Briefing paper argued that a well-constructed data subject access request functions as a penetration test of an AI-enabled organization's governance program. The right to know what data trained a model and to challenge or correct an automated decision already exists in law and is already being asserted. Agentic systems multiply the instances of decisions the organization will have to account for, without multiplying the infrastructure available to account for them.

Agentic deployments will produce a regulatory inquiry or a claim that demands explanation. What the organization will be able to produce when one arrives is the only open question.

What the Board Owes, and Owes Now

The foundational paper sets out a thirty-, ninety-, and one-hundred-eighty-day sequence of governance actions. The survey data supports three additions specific to the board's own posture:

- Require the chief operating officer, not only the chief information officer or chief technology officer, to present to the board on AI risk. The fifty-four to twenty percent divergence in concern is itself the reason. Directors must hear from the function that will answer for the operational failure, alongside the function that selected the technology.

- Commission an independent AI governance readiness assessment against a published standard. NIST AI RMF and ISO/IEC 42001 offer credible baselines, as do tiered risk-based frameworks in force across multiple jurisdictions. The ninety-day audit-failure figure is the exposure metric the board should be measuring its program against, because a regulator, claimant, or insurer will eventually measure it against something comparable.

- Move AI from investment-committee approval to continuing board or committee oversight. The finding that only fifty-four percent of organizations have integrated AI risk and opportunity into ongoing oversight identifies the structural failure the survey measures. Approval of an investment is a discrete transaction. Oversight of the resulting risk is a continuing function, and nearly half of boards have not established one for AI.

The Return Depends on What You Can Prove

The strongest finding in the survey is the performance differential. Organizations with fully integrated AI are nearly four times more likely to report AI-driven revenue growth than those still piloting — 58% compared with 15%. The organizations pulling ahead built the governance that supports the deployment. Governance functions as the infrastructure that makes AI performance sustainable, and the organizations that skipped that layer are underperforming the ones that did not.

Boards that approved the investment already own the outcome. Whether they can prove it when asked is what the survey actually measures.