56 per cent of organisations use embedded AI tools, raising new governance blind spots, Optro finds 

  • New research from Optro reveals that the greatest AI risks facing enterprises no longer stem primarily from catastrophic model failures
  • Instead, they stem from the accumulation of everyday employee interactions with increasingly invisible AI systems operating across the organisation
  • More than half of organisations already use embedded AI capabilities within vendor tools

New research from Optro reveals that the greatest artificial intelligence (AI) risks facing enterprises no longer stem primarily from catastrophic model failures, but from the accumulation of everyday employee interactions with increasingly invisible AI systems operating across the organisation. 

“At this early stage, AI risk is being driven as much by human behaviour, as it is from the technology itself,” said Guru Sethupathy, GM of AI Governance at Optro. “Lack of sufficient review of AI output, moving too quickly without sufficient guardrails and shadow AI are examples of human behaviours that increase the surface area of AI risks.” 

While much of the AI governance conversation remains focused on generative AI tools, the research identifies embedded AI inside enterprise software platforms as an equally significant, and potentially more dangerous, source of exposure. More than half (56%) of organisations already use embedded AI capabilities within vendor tools, approaching the adoption levels of generative AI itself (63%).  

Yet unlike standalone AI tools, employees often do not recognise embedded functionality as ‘AI usage,’ creating major governance blind spots.  
44 per cent of respondents said they are concerned about employees’ lack of awareness regarding AI embedded inside enterprise tools. 

At the same time, most governance, risk and compliance (GRC) structures appear fundamentally unprepared for this new reality.  

Only 34 per cent of organisations maintain a formal AI model inventory, while just 31 per cent have implemented AI incident response procedures. Nearly two-thirds (64%) of audit, GRC and IT decision-makers said they feel only somewhat confident, or outright unconfident, in their organisation’s visibility into third-party cyber risk, including risks introduced through vendor AI capabilities.

The research also reveals growing concern among security leaders that current governance approaches are failing to keep pace with emerging AI-enabled threats. More than a third of respondents (35%) believe overly permissive AI governance policies will accelerate AI-enabled social engineering and impersonation attacks. 

“Traditional GRC frameworks are static and slow to update, but that is insufficient to keep up with how quickly AI technology and risks are evolving. For instance, few standards or guardrails consider agentic AI and need to be quickly updated to stay relevant. At many companies, governance is a point-in-time exercise, meanwhile AI risks are evolving in real time,” said Sethupathy. 

Among CISOs, 23 per cent said a lack of personnel with expertise in AI security and emerging risks represents their single biggest obstacle. 

“AI sits on both sides of the risk coin—it will significantly increase the surface area of risk for all organisations, and at the same time, AI will be a critical component of the governance stack,” added Sethupathy. “We believe smart AI Governance will be a differentiator, enabling speed and trust.” 
