How are organizations addressing AI risks to reshape their governance?



With rapid AI adoption posing both opportunities and challenges, our latest EY survey addresses the urgent need for organizations to enhance their AI governance and risk management strategies.


  • Many organizations lack a clear AI adoption strategy
  • Governance models for AI are often ill-defined
  • Comprehensive management controls are frequently missing
  • Achieving full compliance with the EU AI Act remains challenging
  • Data management responsibilities are often unclear
  • Readiness to audit AI systems and promote ethical awareness is lacking
  • Comprehensive training on AI governance is commonly not provided

The demand for Artificial Intelligence (AI) solutions is growing rapidly, positioning organizations at a pivotal moment to enhance their capabilities or risk falling behind. This urgency underscores the critical importance of effective AI governance and risk management as organizations navigate the complexities of AI integration. As they strive to leverage AI for competitive advantage, organizations must also remain aware of potential risks.

The EY Europe West Technology Risk - AI Governance, Risks and Compliance Survey 2025 offers valuable insights into how organizations are adopting and implementing AI, as well as their practices in AI risk management.

About the survey

Conducted from February to April 2025, the survey gathered responses from 57 participants across 55 different companies, representing a diverse range of sectors within the Europe West Region. The respondents included a variety of roles, such as IT managers, risk managers, legal directors, auditors and executives, providing a comprehensive view of the current landscape.

The survey analysis is organized into three main chapters:

1. Survey Methodology and Respondent Background

2. Artificial Intelligence Strategy

3. Risk Management and Responsible AI Implementation

Note: Percentages are rounded to the nearest whole number, so totals may not equal 100%.

Lack of Clear AI Adoption Strategies

Many organizations lack a defined strategy for AI adoption, which limits their ability to fully leverage AI technologies for competitive advantage.

Organizations are increasingly acknowledging the necessity of a clear strategy for AI adoption to drive growth and innovation. However, many are encountering challenges during the implementation phase, which suggests that they may be missing valuable opportunities to fully leverage AI technologies for competitive advantage.

Almost one-third of respondents either have an AI adoption strategy without implementation or no strategy at all.

Graphic 1

Stage of Maturity in terms of AI adoption

Many are still in the process of aligning their strategies, which indicates that they may not be fully capitalizing on the potential benefits of AI integration. As the landscape of business continues to evolve, organizations that fail to integrate AI into their strategies risk falling behind their competitors and missing out on valuable opportunities for growth.

A significant 28% have not considered incorporating AI into their strategic frameworks at all.

Graphic 2

Updating the strategic plan to incorporate the impact of AI

Governance Models Are Underdeveloped

A significant number of organizations do not have well-defined governance models for AI, increasing the risk of inconsistent practices.

Organizations recognize the potential risks associated with AI, with most respondents identifying “Data & Privacy Risks” and “IT & Security Risks” as their top concerns. However, the low ranking of “Third Party Risks” suggests that organizations may be underestimating their significance, potentially creating vulnerabilities in an interconnected environment. 

Graphic 3

Average rating of anticipated risks arising from the use of AI

The most effective way to address these perceived risks is through the development of a robust governance framework. However, the survey reveals that 70% of organizations lack well-defined AI governance models, highlighting a critical gap in the oversight and management of AI systems. Without these frameworks in place, organizations may struggle to effectively manage AI-related challenges and ensure successful implementation.

Fewer than one-third of respondents have a well-defined AI governance model.

Graphic 4

AI governance model: defined roles, responsibilities, and processes?

Need for Enhanced Risk Management

While some organizations have formal AI policies, many still lack comprehensive management controls, highlighting the need for improved governance.

Establishing formal AI policies is crucial for organizations to effectively manage risks, ensure compliance with regulations and promote ethical use of AI technologies in an increasingly complex business landscape. While a majority of organizations have implemented formal AI policies, a significant number still lack these essential frameworks, underscoring the need for improved governance in AI practices (https://www.ey.com/en_gl/services/technology-risk).

Almost half of respondents do not have defined policies related to the use of AI.

Graphic 5

Existence of formal AI policies

For these policies to be effective, organizations must follow a structured approach to ensure they manage all associated risks appropriately. This involves implementing comprehensive AI risk controls that not only address current vulnerabilities, but also adapt to evolving challenges in the AI landscape.

80% of respondents still need to develop their risk management controls.

Graphic 6

Are there specific controls in place to manage AI risks?

Challenges in EU AI Act Compliance

Awareness of the EU AI Act is widespread, but many organizations face challenges in achieving full compliance.

For organizations to navigate the regulatory landscape effectively, awareness of the EU AI Act is crucial. The survey reveals that approximately 80% of organizations are aware of the EU AI Act, with many having completed or planning impact assessments to ensure compliance.

 

Graphic 7

Is the Organization aware of the European AI Act?

Despite the widespread awareness of the EU AI Act, the number of companies that are fully compliant remains alarmingly low. This lack of compliance poses significant risks, as organizations may face regulatory penalties and miss opportunities to utilize AI responsibly. According to the survey, companies in some sectors, such as Energy and Retail, lead the way in compliance with this regulation.

A concerning 72% are not fully compliant with the EU AI Act.

Graphic 8

Does the organization comply with the European AI Regulation?

Undefined Data Management Policies

Many organizations lack clearly defined data management responsibilities that encompass all relevant aspects, highlighting the need for further development.

Establishing clear data management procedures is essential for organizations to effectively mitigate risks associated with data handling. The survey indicates that while organizations primarily focus on defining training policies for security measures, they fall short in several key areas, such as establishing continuous processes for data management. This contrast underscores that many aspects of security measures and governance remain underdeveloped.

Organizations are primarily focusing on training and awareness sessions on data management and protection.

Graphic 9

Security measures for AI data

Effective management of data collection and model training processes contributes to a higher reliability of AI systems. However, the survey reveals that some organizations lack well-defined and systematic processes for data collection for AI training, updating AI models and lifecycle management of AI systems, with no plans to develop these critical frameworks.

Between 23% and 30% of organizations lack a defined process or plans to develop one for these three critical areas of data management.

Graphic 10

Data collection and management for AI training

Graphic 11

Definition of the AI lifecycle management process

Graphic 12

AI model updating and training processes

Inadequate Audit Preparedness and Global Awareness relating to AI Systems

Many organizations lack the readiness to audit their AI systems and to raise awareness of ethical practices; there is a critical need for improvement.

Effective audit readiness is crucial for organizations to ensure the integrity, compliance, and reliability of their AI systems. However, many organizations are not fully prepared to conduct audits, and a significant number lack plans to develop the necessary capabilities.

Only 10% of companies are fully prepared to audit AI systems.

Graphic 13

Preparing the organization to audit AI systems

Promoting ethical awareness is essential for organizations to ensure responsible AI usage and build trust with stakeholders. However, many organizations conduct only occasional awareness activities on AI ethics, while others do not promote these principles at all, highlighting the need for more proactive efforts in this area.

A third of respondents do not promote AI ethical principles within the organization in any way.

Graphic 14

How are ethical principles in AI promoted?

Insufficient Training on AI

A significant number of organizations fail to provide comprehensive training on AI governance, highlighting a critical gap in employee education.

Effective training programs are essential for equipping employees with the knowledge needed to navigate AI governance, risk and compliance. However, the survey reveals that only 33% of organizations provide comprehensive training in these areas, with many lacking such programs or still developing them. This poses a threat to companies because insufficient training can lead to mismanagement of AI systems and increased compliance risks.

Almost one quarter of respondents do not provide training on AI and have no plans to develop any.

Graphic 15

Does the organization provide AI GRC training to the employees involved?


Summary

The survey highlights a critical need for organizations to enhance their approach to AI adoption and governance. While awareness of the importance of AI is growing, many organizations face significant gaps in their strategies, training, and compliance efforts.

The findings indicate that without robust frameworks and comprehensive training programs, organizations may struggle to effectively manage the risks associated with AI technologies.
