Research · 2026
The Governance Gap: the state of AI governance in UK organisations
UK AI adoption has crossed into the mainstream. Oversight has not kept pace. This report measures the distance between how fast UK organisations are deploying AI and the board accountability, policy, risk registers and assurance needed to deploy it safely — the governance gap.
Last updated 10 July 2026 · compiled by Governance AI from 27 cited sources
At a glance
The governance gap in eight numbers
Adoption figures are climbing. The figures that describe oversight are not. Every number below links to its primary source.
Adoption versus governance maturity, by sector
The violet bar is each sector’s headline adoption rate; the muted bar is its best available governance or maturity signal. The underlying surveys differ between sectors, so read each pair on its own terms — the pattern, not the precise gap, is the point.
AdoptionGovernance / maturity signal
Foreword
For thirty years I have watched good boards come unstuck in the same way: not because they lacked ambition, but because the pace of a new technology outran the discipline they had built to govern it. AI is that story again, only faster. The organisations in this report are adopting AI at remarkable speed. Far fewer can tell you who on the board is accountable for it, what policy governs it, or how they would know if it went wrong.
Governance is not the enemy of adoption; it is what makes adoption survivable. A board that can name its risks, evidence its controls and answer for its decisions can move with confidence. The purpose of this report is not to slow anyone down. It is to show, with evidence, exactly where the gap sits — so that boards can close it before a regulator, an ombudsman or an incident closes it for them.
Dr Karl George MBE — founder of The Governance Forum; creator of the Governance Assessment Process and the RACE Equality Code
01
Where the UK stands on adoption
AI is no longer a pilot. As of December 2025, 25% of UK businesses were using AI, up 15 percentage points since September 2023, rising to 44% among large businesses of 250 or more staff; a further 15% plan to adopt within three months (ONS, Jan 2026). The government’s own study of 3,500 businesses found roughly one in six using AI, with 85% of adopters applying it to text and language tasks and 65% citing efficiency as the driver — though only 12% reported increased revenue, and 65% expect their AI budgets to rise, climbing to 82% among large firms (DSIT AI Adoption Research 2025).
Read those numbers with care. Published UK adoption rates range from 16% to 71% depending on how the question is asked and who is counted (Bennett School, Cambridge). The spread is itself a finding: there is no single agreed measure of “using AI”, which is precisely why boards should not rely on a headline percentage to reassure themselves. What is not in dispute is the direction. Adoption is broad, accelerating, and concentrated among exactly the large, regulated organisations that carry the most governance obligation.
02
The oversight deficit
Governance has not moved at the speed of adoption. Around a quarter of UK directors are concerned their organisation has no AI policy, strategy or data-governance framework — even as 62.5% use AI personally and 49.4% say their organisation uses it (IoD Policy Voice, March 2025). Board knowledge is improving but low: 66% of boards report limited-to-no knowledge or experience of AI, down from 79%, while 31% say AI is still not on the board agenda at all and a third of directors are dissatisfied with the time their board gives it (Deloitte, Governance of AI, global).
Ownership is the sharpest gap. Only 17% of organisations say the board owns AI-governance oversight, with 28% placing it with the chief executive (McKinsey, State of AI 2025, global); and while 93% of organisations use AI, just 7% have fully embedded AI governance (Trustmarque, 2025, vendor research). Formal assurance is rarer still: around 350 organisations worldwide held an ISO/IEC 42001 certificate by spring 2026, two years after the standard was published (Atoro), and BSI became the first UKAS-accredited certifier only in November 2025 (BSI, Nov 2025). There is movement — board-level AI-risk oversight at Fortune 100 firms tripled from 16% to 48% across 2025 (EY Center for Board Matters, global) — but from a very low base.
03
The regulatory horizon
The UK has taken a principles-based path with no statutory AI act and no single AI regulator, leaving existing bodies to apply existing powers (White & Case, UK tracker). That does not mean UK organisations are outside the reach of AI law. The EU AI Act is extraterritorial: it binds UK firms that place AI on the EU market or whose AI output is used in the EU (PwC UK, EU AI Act). And from accounting periods beginning in January 2026, UK boards are increasingly expected to declare the effectiveness of their material internal controls — a duty that reaches the AI systems sitting inside those controls.
2 August 2025
Obligations for general-purpose AI (GPAI) models began to apply under the EU AI Act. EC AI Act Service Desk
2 August 2026
The majority of the EU AI Act applies — high-risk systems (Annex III), transparency duties and enforcement. It binds UK firms that place AI on the EU market or whose AI output is used in the EU. EC AI Act Service Desk
United Kingdom — ongoing
No statutory AI act and no dedicated AI regulator; the ICO, FCA, Ofcom and CMA apply existing powers. In December 2025 the FCA confirmed it will not introduce AI-specific rules. FCA, Dec 2025
04
What goes wrong when governance lags
The consequences are already visible in the record. Documented AI incidents rose to 233 in 2024, up 56% year on year (Stanford HAI, 2025 AI Index, global), and again to 362 in 2025, a further 55% increase (Stanford HAI, 2026 AI Index, global). As deployment widens, the count of things going publicly wrong widens with it.
Beneath the reported incidents runs a quieter risk: shadow AI, the use of AI tools outside any policy or oversight. Vendor research suggests 77% of employees paste data into generative-AI prompts, and 82% of that activity happens through personal accounts beyond the organisation’s controls (eSecurity Planet / LayerX, vendor research); separate analysis found around 11% of the content pasted into ChatGPT is confidential (Cyberhaven, vendor research). These figures come from security vendors and should be read as indicative rather than definitive — but the direction is consistent, and it points at data leaving governed systems every day.
05
Sector scorecard
The governance gap is not evenly spread. Six priority sectors, each with its own adoption curve and its own oversight shortfall.
Charities
76%76% of charities now use AI, up from 61% a year earlier — but only 2% describe that use as strategic and 51% are still “exploring”. Policy development has tripled, from 16% to 48%, which means the majority of charities using AI still have no policy governing it.
AI governance for charitiesLocal authorities
95%95% of responding councils use or are exploring AI, up 10 points on the previous year, yet only 7% assess themselves as “leaders”. Near-universal experimentation sits on top of very thin claims to maturity.
AI governance for local authoritiesProfessional services
61%61% of UK lawyers now use generative AI, up from 46% in eight months, and top-100 firms expect roughly a 16% cut in chargeable hours. Among chartered accountants, 83% of 18–24-year-olds use AI weekly but only 47% of senior leaders are comfortable with it — the confidence gap runs up the hierarchy, not down.
AI governance for professional servicesEducation
76%76% of teachers now use AI, up from 53%, yet 76% report no training and 49% of schools have no AI policy. Only 44% of further-education and 37% of higher-education providers had delivered staff AI development — adoption is outrunning both policy and skills.
AI governance for educationFinancial services
75%75% of firms already use AI and a further 10% plan to within three years, but 46% report only a partial understanding of the AI they use — and 55% of use cases involve automated decision-making. The most heavily regulated sector is deploying decision-making AI faster than it understands it.
AI governance for financial servicesHousing associations
47%47% of housing associations use AI day-to-day and 23% plan to, yet 44% have no AI policy and only 13.5% of staff know their organisation has one. In a sector answerable to the Regulator of Social Housing and the Housing Ombudsman, that is a live accountability gap.
AI governance for housing associations06
The governance gap, quantified
Put the two halves of this report side by side and the gap is stark. On the adoption side: 44% of large UK businesses using AI, 95% of councils, 76% of charities and teachers, 75% of financial-services firms. On the oversight side: 17% of organisations where the board owns AI, 7% with fully embedded governance, and roughly 350 ISO 42001 certificates in the entire world. Organisations have adopted AI far faster than they have learned to govern it.
That distance — between deployment speed and the accountability, policy, risk management and assurance needed to deploy safely — is the governance gap. It is not an argument against AI. It is the work that turns AI from an exposure your board cannot answer for into a capability it can. The organisations that close it first will be the ones still standing when a regulator, an ombudsman or an incident asks them to show their working.
07
What boards should do now
Six moves that close the gap, in the order most boards should take them. None requires slowing adoption down.
Name who is accountable
Put one board member and one executive on the hook for AI oversight, with AI on the board agenda at least quarterly. Only 17% of organisations can say the board owns this today.
AI governance for boardsApprove a written AI policy
Set out plainly what staff may and may not do with AI — including personal accounts and organisational data in public tools. The majority of adopters in most sectors still have no policy.
What to put in a UK AI policyKeep a living AI risk register
Move beyond a one-off assessment to a register with named owners, controls and review dates that the board can actually challenge.
AI risk register templateBuild board literacy
Every director should be able to describe, in plain terms, the AI the organisation relies on. Start from the questions a board should be asking.
Questions every board should askSeek independent assurance
Hold material AI systems and their suppliers to evidenced standards rather than the vendor's word — ISO/IEC 42001 gives you a recognised framework to align to.
ISO 42001 readiness checklistMap your regulatory exposure
Know whether the EU AI Act reaches you and by which date, and whether you could evidence the duties UK regulators already apply. An independent diagnostic is the fastest way to find out.
AI governance diagnosticThe board's own test
The AI Governance Readiness Checklist
Twelve questions a board should be able to answer with evidence, not assertion. If more than a handful give you pause, the gap is yours to close.
- Accountability
Is a single named individual, at or reporting to the board, accountable for AI oversight?
- Accountability
Does AI reach the board agenda at least quarterly, with management information it can challenge?
- Policy
Has the board approved a written AI policy setting out what staff may and may not do with AI?
- Policy
Does that policy cover personal AI accounts and pasting organisational data into public tools?
- Risk
Is there a living AI risk register with named owners, controls and review dates — not a one-off assessment?
- Risk
Would the board learn within days if an AI system caused harm, and does it know who it must tell?
- Skills
Can every board member describe, in plain terms, the main AI systems the organisation relies on?
- Skills
Has the board had AI training in the last twelve months, proportionate to the risk it carries?
- Assurance
Is there independent assurance over material AI systems, rather than reliance on the vendor's word?
- Assurance
Are AI suppliers held to contractual standards for transparency, data use and security?
- Regulatory readiness
Does the organisation know whether the EU AI Act reaches it, and by which date?
- Regulatory readiness
Could the board evidence today how it meets the duties its regulators already apply to AI?
Want to score yourself properly? The free Board AI Scorecard turns these questions into a rated diagnostic across accountability, policy, risk, data and capability — about two minutes, no sign-up to see your result.
Take the Board AI ScorecardMethodology
How this report was compiled
This report is a desk synthesis of primary and reputable secondary sources published up to July 2026, compiled by Governance AI. We prioritised UK-specific evidence for the national picture and for each sector. Where the strongest available figure is global rather than UK — as with board-level surveys from Deloitte, McKinsey and EY — it is marked “global” at the point of use. Where a figure comes from a security or technology vendor’s own telemetry rather than independent research — as with the shadow-AI numbers — it is marked “vendor research” and should be read as indicative.
We have not commissioned new primary research or adjusted any published figure. Survey methods, sample sizes and dates differ between sources, so numbers should be compared within a source rather than across them — the value of this report is the pattern the sources form together, all of which are listed below for readers to check directly.
Sources
- 1.ONS, Business Insights and Conditions Survey (Wave 147), 8 January 2026
- 2.DSIT, AI Adoption Research (3,500 UK businesses, fieldwork February–May 2025)
- 3.Bennett School of Public Policy, University of Cambridge — AI adoption in the UK
- 4.Institute of Directors, Policy Voice survey (~700 UK directors, March 2025)
- 5.Deloitte, Governance of AI (2nd edition, 700 respondents across 56 countries) · global
- 6.McKinsey, The State of AI 2025 (reported via Knostic) · global
- 7.Trustmarque, AI governance research 2025 (UK; reported via Knostic) · vendor research
- 8.Atoro, How many companies are ISO 42001 certified?
- 9.BSI press release, November 2025 — first UKAS-accredited ISO/IEC 42001 certifier
- 10.EY Center for Board Matters (reported via Corporate Compliance Insights) · global
- 11.European Commission, AI Act Service Desk — implementation timeline
- 12.PwC UK — EU AI Act guidance
- 13.White & Case, AI Watch: Global regulatory tracker — United Kingdom
- 14.Financial Conduct Authority — AI approach (confirmed no AI-specific rules, December 2025)
- 15.Stanford HAI, 2025 AI Index — Responsible AI · global
- 16.Stanford HAI, 2026 AI Index — Responsible AI · global
- 17.eSecurity Planet / LayerX, shadow-AI reporting (October 2025) · vendor research
- 18.Cyberhaven — company data pasted into ChatGPT · vendor research
- 19.Charity Digital Skills Report 2025 (672 charities)
- 20.Local Government Association, State of the Sector: Artificial Intelligence (2025 update)
- 21.LexisNexis, 2025 — two-thirds of UK lawyers now use AI
- 22.PwC, Law Firms' Survey 2025
- 23.Ipsos for Chartered Accountants Worldwide / ICAEW
- 24.Teacher Tapp (reported via Third Space Learning)
- 25.Jisc, Staff perceptions of AI 2025
- 26.Bank of England & FCA, third AI survey (November 2024)
- 27.The State of AI in Housing 2025 (Phoenix Software / NHF reporting)
Citing this report
Journalists and researchers are welcome to cite this report with attribution to Governance AI (governanceai.io). For data queries, interviews with Dr Karl George MBE, or a comment on AI governance in a specific sector, contact hamada@governanceai.io.
Where does your board sit in the gap?
Start with the free Board AI Scorecard for a rated read on your oversight, or talk to us about an independent AI governance diagnostic for your organisation.
Free · no sign-up to see your score.