Skip to content

Research · 2026

The Governance Gap: the state of AI governance in UK organisations

UK AI adoption has crossed into the mainstream. Oversight has not kept pace. This report measures the distance between how fast UK organisations are deploying AI and the board accountability, policy, risk registers and assurance needed to deploy it safely — the governance gap.

Last updated 10 July 2026 · compiled by Governance AI from 27 cited sources

At a glance

The governance gap in eight numbers

Adoption figures are climbing. The figures that describe oversight are not. Every number below links to its primary source.

44%of large UK businesses (250+ staff) now use AIONS, Jan 2026
25%of all UK businesses use AI — up 15 points since 2023ONS, Jan 2026
17%of organisations say the board owns AI-governance oversightMcKinsey, State of AI 2025
7%have fully embedded AI governance — while 93% use AITrustmarque, 2025
66%of boards have limited-to-no knowledge of AIDeloitte, Governance of AI
362documented AI incidents in 2025 — up 55% year on yearStanford HAI, 2026 AI Index
~350organisations worldwide hold an ISO/IEC 42001 certificateAtoro
2 Aug 2026the majority of the EU AI Act begins to applyEC AI Act Service Desk

Adoption versus governance maturity, by sector

The violet bar is each sector’s headline adoption rate; the muted bar is its best available governance or maturity signal. The underlying surveys differ between sectors, so read each pair on its own terms — the pattern, not the precise gap, is the point.

Charities
Local authorities
Professional services
Education
Financial services
Housing associations

AdoptionGovernance / maturity signal

Foreword

For thirty years I have watched good boards come unstuck in the same way: not because they lacked ambition, but because the pace of a new technology outran the discipline they had built to govern it. AI is that story again, only faster. The organisations in this report are adopting AI at remarkable speed. Far fewer can tell you who on the board is accountable for it, what policy governs it, or how they would know if it went wrong.

Governance is not the enemy of adoption; it is what makes adoption survivable. A board that can name its risks, evidence its controls and answer for its decisions can move with confidence. The purpose of this report is not to slow anyone down. It is to show, with evidence, exactly where the gap sits — so that boards can close it before a regulator, an ombudsman or an incident closes it for them.

Dr Karl George MBE — founder of The Governance Forum; creator of the Governance Assessment Process and the RACE Equality Code

01

Where the UK stands on adoption

AI is no longer a pilot. As of December 2025, 25% of UK businesses were using AI, up 15 percentage points since September 2023, rising to 44% among large businesses of 250 or more staff; a further 15% plan to adopt within three months (ONS, Jan 2026). The government’s own study of 3,500 businesses found roughly one in six using AI, with 85% of adopters applying it to text and language tasks and 65% citing efficiency as the driver — though only 12% reported increased revenue, and 65% expect their AI budgets to rise, climbing to 82% among large firms (DSIT AI Adoption Research 2025).

Read those numbers with care. Published UK adoption rates range from 16% to 71% depending on how the question is asked and who is counted (Bennett School, Cambridge). The spread is itself a finding: there is no single agreed measure of “using AI”, which is precisely why boards should not rely on a headline percentage to reassure themselves. What is not in dispute is the direction. Adoption is broad, accelerating, and concentrated among exactly the large, regulated organisations that carry the most governance obligation.

02

The oversight deficit

Governance has not moved at the speed of adoption. Around a quarter of UK directors are concerned their organisation has no AI policy, strategy or data-governance framework — even as 62.5% use AI personally and 49.4% say their organisation uses it (IoD Policy Voice, March 2025). Board knowledge is improving but low: 66% of boards report limited-to-no knowledge or experience of AI, down from 79%, while 31% say AI is still not on the board agenda at all and a third of directors are dissatisfied with the time their board gives it (Deloitte, Governance of AI, global).

Ownership is the sharpest gap. Only 17% of organisations say the board owns AI-governance oversight, with 28% placing it with the chief executive (McKinsey, State of AI 2025, global); and while 93% of organisations use AI, just 7% have fully embedded AI governance (Trustmarque, 2025, vendor research). Formal assurance is rarer still: around 350 organisations worldwide held an ISO/IEC 42001 certificate by spring 2026, two years after the standard was published (Atoro), and BSI became the first UKAS-accredited certifier only in November 2025 (BSI, Nov 2025). There is movement — board-level AI-risk oversight at Fortune 100 firms tripled from 16% to 48% across 2025 (EY Center for Board Matters, global) — but from a very low base.

03

The regulatory horizon

The UK has taken a principles-based path with no statutory AI act and no single AI regulator, leaving existing bodies to apply existing powers (White & Case, UK tracker). That does not mean UK organisations are outside the reach of AI law. The EU AI Act is extraterritorial: it binds UK firms that place AI on the EU market or whose AI output is used in the EU (PwC UK, EU AI Act). And from accounting periods beginning in January 2026, UK boards are increasingly expected to declare the effectiveness of their material internal controls — a duty that reaches the AI systems sitting inside those controls.

  1. 2 August 2025

    Obligations for general-purpose AI (GPAI) models began to apply under the EU AI Act. EC AI Act Service Desk

  2. 2 August 2026

    The majority of the EU AI Act applies — high-risk systems (Annex III), transparency duties and enforcement. It binds UK firms that place AI on the EU market or whose AI output is used in the EU. EC AI Act Service Desk

  3. United Kingdom — ongoing

    No statutory AI act and no dedicated AI regulator; the ICO, FCA, Ofcom and CMA apply existing powers. In December 2025 the FCA confirmed it will not introduce AI-specific rules. FCA, Dec 2025

04

What goes wrong when governance lags

The consequences are already visible in the record. Documented AI incidents rose to 233 in 2024, up 56% year on year (Stanford HAI, 2025 AI Index, global), and again to 362 in 2025, a further 55% increase (Stanford HAI, 2026 AI Index, global). As deployment widens, the count of things going publicly wrong widens with it.

Beneath the reported incidents runs a quieter risk: shadow AI, the use of AI tools outside any policy or oversight. Vendor research suggests 77% of employees paste data into generative-AI prompts, and 82% of that activity happens through personal accounts beyond the organisation’s controls (eSecurity Planet / LayerX, vendor research); separate analysis found around 11% of the content pasted into ChatGPT is confidential (Cyberhaven, vendor research). These figures come from security vendors and should be read as indicative rather than definitive — but the direction is consistent, and it points at data leaving governed systems every day.

05

Sector scorecard

The governance gap is not evenly spread. Six priority sectors, each with its own adoption curve and its own oversight shortfall.

Charities

76%

76% of charities now use AI, up from 61% a year earlier — but only 2% describe that use as strategic and 51% are still “exploring”. Policy development has tripled, from 16% to 48%, which means the majority of charities using AI still have no policy governing it.

AI governance for charities

Local authorities

95%

95% of responding councils use or are exploring AI, up 10 points on the previous year, yet only 7% assess themselves as “leaders”. Near-universal experimentation sits on top of very thin claims to maturity.

AI governance for local authorities

Professional services

61%

61% of UK lawyers now use generative AI, up from 46% in eight months, and top-100 firms expect roughly a 16% cut in chargeable hours. Among chartered accountants, 83% of 18–24-year-olds use AI weekly but only 47% of senior leaders are comfortable with it — the confidence gap runs up the hierarchy, not down.

AI governance for professional services

Education

76%

76% of teachers now use AI, up from 53%, yet 76% report no training and 49% of schools have no AI policy. Only 44% of further-education and 37% of higher-education providers had delivered staff AI development — adoption is outrunning both policy and skills.

AI governance for education

Financial services

75%

75% of firms already use AI and a further 10% plan to within three years, but 46% report only a partial understanding of the AI they use — and 55% of use cases involve automated decision-making. The most heavily regulated sector is deploying decision-making AI faster than it understands it.

AI governance for financial services

Housing associations

47%

47% of housing associations use AI day-to-day and 23% plan to, yet 44% have no AI policy and only 13.5% of staff know their organisation has one. In a sector answerable to the Regulator of Social Housing and the Housing Ombudsman, that is a live accountability gap.

AI governance for housing associations

06

The governance gap, quantified

Put the two halves of this report side by side and the gap is stark. On the adoption side: 44% of large UK businesses using AI, 95% of councils, 76% of charities and teachers, 75% of financial-services firms. On the oversight side: 17% of organisations where the board owns AI, 7% with fully embedded governance, and roughly 350 ISO 42001 certificates in the entire world. Organisations have adopted AI far faster than they have learned to govern it.

That distance — between deployment speed and the accountability, policy, risk management and assurance needed to deploy safely — is the governance gap. It is not an argument against AI. It is the work that turns AI from an exposure your board cannot answer for into a capability it can. The organisations that close it first will be the ones still standing when a regulator, an ombudsman or an incident asks them to show their working.

07

What boards should do now

Six moves that close the gap, in the order most boards should take them. None requires slowing adoption down.

Name who is accountable

Put one board member and one executive on the hook for AI oversight, with AI on the board agenda at least quarterly. Only 17% of organisations can say the board owns this today.

AI governance for boards

Approve a written AI policy

Set out plainly what staff may and may not do with AI — including personal accounts and organisational data in public tools. The majority of adopters in most sectors still have no policy.

What to put in a UK AI policy

Keep a living AI risk register

Move beyond a one-off assessment to a register with named owners, controls and review dates that the board can actually challenge.

AI risk register template

Build board literacy

Every director should be able to describe, in plain terms, the AI the organisation relies on. Start from the questions a board should be asking.

Questions every board should ask

Seek independent assurance

Hold material AI systems and their suppliers to evidenced standards rather than the vendor's word — ISO/IEC 42001 gives you a recognised framework to align to.

ISO 42001 readiness checklist

Map your regulatory exposure

Know whether the EU AI Act reaches you and by which date, and whether you could evidence the duties UK regulators already apply. An independent diagnostic is the fastest way to find out.

AI governance diagnostic

The board's own test

The AI Governance Readiness Checklist

Twelve questions a board should be able to answer with evidence, not assertion. If more than a handful give you pause, the gap is yours to close.

  • Accountability

    Is a single named individual, at or reporting to the board, accountable for AI oversight?

  • Accountability

    Does AI reach the board agenda at least quarterly, with management information it can challenge?

  • Policy

    Has the board approved a written AI policy setting out what staff may and may not do with AI?

  • Policy

    Does that policy cover personal AI accounts and pasting organisational data into public tools?

  • Risk

    Is there a living AI risk register with named owners, controls and review dates — not a one-off assessment?

  • Risk

    Would the board learn within days if an AI system caused harm, and does it know who it must tell?

  • Skills

    Can every board member describe, in plain terms, the main AI systems the organisation relies on?

  • Skills

    Has the board had AI training in the last twelve months, proportionate to the risk it carries?

  • Assurance

    Is there independent assurance over material AI systems, rather than reliance on the vendor's word?

  • Assurance

    Are AI suppliers held to contractual standards for transparency, data use and security?

  • Regulatory readiness

    Does the organisation know whether the EU AI Act reaches it, and by which date?

  • Regulatory readiness

    Could the board evidence today how it meets the duties its regulators already apply to AI?

Want to score yourself properly? The free Board AI Scorecard turns these questions into a rated diagnostic across accountability, policy, risk, data and capability — about two minutes, no sign-up to see your result.

Take the Board AI Scorecard

Methodology

How this report was compiled

This report is a desk synthesis of primary and reputable secondary sources published up to July 2026, compiled by Governance AI. We prioritised UK-specific evidence for the national picture and for each sector. Where the strongest available figure is global rather than UK — as with board-level surveys from Deloitte, McKinsey and EY — it is marked “global” at the point of use. Where a figure comes from a security or technology vendor’s own telemetry rather than independent research — as with the shadow-AI numbers — it is marked “vendor research” and should be read as indicative.

We have not commissioned new primary research or adjusted any published figure. Survey methods, sample sizes and dates differ between sources, so numbers should be compared within a source rather than across them — the value of this report is the pattern the sources form together, all of which are listed below for readers to check directly.

Sources

  1. 1.ONS, Business Insights and Conditions Survey (Wave 147), 8 January 2026
  2. 2.DSIT, AI Adoption Research (3,500 UK businesses, fieldwork February–May 2025)
  3. 3.Bennett School of Public Policy, University of Cambridge — AI adoption in the UK
  4. 4.Institute of Directors, Policy Voice survey (~700 UK directors, March 2025)
  5. 5.Deloitte, Governance of AI (2nd edition, 700 respondents across 56 countries) · global
  6. 6.McKinsey, The State of AI 2025 (reported via Knostic) · global
  7. 7.Trustmarque, AI governance research 2025 (UK; reported via Knostic) · vendor research
  8. 8.Atoro, How many companies are ISO 42001 certified?
  9. 9.BSI press release, November 2025 — first UKAS-accredited ISO/IEC 42001 certifier
  10. 10.EY Center for Board Matters (reported via Corporate Compliance Insights) · global
  11. 11.European Commission, AI Act Service Desk — implementation timeline
  12. 12.PwC UK — EU AI Act guidance
  13. 13.White & Case, AI Watch: Global regulatory tracker — United Kingdom
  14. 14.Financial Conduct Authority — AI approach (confirmed no AI-specific rules, December 2025)
  15. 15.Stanford HAI, 2025 AI Index — Responsible AI · global
  16. 16.Stanford HAI, 2026 AI Index — Responsible AI · global
  17. 17.eSecurity Planet / LayerX, shadow-AI reporting (October 2025) · vendor research
  18. 18.Cyberhaven — company data pasted into ChatGPT · vendor research
  19. 19.Charity Digital Skills Report 2025 (672 charities)
  20. 20.Local Government Association, State of the Sector: Artificial Intelligence (2025 update)
  21. 21.LexisNexis, 2025 — two-thirds of UK lawyers now use AI
  22. 22.PwC, Law Firms' Survey 2025
  23. 23.Ipsos for Chartered Accountants Worldwide / ICAEW
  24. 24.Teacher Tapp (reported via Third Space Learning)
  25. 25.Jisc, Staff perceptions of AI 2025
  26. 26.Bank of England & FCA, third AI survey (November 2024)
  27. 27.The State of AI in Housing 2025 (Phoenix Software / NHF reporting)

Citing this report

Journalists and researchers are welcome to cite this report with attribution to Governance AI (governanceai.io). For data queries, interviews with Dr Karl George MBE, or a comment on AI governance in a specific sector, contact hamada@governanceai.io.

Where does your board sit in the gap?

Start with the free Board AI Scorecard for a rated read on your oversight, or talk to us about an independent AI governance diagnostic for your organisation.

Free · no sign-up to see your score.