AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

← News
Research2026-05-04

Only 13% of Nearly 3,000 Global Firms Follow a Formal AI Governance Framework, UNESCO Study Finds

What happened

UNESCO and the Thomson Reuters Foundation published research on November 1, 2025, analyzing 2,972 companies across 11 sectors globally, with findings available via UNESCO AI Governance Corporate Report. The study found that while 43.7% of surveyed companies communicated an AI strategy, only 13% publicly claimed adherence to a recognized AI governance framework. Operational controls were notably weak across the sample, with just 40% of companies reporting board-level oversight of AI. Only 12.4% of firms surveyed had policies in place to ensure human oversight of AI systems. The research concludes that possessing an AI strategy does not constitute governance readiness, and that accountability pathways, human oversight requirements, monitoring, and remediation processes represent the areas of greatest material exposure for most organizations.

Why it matters

  • ·The finding that only 13% of firms adhere to a formal AI governance framework signals significant regulatory exposure, as jurisdictions including the EU are increasingly mandating structured governance documentation and accountability mechanisms that most organizations are currently unprepared to demonstrate.
  • ·With only 12.4% of companies maintaining human oversight policies, organizations face substantial operational risk if regulators or auditors request evidence of meaningful human review processes, particularly for high-stakes or automated AI-driven decisions.
  • ·Board-level AI oversight reported by only 40% of firms indicates a widespread organizational governance gap, meaning accountability for AI-related failures or harms may lack a clear chain of responsibility, increasing liability risk for leadership and compliance functions alike.

Governance controls affected

What to do now

  • Conduct a gap assessment comparing your organization's current AI practices against a recognized AI governance framework such as ISO 42001 or the NIST AI RMF, and document the findings for board review.
  • Verify that board-level oversight of AI is formally established, with defined responsibilities, reporting cadences, and escalation paths for material AI risks documented in governance policies.
  • Review and update human oversight policies to ensure they explicitly cover which AI systems require human approval, what constitutes meaningful review under HOC-004, and how overrides are logged and tracked.
  • Map all deployed AI systems against HOC-001 risk classification criteria to identify which systems lack assigned accountability owners or escalation paths.
  • Prepare an internal compliance readiness report summarizing your organization's adherence to each element cited in the UNESCO findings, including oversight, monitoring, and remediation processes, to support proactive regulatory engagement.

What to watch next

Compliance teams should monitor whether the UNESCO and Thomson Reuters Foundation research prompts regulatory bodies in the EU, UK, or other active jurisdictions to reference the 13% adoption statistic as justification for accelerating mandatory governance framework requirements. Teams should also track whether industry bodies or stock exchange listing authorities respond to the board oversight findings by proposing or finalizing disclosure requirements tied to AI governance maturity. Any follow-up guidance from UNESCO or Thomson Reuters Foundation providing sector-specific benchmarks or recommended frameworks should be reviewed promptly as it may inform enforcement expectations.

AI Governance Weekly

Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.

Powered by Buttondown.

Related Coverage

Research2026-07-10

Fabricated Court Citations in Deloitte Australia AI Report Cost $290,000 and Expose QA Gap in Professional Services

An AI-generated consulting report produced by Deloitte Australia using an Azure OpenAI agent contained non-existent court citations and fabricated quotes, forcing the firm to return a portion of its $290,000 fee. The failure traced directly to absent two-person verification for legal references and no mandatory human review of numerical and citation claims in AI-assisted deliverables. The incident is documented in a Risk and Insurance analysis of AI governance failures in professional liability contexts.

Research2026-06-25

Deloitte Australia Forced to Repay $290,000 After AI Chatbot Fabricates Citations and Court Quotes in Client Report

Deloitte Australia produced a client report containing AI-generated misinformation, including fabricated citations and a court quotation that does not exist, resulting in the firm returning $290,000 in fees. The incident, documented in Good.Lab's analysis of major responsible AI failures, exposes two critical control gaps: the absence of hallucination detection checks and the lack of mandatory human verification for AI-generated outputs. The case has become a reference point for enterprise compliance teams building controls around AI-assisted professional deliverables.

Research2026-06-23

Municipal Algorithm Registers Offer Enterprise Compliance Teams a Practical Inventory Benchmark

A CIDOB research paper published in February 2025 documents how cities are implementing algorithm lifecycle governance through centralized registers that combine risk assessment, mandatory audits for high-risk systems, and public transparency mechanisms. The research presents a structured model covering the full lifecycle from intake through retirement. For enterprise compliance teams, the municipal register architecture provides a concrete operational template as regulators increasingly require auditable AI system inventories.