Three in four boards have approved major AI investments. Only half have set clear governance expectations for them.
That gap has a name now. Grant Thornton calls it the "AI proof gap" — the distance between deploying AI and being able to show how it makes decisions, who is accountable for the outcomes, and what happens when it gets something wrong.
Seventy-eight percent of senior business leaders lack confidence that their organisation could pass an independent AI governance audit within ninety days. Not because they haven't deployed AI. Because they cannot prove how it works.
Accountability without an address
The governance gap starts at the top. Three in four boards approved AI investments — but only half set governance expectations for them, and only 22% of organisations have a fully developed AI strategy at all. Responsibility for AI governance sits somewhere in the space between IT departments, risk committees, and the teams using the tools — which means, in practice, it sits nowhere. The people building the systems and the people accountable for governing them are not even worried about the same things: 54% of operations leaders flag regulatory uncertainty around AI as a concern, but only 20% of technology leaders share it.
This matters more than it sounds like it should. Organisations with fully integrated AI governance are nearly four times more likely to report revenue growth than those still piloting — 58% versus 15%. The proof gap is not just a compliance risk. It is a performance drag. The organisations that cannot explain how their AI works are also the ones getting less value from it.
Agents make it worse
Most organisations have moved AI beyond the pilot phase — 63% report operationalised AI deployments — and many of those now include agentic systems that plan, decide, and act with minimal human supervision. But fewer than half of those organisations have risk management frameworks in place to govern them.
The accountability question that was already hard with a chatbot becomes structurally different with an agent. A chatbot produces text that a human reviews. An agent takes actions that a human may never see. It schedules meetings. It routes tickets. It makes decisions about data access, customer responses, priority ordering. Each of those decisions has a consequence, and each consequence has an owner — or should.
When nobody can show who decided what, the question is not whether something will go wrong. It is whether anyone will notice when it does.
The audit is coming regardless
The EU AI Act's high-risk compliance deadline moved to December 2027. But the underlying requirement did not change: organisations deploying high-risk AI systems must be able to demonstrate how those systems work, how decisions are made, and how risks are managed. Other jurisdictions are moving in the same direction.
The organisations that will be ready are not the ones scrambling to build documentation in November 2027. They are the ones designing accountability into their workflows now — mapping which AI systems do what, who reviews the outputs, what the escalation path looks like when something breaks, and what "good" looks like for every workflow the AI touches.
The proof gap does not close with a policy document. It closes when someone sits down and designs how AI should work inside the actual workflow — with roles, rules, and a clear answer to the question: who is accountable for what this system just did?
That design work is available now. The deadline is irrelevant to whether you start it.
Sources: Grant Thornton 2026 AI Impact Survey Report; Grant Thornton, "A widening AI proof gap is emerging" (April 2026); Gallagher 2026 AI Adoption and Risk Survey.