Executives at large firms keep hearing the same pitch from vendors. Move fast on artificial intelligence or fall behind. Many listened. The results have not been kind.
A fresh survey of 406 IT decision makers conducted in April reveals the scale of the mismatch. Ninety-three percent of organizations have already suffered infrastructure incidents traced directly to AI use. Just 19 percent possessed governance structures equipped to handle them. The Register laid out the numbers in detail last week. The picture is sobering.
Paweł Hytry, co-founder and CEO of Spacelift, put it bluntly. “The findings are unambiguous: organizations are using AI to generate infrastructure code at a rate their governance frameworks were never designed to handle.” His company’s 2026 State of Infrastructure Automation report labels the phenomenon an AI readiness gap. Companies generate code faster than they can check it. Then they pay for the mistakes.
Eighty-two percent of respondents said between a quarter and three-quarters of their code now comes with AI assistance. The downstream effects hit infrastructure teams hard. Forty percent reported security vulnerabilities appearing more often. The same share said governance itself had grown more difficult. Change volume rose for 37 percent. Development pipelines strained for 35 percent. Infrastructure drift showed up at similar rates.
Spacelift breaks organizations into four groups. Twenty-four percent count as exposed. These outfits run AI without matching controls. What they do diverges sharply from how they manage other technology. Another 32 percent operate in fragmented fashion. They apply AI unevenly and lack a coherent plan. The remaining share splits between those outpacing their controls and true pioneers who maintain discipline. The exposed group reported incidents at a 97 percent clip. Pioneers saw none in 17 percent of cases.
The cognitive gap stands out. Eighty-six percent of leaders believe they can govern their AI efforts. Only 30 percent have a formal policy on the books. The Register called this self-delusion in gentler terms. The consequences show up in production. Thirty-seven percent of organizations rework AI-generated changes. Thirty-six percent deal with security misconfigurations that slipped into live environments. Compliance violations hit the same mark. Infrastructure drift and agent-driven incidents follow close behind.
But the problem runs wider than infrastructure as code. Recent analysis from Aon shows AI adoption climbed to 88 percent of organizations using the technology in at least one function by last year. Harmful incidents jumped 56 percent in 2024 according to the Stanford AI Index, reaching 233 cases. AI-powered phishing now achieves click-through rates near 54 percent. Traditional attacks manage about 12 percent. Shadow AI, while declining from 78 percent to 47 percent of employees, still creates major data exposure.
Aon warns that AI rewrites fraud, governance and operational risk at speed. Brent Rieth, Aon’s Head of Global Cyber Solutions, noted that the technology changes exposure faster than traditional frameworks adapt. Organizations investing early in transparent governance and scenario analysis stand to turn risk into advantage. Those that treat governance as an afterthought inherit the opposite.
WitnessAI outlined six persistent governance challenges enterprises face this year. No single owner exists for AI oversight. Responsibility fragments across the CISO for security, legal for contracts, compliance for regulations and human resources for policy. Policies exist on paper but rarely enforce in practice. Adoption races ahead of controls. Pilots launch easily. Production deployments stall when risk teams cannot verify audit trails fast enough.
Shadow AI remains the largest unmanaged surface. Seventy-eight percent of employees admit to using unsanctioned tools across browsers, native apps and IDEs. Legacy security tools cannot parse conversational intent or bidirectional traffic in large language model sessions. Third-party vendors add another blind spot. Ninety-eight percent of organizations connect to suppliers that suffered recent breaches. Few can confirm how those partners handle data in training runs.
Agentic systems introduce risks governance never anticipated. Fifteen percent of day-to-day decisions could become autonomous by 2028. A third of applications may include such agents. More than 40 percent of projects risk cancellation due to uncontrolled costs or exposure. Traditional identity and access management collapses when credentials multiply across non-human actors.
WitnessAI argues for intent-based classification, runtime guardrails and unified platforms that treat both humans and agents under one engine. Without them, visibility stays incomplete and response stays reactive.
Compliance experts see parallel shifts. Rebeca Vergara Goana wrote in Corporate Compliance Insights that AI has moved from an emerging fintech topic to a clear operational risk linked to cybersecurity and disclosures. The SEC’s priorities reflect that change. AI washing now draws more scrutiny than greenwashing. Companies claim capabilities they do not possess. They expose themselves to false statements, contractual liability, sanctions and reputational damage.
Vendor risk has become inherent risk. Small and midsize businesses face compliance layers once reserved for larger firms. Goana warns that AI gradually suppresses human intuition and investigation. Models fabricate details. Policies drafted by AI create legal obligations the organization never intended.
Recent discussions on X echo the tension. One analyst noted that many enterprise AI projects fail because teams underestimate the cost of reliability. Human oversight, workflow redesign and verification remain non-negotiable. Another post highlighted how UK physical AI efforts now focus on trust and measurable impact rather than novelty. Governance and integration have become the binding constraints.
Insurance markets show the pressure. More than 90 percent of decision makers view AI-driven incidents as material. Standalone policies remain narrow. Carriers respond with clarifications, selective exclusions and targeted endorsements rather than blanket denials. David Molony at Aon stressed that new insurance products must evolve deliberately with the pace of technology.
Adam Peckman, Aon’s Global Practice Leader of Cyber Risk Consulting, offered a direct prescription. Organizations that treat governance as a living discipline, one that evolves alongside the technology instead of trailing it, position themselves best. The alternative grows clearer each quarter. Incidents accumulate. Regulators tighten rules. Boards inherit systems too embedded to unwind easily.
Spacelift recommends tracking metrics few organizations monitor today. Measure the volume of AI-generated infrastructure code flowing through pipelines. Track error rates tied to those changes. Quantify drift caused by AI. Integrate generated code into governed IaC workflows. Plan controls for agents before they act independently. Automation without governance simply accelerates problems.
The pattern repeats across industries. Leaders approve AI initiatives at the departmental level. Shadow use spreads. Incidents surface months later. By then accountability blurs. The exposed category in Spacelift’s survey shows what happens when divergence becomes normal. The pioneers demonstrate that discipline pays. They combine heavy AI use with structural controls and see fewer failures.
Yet the majority sit somewhere in between. They sense the gap but hesitate to slow deployment. Vendors keep pushing. Boards ask for competitive advantage. Technology teams deliver code at unprecedented speed. The infrastructure underneath absorbs the strain until it does not.
Recent regulatory fragmentation adds complexity. The EU AI Act phases in requirements through 2027. U.S. approaches emphasize innovation with lighter touch in some areas. Compliance teams map use cases, document decisions and prepare for audits that grow stricter. Those who map early and test controls secure better insurance terms. Those who wait face higher premiums or coverage gaps.
Deepfake fraud offers one vivid example. A $25 million case made headlines. Click rates on synthetic media attacks dwarf traditional phishing. Training employees to spot synthetic content becomes table stakes. Out-of-band verification for payments and multi-person approval for unusual transactions gain new urgency.
Third-party diligence expands too. Contracts now demand transparency on training data and incident response. Runtime visibility supplements periodic audits. Models must be vetted before integration. Inputs and outputs filtered against prompt injection and leakage.
The data paints a consistent portrait. Adoption outruns preparation. Incidents rise. Governance lags. Leaders who close the gap treat oversight as continuous, not periodic. They build audit trails that keep pace with agentic behavior. They measure what matters in AI-generated pipelines. They accept that speed without structure creates fragility.
Spacelift’s report and the supporting coverage from the Register arrived at a moment when many organizations have already crossed the threshold. The incidents have begun. The question is no longer whether governance matters. It is whether leaders will build it before the next wave of automation arrives. The exposed group already knows the cost of waiting. The pioneers show the rewards of acting with eyes open.


WebProNews is an iEntry Publication