Your team is using AI. Your compliance program probably isn't ready. Yep - it's true. According to the Thoropass 2026 State of Audit and Compliance Report, 69% of security leaders say AI adoption in their organization is outpacing their ability to maintain security and compliance controls.
This stat confirms what I've been seeing firsthand in audit engagements all year: teams adopt and deploy AI tools in days, but the governance frameworks around those tools take months, and sometimes never materialize at all. The result is the "governance gap": a growing distance between how fast organizations deploy AI and how slowly they establish the policies, controls, and oversight needed to manage the risks.
What auditors are finding
I've had multiple clients ask me: "How do we even start with AI compliance?" They tell me that they're using AI-powered tools across their operations, in functions ranging from code generation to customer support to data analysis. However, when I ask about their governance framework, the answer is usually along the lines of: "We're working on it" (they haven't started), "Our acceptable use policy covers it" (it almost certainly doesn't), or "We didn't realize we needed one" (more common than you'd think).
While this may seem surprising, it reflects the fact that many infosec leaders still don’t fully understand the compliance impact of AI usage within their organizations. According to recent research from the Cloud Security Alliance (CSA), 82% of organizations discovered at least one AI agent or autonomous workflow in the past year that was created without the knowledge of security, IT, or governance teams.
Why traditional frameworks don't cover AI (yet)
The most established frameworks, such as SOC 2, ISO 27001, and HIPAA, weren't designed with AI workflows in mind. While SOC 2's Trust Services Criteria can be applied to AI systems, they don't specifically address AI's unique risks, such as model bias, hallucination, training data governance, or autonomous decision-making. Similarly, ISO 27001's Annex A controls don't explicitly cover machine learning model lifecycle management, and HIPAA's rules weren't written for scenarios where an AI system might infer PHI from non-PHI data.
This doesn't mean these frameworks are useless for AI governance. What it does mean is that compliance teams need to intentionally extend their existing controls to cover these AI-specific risks, rather than assuming their current program has it handled.
A practical framework for closing the gap
Based on what I've seen work across a number of engagements, successfully closing the gap can be distilled into five steps:
Step 1: Know what AI tools and workflows you're actually using
You can't govern what you can't see. Most organizations are surprised by how many AI tools are already embedded in their workflows. Beyond the obvious ones like ChatGPT, Claude, Gemini and Copilot, AI workflows are built into a large number of business applications, from CRM platforms and code editors, to HR tools and analytics dashboards.
Document what's in use, who approved it, what data flows through it, and which tools were shadow adopted by individual teams.
Step 2: Extend your acceptable use policy
Most organizations have a general acceptable use policy. Very few have one that specifically addresses AI.
A good AI-era AUP should cover which AI tools are approved, what data can and cannot be entered, requirements for human review of AI outputs, prohibited use cases, and guidelines for disclosing AI use to customers when relevant. This isn't about banning AI; it's about implementing guardrails that let your team use it productively.
Step 3: Map AI risks to your existing controls
If you're already SOC 2-compliant, you have a control library. The question is whether those controls adequately address the AI-specific risks:
- Security (CC6, CC7): Do your access controls extend to AI tools? Who has access, how are API keys managed, and are AI tools in your vulnerability management scope?
- Confidentiality (C1): Data classification covering AI prompts, AI-generated outputs, and training data.
- Processing Integrity (PI1): Verification of AI output accuracy, especially where AI supports business decisions.
- Privacy (P1-P8): Consent, data minimization, and individual rights applied to AI contexts.
Step 4: Build AI into your evidence collection
Auditors will want to see your AI inventory and risk assessment, your AI acceptable use policy with evidence of training, access controls and logs for AI tools, data flow documentation, and incident response procedures that account for AI-specific incidents. Create dedicated evidence streams for AI governance.
Step 5: Train your people
Policy without education is theater. Cover what AI tools are approved, what data should never be entered, how to report AI-related incidents, and how AI governance connects to broader compliance obligations. This should be documented and recurring, not a one-time slide deck.
What is considered reasonable AI governance
Infosec practitioners should also be aware of what's expected of them in terms of AI governance. Reasonable AI governance generally includes:
- Intentional governance, not reactive responses. Controls around AI that show you thought about AI risks proactively.
- Consistency between policy and practice. If your policy says "no customer data in AI tools" but your support team uses an AI chatbot that processes customer conversations, that's a clear non-compliance case.
- Risk-appropriate controls. A company using AI for internal code review has different risks than one using AI for lending decisions. Controls should be proportionate.
If a business leader makes any of the following statements, treat them with a significant amount of skepticism, because each suggests a lack of internal oversight: "We don't use AI" (you almost certainly do), "Our existing controls cover it" (without documented analysis), or "We'll get to it next year" (the governance gap is a current risk).
The opportunity ahead
The AI governance gap is real and growing, but for compliance teams that move now, it's an opportunity to differentiate. The companies that treated compliance as a checkbox are struggling most with AI governance. The companies that built genuine compliance cultures are extending their programs to cover AI most effectively.
At Thoropass, we're helping organizations close the governance gap by combining AI-powered audit automation with experienced auditors who understand the evolving risk landscape. Because the answer to AI compliance risk isn't less technology, it's smarter governance.