Corporate AI Governance

State of play.

• Shadow AI is the dominant corporate governance failure mode. A 2025 Gartner survey found 69% of organizations suspect or have confirmed prohibited generative AI use; separate research puts the figure at 98% when accounting for all unsanctioned applications, with 68% of users actively concealing the practice from employers (→ Unintentional AI Adoption Is Already Inside Your Company. The Only Question Is Whether You Know It.).
• Enterprise AI pilots are failing at scale, creating a governance gap between claimed and actual deployment. MIT's NANDA initiative found 95% of enterprise generative AI pilots fail to reach production or deliver measurable results, with over $30 billion invested since late 2022 and minimal business transformation to show for it .
• ISO/IEC 42001 certification is emerging as a market-differentiating governance signal. Willkie Farr has achieved the standard—among the first global law firms to do so—following KPMG International's certification in December 2025, and clients may begin requesting it as an engagement condition .
• OpenAI's CEO conflict-of-interest posture is a live pre-IPO governance issue. Altman's requests that OpenAI invest in companies where he holds substantial personal stakes—including a proposed $500 million investment in Helion Energy—have sharpened board scrutiny of related-party transactions ahead of a planned 2026 IPO .
• For counsel advising corporate clients on AI governance, the practical baseline is that shadow AI exposure is not hypothetical—it is already inside the organization—and the gap between pilot claims and production reality means vendor contract representations and internal governance frameworks both warrant independent scrutiny.

Where things stand.

• Shadow AI is endemic and spans the organizational hierarchy. A 2025 Gartner survey found 69% of organizations suspect or have confirmed prohibited generative AI tool use; 93% of executives report using unauthorized AI, with C-suite and SVP-level employees largely unconcerned about the practice (→ Unintentional AI Adoption Is Already Inside Your Company. The Only Question Is Whether You Know It.). One-third of employees admit sharing enterprise research or datasets through unsanctioned tools, 27% have exposed employee data, and 23% have input company financial information into these platforms (→ Unintentional AI Adoption Is Already Inside Your Company. The Only Question Is Whether You Know It.).
• Enterprise pilot failure is structural, not incidental. MIT's NANDA initiative documented that LLMs lack the persistent memory, workflow integration, and adaptive capacity that organizational operations require—explaining why 95% of pilots fail to reach production . This creates a specific advisory angle: AI-driven process claims in vendor contracts warrant skepticism, and governance frameworks built around pilot-stage assumptions may not survive production scrutiny.
• ISO/IEC 42001 is becoming the reference standard for AI management systems. Released in 2023 as the first formal AI management system standard, it covers third-party risk evaluation, internal policies, staff training, and lifecycle oversight. KPMG International and Willkie Farr are among early adopters; whether it becomes a client-facing requirement is the open question .
• AI-native business model transformation is generating new governance architecture. ServiceNow's pivot to an AI-centered business model—including an "AI Control Tower" for agentic AI oversight—signals that enterprise software vendors are building governance tooling into their platforms, which will affect how clients structure AI oversight obligations in procurement contracts .
• Compliance program design is shifting from rule-following to judgment-based frameworks. Practitioner commentary argues that future-ready compliance programs must emphasize adaptive judgment over predictive rule sets, with boards playing a more active role in ethics and compliance oversight .
• Governance-as-competitive-advantage framing is gaining traction in practitioner literature. DLA Piper's published guide positions proactive governance frameworks as tools for risk management, resource allocation, and stakeholder trust—a framing that aligns with how boards and investors are beginning to evaluate organizational resilience .
• AI developer conflict-of-interest governance is a pre-IPO pressure point. OpenAI's board has flagged CEO transparency concerns before; the Altman-Helion situation repeats the pattern with higher stakes as the company approaches public markets .

Latest developments.

• MIT NANDA initiative documents 95% enterprise generative AI pilot failure rate across 150 executive interviews and 300 public deployments, identifying structural LLM limitations as the root cause
• Shadow AI prevalence documented at scale: 69% of organizations confirm or suspect prohibited tool use; 68% of users actively conceal it; one-third have shared enterprise datasets through unsanctioned platforms (→ Unintentional AI Adoption Is Already Inside Your Company. The Only Question Is Whether You Know It.)
• Willkie Farr achieves ISO/IEC 42001 certification, joining KPMG International as an early adopter of the first formal AI management system standard
• Altman conflict-of-interest disclosures surface ahead of OpenAI's planned 2026 IPO, including a proposed $500 million OpenAI investment in Helion Energy where Altman holds a $375 million personal stake
• ServiceNow CEO publicly builds AI-centered business model with "AI Control Tower" governance architecture for agentic AI oversight
• Practitioner commentary argues compliance programs must shift from predictive rule-following to judgment-based frameworks with expanded board engagement
• DLA Piper publishes governance-as-competitive-advantage guide positioning compliance infrastructure as a strategic differentiator

Active questions and open splits.

• What does adequate shadow AI governance look like, and when does the absence of it become a regulatory violation? The data breach, HIPAA, and financial services exposure from unsanctioned tool use is documented—but no regulator has yet defined a minimum visibility or monitoring standard that satisfies duty of care (→ Unintentional AI Adoption Is Already Inside Your Company. The Only Question Is Whether You Know It.).
• How should vendor AI performance representations be drafted and enforced given a 95% pilot failure rate? The MIT NANDA findings create a specific due-diligence obligation: representations about AI-driven process transformation in vendor contracts and investment materials may not survive scrutiny if the underlying deployment never reaches production .
• Will ISO/IEC 42001 become a client-facing requirement or remain a voluntary differentiator? The certification trajectory—KPMG, then Willkie—suggests professional services firms are moving toward it proactively, but whether clients begin conditioning engagements on it, or regulators reference it as a safe harbor, is unresolved .
• How should boards structure related-party transaction oversight for AI developer CEOs whose personal investment portfolios overlap with company infrastructure needs? The Altman-Helion pattern—where personal investments align with corporate procurement decisions—is not unique to OpenAI and will recur as AI infrastructure spending scales .
• Does the shift to agentic AI and embedded AI systems require a new governance architecture, or can existing compliance frameworks be adapted? ServiceNow's "AI Control Tower" model suggests vendors are building governance tooling into platforms—but whether that satisfies board-level oversight obligations or merely shifts accountability downstream is an open question .
• What evidentiary weight will regulators and courts give to ISO/IEC 42001 certification in enforcement actions? The standard is new enough that no enforcement body has formally referenced it as a compliance benchmark, leaving its legal significance undefined .

What to watch.

• Whether any regulator—SEC, FTC, state AG, or sector-specific agency—references ISO/IEC 42001 as a benchmark or safe harbor in an enforcement action or guidance document.
• OpenAI's IPO-related disclosures on related-party transactions and conflict-of-interest policies, which will set a market reference point for AI developer governance.
• Whether shadow AI enforcement actions materialize in regulated industries—healthcare or financial services are the most exposed sectors given documented data-sharing behavior.
• Vendor contract disputes arising from AI pilot failures, which would test whether "AI-driven transformation" representations constitute actionable misrepresentation.
• Whether agentic AI deployments generate the first board-level governance failures—situations where autonomous AI actions create liability that existing oversight structures did not anticipate.