Based on 249 in-depth interviews with business and IT leaders, the research points to a clear shift: organizations have largely moved beyond debating whether AI matters and are now working out how to deploy it under control.
Organizations are not hesitating on AI because they doubt its value; they are advancing through a managed experimentation phase shaped by control. Nearly all respondents see AI through an opportunity lens, with 50% taking a balanced opportunity-with-risk stance and 44% leaning clearly opportunity-first. But that ambition meets immediate constraint: 94% described strict sensitive-data boundaries, making the first question not whether to use AI, but where it can be used safely.
This leads to a governance drag pattern. AI approval is formalized, with 50% using committee-led or moderately centralized models, and adoption often slows under bureaucracy and proof demands, as 37% reported approval-driven delays. In response, organizations rely on human accountability as the operating answer: 46% require mandatory human review with a named owner. The implication is clear: the next step is not weaker governance, but repeatable controls and lighter approval paths that let proven use cases scale faster.
They are overwhelmingly optimistic, but cautious. 50% take a balanced opportunity-with-risk stance, 44% are clearly opportunity-first, and only 6% approach AI from a primarily risk-first posture.
Formal process friction is the most common barrier. 37% said adoption is slowed by bureaucratic approvals, and another 35% said progress stalls while teams prove business value, train users, or educate stakeholders.
The most established controls are data boundaries and human oversight. 94% discussed sensitive-data restrictions, and 46% said AI outputs require mandatory human review with a named accountable owner.
Approval is usually formal and centralized. 50% described committee-led or moderately centralized approval, while another 40% reported a centralized multi-step process ending in executive or CIO sign-off. Only 6% have lightweight or manager-led pathways.
The findings suggest many organizations are in a managed experimentation stage rather than broad, free-form adoption. Leaders see clear value in AI, but use is typically permitted only within strict data boundaries, formal approval models, and human accountability structures.
Because the data shows enterprise buyers now treat AI features as governance decisions, not just product decisions. Vendors selling AI-powered SaaS face longer, committee-led procurement, strict sensitive-data controls (94%), and customer expectations of named human-review owners (46%). Winning vendors will package governance evidence — data-handling guarantees, audit logs, human-in-the-loop options, and clear accountability documentation — alongside product capability.
Sensitive-data protections are the most consistently established part of the current AI operating model. Organizations are largely deciding where AI is permissible by drawing hard lines around public model use.
Half of respondents frame AI as both an opportunity and a risk to be managed, signaling that adoption is being pursued deliberately rather than avoided.
More than one-third described AI adoption as slow because of bureaucratic approvals, showing that governance design is now a major determinant of deployment speed.
Mandatory human review with a named owner is the clearest mechanism organizations use to make AI acceptable within existing risk constraints.
Enterprise buyers have stopped evaluating AI features in isolation. They evaluate them against a governance bar. For SaaS vendors, that changes how AI capability gets bought, deployed, and renewed.
94% of buyers enforce strict prohibitions on sensitive data in public LLMs, and AI features are now evaluated against a governance bar, not in isolation. Vendors who cannot clearly answer where customer data goes, how it is isolated from public models, and which controls are technically enforced get filtered out before the demo.
Lead with data-isolation guarantees — surface tenancy architecture, SOC attestations, and enforcement controls as self-serve evidence, not as artifacts requested late in procurement.
50% of organizations approve AI tools through review committees and another 40% require centralized multi-step sign-off ending with a CIO or executive. That means 90% of deals run through security, legal, risk, and procurement reviewers — not the product champion alone.
Package security questionnaires, compliance attestations, and risk artifacts as standard sales collateral that equips the champion to win internal approval without needing a vendor call.
46% of organizations cite mandatory human review with a named accountable owner as their top risk control. Buyers want AI that fits inside existing accountability structures, not autonomous systems that bypass them.
Surface review queues, audit trails, and named-owner workflows as first-class product features — accountability is a buying criterion, not a compliance afterthought.
37% of buyers cite bureaucratic approvals as their primary adoption bottleneck and another 35% stall on proving value. The market is past pilots — the blocker is approval velocity, not skepticism about AI.
Pre-package ROI evidence, reference deployments, and lightweight pilot-to-scale playbooks so customers move from approved to actually used without another internal sales cycle.
Organizations overwhelmingly frame AI through a value lens, with roughly half, 50%, taking a balanced opportunity-with-risk stance and another 44% leaning clearly opportunity-first. Just 6% adopt a risk-first posture, indicating that most leaders see AI as strategically important even when they remain cautious about deployment.
The split suggests AI is moving from experimentation into governed adoption. Opportunity-first respondents emphasize productivity, efficiency, and new products, while the balanced majority pairs those gains with guardrails around governance, privacy, and sensitive data use. In practice, organizations are not rejecting AI, they are trying to scale it responsibly and embed it into company strategy.
AI is overwhelmingly seen as opportunity: 87% take an opportunity-first posture overall, including 28% with a strong opportunity-first stance and 59% with a pragmatic opportunity-first view
Risk tempers optimism for many organizations: 50% describe their stance as balancing opportunity with risk, even as 81% say they are opportunity-first but risk-aware
Purely risk-led views remain a small minority: just 6% take a risk-first posture, matched by another 6% with an evenly balanced opportunity-and-risk view, while only 5% show a limited or early opportunity posture
Lead with value-led, risk-governed go-to-market execution: package AI offerings around measurable business outcomes, while embedding governance, security, and compliance into the core proposition rather than treating them as add-ons. Segment messaging for the 87% who are opportunity-first by emphasizing speed, productivity, and competitive advantage, and equip sales with proof points, pilots, and ROI models. Reserve more assurance-heavy pricing, controls, and implementation support for the smaller risk-first segment.
“So generative AI is viewed I would say, both as an opportunity and a risk. I believe that must be actively managed, but the stronger emphasis on responsible acceleration rather than avoidance. So our company encourages our teams to move quickly where we think the generative AI can bring productivity in insights, decision support.”
“Both. So it is an opportunity to move faster and encourage employees to leverage AI to the best of their ability to make their roles more efficient given that they understand the requirements. However, this also presents a risk given that you really shouldn't be training a large language model with sensitive customer information.”
Sensitive data boundaries are a near-universal control point, cited by 94% of respondents. Roughly half described an outright ban on entering proprietary code, customer data, or employee PII into public LLMs, while 35% said use is limited to internal or approved tools with monitoring and access controls. Only 15% allow conditional use through policy and redaction.
Organizations are drawing the hardest line around public models, but they vary in how they enable AI safely. About one-third rely on approved environments, blocking, and identity-based permissions, while a smaller group permits limited use if identifiable information is removed. In practice, this creates a tiered model: public tools are restricted, internal tools are governed, and redaction acts as the exception path.
Sensitive data rules dominate public LLM use: 94% discussed sensitive data boundaries and protection controls, showing that data protection is the defining constraint on public AI adoption
Most organizations draw a hard line: 64% report strict prohibition on putting sensitive data into public or unapproved AI, while only 18% allow use with redaction or narrow exceptions
Enforcement is mainly technical, not just advisory: 70% rely on technical blocking and IT-enforced controls, far exceeding the 23% that depend primarily on policy, training, and redaction and the 4% using internal-only safe environments
Lead with security-first deployment: package offerings around enterprise controls, redaction workflows, and approved internal environments rather than open public LLM access. Prioritize integrations with DLP, identity, logging, and admin policy enforcement, and position public-model use only for low-risk, non-sensitive tasks. Price and message by governance tier—technical blocking, auditability, and compliance readiness as core value—because advisory guidance alone will not meet buyer requirements.
“It is prohibited according to our policy to put any proprietary code or personal data in the public LLMs.”
“However, because my organization and the industry itself deals with protected health information and medical decision making and clinical decisions and documentation. The adoption of AI is a little bit slower to ensure privacy and protection of that data. And patient safety.”
“Then there's the legal and compliance review, which looks at things like IP ownership, liability, audit rights, and contractual risk.”
Committee-led governance is the dominant AI approval model, cited by 50% of respondents, while another 40% describe a centralized, multi-step process that still culminates in executive or CIO sign-off. Together, this shows that formal oversight is the norm, with only 6% reporting lightweight or manager-led approval pathways.
These structures typically combine cross-functional review with concentrated final authority. In practice, committees and stakeholder forums handle legal, security, procurement, and responsible AI checks, while senior executives retain veto power in many organizations. The result is broad risk screening up front, but with final decisions often centralized at the top.
Committees lead most AI approvals: 55% describe a multi-stage, multi-stakeholder review chain and another 27% say approvals are led by a committee or central AI or technology team
CIOs still hold the final call: despite committee-led processes dominating, 15% report a single central approver or veto, reinforcing that final sign-off often stays centralized with top technology leadership
Formal governance outweighs informal intake: 64% use a structured intake with limited escalation, compared with 14% using lightweight ticket or manager or procurement routes and just 2% relying on informal, ad hoc discovery-led paths
Design AI sales and rollout motions for committee-based buying, then equip CIOs with a concise final-approval case. Package offerings with security, legal, procurement, and ROI documentation upfront; map messaging to each reviewer while reserving executive briefs for CIO sign-off. Price with phased pilots, governance add-ons, and enterprise controls that fit structured intake processes. Prioritize repeatable approval kits over ad hoc demos, since informal pathways are rare and most decisions move through formal multi-stage review.
“And then as a network and identity layer, access through AI services is controlled through SSO, CASB, secure web gateways. And then at the endpoints and application layer, we use DLP and endpoint controls.”
“We educate to only use those that have been approved. We have an AI usage policy, which everyone has had to adhere to. So we don't have any auditing or technical ability to block, but we do it all through policy and education.”
“Well, essentially, they're blocked. So, as the AI policy speaks to what is allowed, everything is explicitly denied at that point. So if it's not on the approved list, they don't have access to it, and it simply gets blocked.”
Adoption is most often slowed by formal approvals, with 37% describing a bureaucratic, approval-driven path. Another 35% said progress stalls while teams prove business value, train users, or educate stakeholders. By comparison, only 28% reported relatively fast adoption with moderate governance, making friction the more common experience.
The biggest bottlenecks combine governance rigor with organizational confidence gaps. In practice, some teams wait six to eight months just for approvals, while others face ten to eleven months or even up to two years to go live. Faster adoption tends to be limited to lower-risk tools, whereas higher-risk use cases trigger broader stakeholder reviews and stronger demands for value justification.
Approvals are the core adoption bottleneck: 37% say adoption is slow and driven by bureaucratic approvals, and 43% face approval cycles stretching from several months to a year versus just 19% seeing decisions in days to weeks
Validation demands persist after approval: 88% still encounter testing, privacy, and evidence-validation friction once tools are approved, while only 3% report low-friction experimentation
Most organizations sit in governed middle ground: 35% move through a moderated 1 to 3 month approval cycle, showing that even outside the longest delays, structured oversight remains the norm
Build the go-to-market around enterprise proof, not product discovery: package pre-approved security, privacy, and compliance artifacts; offer pilot-to-production plans with clear success metrics and ROI benchmarks; and price with low-risk entry options tied to staged expansion. Equip sales to navigate 1–12 month approval paths with procurement-ready documentation, while customer success leads structured validation, training, and stakeholder education to convert approval into rollout and shorten time to value.
“We have a change initiation forum which is made up of multiple stakeholders that all have to review and sign off on a new tool. Those stakeholders include our responsible AI group, legal, procurement, compliance, IT security, information security, and architecture.”
“So it starts with use case sponsorship. Which is essentially a business owner defines the problem, the expected impact, and the success metrics. Then we have a data and security review, which is usually led by infosec or data governance.”
“Obviously, there's the business that identifies the need and the potential solutions for that. That initial assessment then gets brought to architecture. Architecture does a preliminary review around risk and compliance.”
Mandatory human review is the dominant accountability model, with 46% of respondents saying AI outputs require review by a person and a named owner. By contrast, 25% described accountability structures that remain unclear or rely on ad hoc enforcement, while 15% pointed to shared accountability with some enforcement mechanisms.
This pattern suggests organizations are prioritizing human sign-off over fully automated control, but governance maturity still varies widely. The clearest approaches assign responsibility to a specific executive or business owner; weaker models depend on reacting to problems after they surface, creating uneven oversight and greater implementation risk.
Mandatory human review is the default anchor: 46% describe a model with mandatory human review and a named accountable owner, while 68% report structured human review and formal pre-deployment gating overall
Oversight is stronger than ownership clarity: 68% have structured human review and formal gating, but only 35% pair that with a clear accountable owner and active enforcement
Accountability is often shared, not singular: 45% rely on shared or distributed accountability with some enforcement, compared with 35% that have clear single-owner accountability and 20% with weak or untested accountability and enforcement
Package governance around mandatory human review, but operationalize accountability as a progression rather than an assumption. Lead with approval workflows, pre-deployment gates, audit trails, and role-based controls, then add clear owner designation, escalation paths, and misuse enforcement mechanisms for customers with distributed governance. Price and position higher-tier offerings around policy orchestration, decision logging, and accountability reporting, since many organizations have oversight in place but still lack singular, enforceable ownership.
“Finally, we do the human accountability test. So there must be a named owner who's willing to stand behind the system. Essentially.”
“So, ultimately, accountability stays with the business owner of the process, not the AI model or the vendor. AI is treated as a tool internally so ownership remains with the function that approved it.”
“So the governance steering committee has got very strict kind of responsibility matrix, and they are responsible ultimately for how the tools are being used. Also about the outcome. Or the risks.”
Explore more insights from our research library.
G2 Research study of 249 enterprise interviews on AI governance: 94% enforce sensitive-data boundaries, 50% use committee-led approval, 37% report bureaucratic delays, and 46% require mandatory human review.
How sales and marketing leaders are adopting AI across their workflows, revealing patterns in maturity, automation boundaries, and human-AI collaboration.
How 110 software organizations are navigating AI pricing, packaging, and cost recovery — revealing a market where AI is strategically non-negotiable but commercial maturity still lags, 48% of teams are investing without profitability, and hybrid packaging has become the default as value shifts toward embedded workflows and outcomes.
