Key Takeaways
- EY 2025 found 18% of CEOs report strong AI fairness controls vs. 33% C-suite average. The most senior view is the most accurate.
- 75% of firms have AI policies, 59% have governance roles, fewer than 25% have operational controls. The bottom row is what regulators inspect.
- The Governance Gap Stack (Principles, Policies, Roles, Operational Controls) is the picture every board deck needs.
- EU AI Act Article 4 has been live since Feb 2, 2025; Article 6 high-risk obligations land Dec 2, 2027 (deferred from Aug 2, 2026 under the Digital Omnibus; provisional). Article 99 caps fines at €35M or 7% of global turnover.
- Three moves close the gap this quarter: inventory by system, name accountable executives, run a 30-minute tabletop drill.
Most boards have been told their company has AI governance. What they actually have is a document.
The stat that should keep boards awake
In August 2025, EY published the result it buried on page two: only 18% of CEOs say their organization has strong controls for AI fairness and bias, against a broader C-suite average of 33%. The survey ran across 21 countries, 975 senior executives, every firm above one billion dollars in revenue. It is the cleanest read we have on what the people with signing authority actually believe about their own controls. (One scoping note: this article is calibrated for $1B+ enterprises and any firm scoped under the EU AI Act, UAE PDPL, or sectoral AI rules. A 200-person SaaS startup has different exposure and a lighter prescription.)
Read that gap again. The CEO — the person who carries the legal and reputational weight of every system the company ships — sees nearly half the control coverage that their direct reports describe. The CIO is confident. The Chief Risk Officer is confident. The CEO is not. The senior view is the one closer to the legal and reputational consequence — closer to the regulator, closer to the journalist, closer to the lawsuit. They are pricing the risk the rest of the C-suite has not yet been forced to.
This is happening while the EU AI Act's Article 4 obligation on AI literacy has been enforceable since February 2, 2025. The regulatory floor has already moved. The 18% number is not a forecast. It is a measurement of where most large enterprises are standing today, fifteen months into a binding regime.
Why "we have a policy" is the wrong answer
When a board hears about AI risk, the reflex question is: do we have a policy? The answer is almost always yes. The 2025 Pacific AI Governance Survey of 351 organizations found that 75% have written AI policies, 59% have a designated AI governance role, and only 54% have an incident response playbook for an AI failure. The cascade is the story. Each step down the funnel loses people, and the steps that matter operationally are at the bottom.
A policy is a sentence. A role is a person. A playbook is a rehearsal. Regulators, plaintiffs, and journalists do not read your policy. They watch what happens in the forty-eight hours after a model misbehaves in production. The right board question is not whether a policy exists. The right board question is: when something goes wrong with one of our AI systems, who has the authority to stop it, and have they ever practised doing so?
If the room cannot name that person inside ten seconds, the policy is decorative.
“Policy is the floor. Control is the ceiling. Most firms have built neither.”
The Governance Gap Stack
I have started calling the pattern the Governance Gap Stack (a framework I use with clients) — four rows, each narrower than the one above. It is the picture I now draw on every board deck.
Each row is narrower than the one above. The bottom row is where regulators look.

| Row | What it is | How many have it (2025) | What regulators look for | What building it takes |
|---|---|---|---|---|
| Row 1: Principles | A published statement that AI ethics matters. | ~79% of executives endorse it (IBM IBV). | Nothing. This is table stakes. | Comms exercise |
| Row 2: Policies | A written internal AI use policy. | ~75% of organizations (Pacific AI 2025). | Existence, version control, board sign-off. | Legal exercise |
| Row 3: Roles | A named, accountable AI governance owner. | ~59% (Pacific AI 2025). | Reporting line, authority to halt deployment, training record. | Org-design decision |
| Row 4: Operational controls | Live monitoring, kill-switches, incident drills, fairness testing in production. | 18–25% (EY / IBM IBV). | Evidence. Logs. Dated drill records. Named human in the loop. | Engineering, drills, on-call and budget: where regulators look, and where the cost lives |
Two surveys with different instruments and different samples — EY's CEO-reported fairness controls at 18%, IBM's operationalized-ethics measure under 25% — converge on the same bottom-row reading. The four-row stack above is an illustrative pattern, not a single-instrument funnel; the load-bearing claim is the convergence at Row 4 from two independent methodologies. Roughly four in five enterprises live in the top three rows of the stack and have not built the bottom one.
The bottom row is where regulators look. Everything above it is preamble.
This is also where the cost lives. Building Row 1 is a comms exercise. Building Row 2 is a legal exercise. Building Row 3 is an org-design decision. Building Row 4 is engineering, training, drills, on-call rotation, change management, and budget — every quarter, forever. The reason 75% of firms stop at Row 2 is not ignorance. It is that Row 4 is the only row that costs real money.
Why the gap is widening, not closing
Two independent reads, same direction. McKinsey's State of AI 2025 puts the average enterprise responsible-AI maturity at 2.0 on a 4-point scale — the midpoint, where most firms have written intent but not embedded practice. Stanford HAI's 2025 AI Index records a sharp year-over-year rise in publicly logged AI incidents.
Deployment is sprinting. Governance is walking. The scissor-cut compounds every quarter that gap stays open, because every new model deployed without a controls layer adds to the inventory of systems that would fail an audit tomorrow. A firm that stays at Row 2 for another year does not stand still — its exposure grows in proportion to how many AI systems it has shipped in the meantime.
The EU AI Act forcing function
The reason this has stopped being theoretical: the calendar has moved.
Article 4 of the EU AI Act — the AI literacy obligation on providers and deployers — has been enforceable since February 2, 2025. Article 5, the prohibited-practices regime, took effect the same day. These are live. Any enterprise operating in or selling into the EU is already inside the enforcement window for these provisions.
The next milestone still belongs on the board calendar. The high-risk system obligations under Article 6 and onward take effect on December 2, 2027 (deferred from August 2, 2026 under the Digital Omnibus; provisional pending formal adoption in the EU Official Journal). For any system that scores high-risk under Annex III — credit decisioning, hiring, biometric ID, critical infrastructure, education access, and several more — the obligations cover risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness, and cybersecurity.
The penalty curve is no longer hypothetical. Article 99 of the AI Act caps fines at €35M or 7% of global annual turnover for prohibited-practice violations, and €15M or 3% for most other obligations — whichever is higher. For comparison, GDPR's enforcement curve produced over €5.88 billion in cumulative fines from a similar starting position. This is the number boards need to put against the cost of staying at Row 2.
The 18-month enforcement window
EU AI Act key dates against where the EY measurement was taken:

- 2 February 2025: EU AI Act Article 4 (AI literacy) and Article 5 (prohibited practices) enforceable. Regulatory floor moves.
- 13 August 2025: EY Responsible AI Pulse Survey published. 18% of CEOs report strong AI fairness controls vs. 33% C-suite average.
- 2 May 2026 (today): Most large enterprises sit at Row 2 of the Governance Gap Stack, with the next high-risk enforcement milestone now set for December 2, 2027.
- 2 December 2027: Article 6 high-risk system obligations take effect, deferred from August 2, 2026 under the Digital Omnibus (provisional pending formal adoption in the EU Official Journal). Risk management, data governance, technical documentation, logging, human oversight, accuracy, robustness, cybersecurity. Fines up to €35M or 7% of global turnover under Article 99.
This is a date that belongs in board minutes, not in a horizon scan. A firm at Row 2 of the Gap Stack on December 2, 2027 is not non-compliant by accident. It is non-compliant by choice.
Closing the gap in 90 days
The good news, and the reason I keep writing this article in different forms: the bottom row is not expensive to start. It is expensive to finish. The first ninety days of operational control work cost less than most enterprises spend on a single quarter of AI tooling licenses. The framework I use with clients is what I call Minimum Viable Governance — the smallest set of controls that move a firm from Row 2 to a credible Row 4 on its highest-risk systems.
Three concrete moves a board can authorize this quarter:
1. Inventory by system, not by policy. Stop asking "do we have an AI policy?" Start asking "list every AI system in production, who owns it, what decision it influences, and which row of the Gap Stack it actually sits at." Most firms discover the inventory itself does not exist. That is the first finding.
2. Designate one accountable executive per high-risk system, and document the escalation chain to them. Name, role, scope of authority. In a regulated firm, the executive will not act alone — they will trigger an existing change-control or model-risk-management process. The point is that the chain is documented, named, and known to the board, not improvised at the moment of incident. This single act moves a system from Row 2 to Row 3.
3. Run a 30-minute tabletop drill on one production AI system. Pick the highest-stakes one. Walk a simulated failure on paper, with the named executive, legal, comms, and the technical owner in the room. Measure three numbers: time to stop the system (in principle), time to escalate to a named executive (in practice), time to a holding statement that legal and comms can both sign. A first drill usually exposes that one of those three numbers is "we don't know." Tabletop, not production — no operational risk; the same insight surfaces.
Each move costs under one hundred thousand dirhams (about USD 27,000) and under two weeks. None of them require buying software. All three are reportable to the audit committee at the next meeting.
The board's three questions
If you are a board chair or audit committee member, you should be able to answer these three in one sentence each. If you cannot, the gap in your firm is bigger than the 82% headline.
- Which AI systems in this company would trigger Article 18 of the UAE PDPL or Article 6 of the EU AI Act if challenged tomorrow?
- Who is the named human accountable for the highest-stakes one, and have they ever stopped it?
- If the gap behind that 18% figure closed by half this year, what would change in our risk posture, and what would it cost?
The third question is the one that separates governance theatre from governance practice. A firm that cannot price the answer has not done the work.
“79% of executives say AI ethics matters. Fewer than 25% have made it operational. The gap is the story.”
Eighteen per cent is not a number to argue with. It is a mirror. The CEOs in the EY sample are not pessimists. They are the only people in the room who have read the indemnity clauses, sat through the regulator briefing, and watched a competitor's incident move a share price. They are telling us, in the most diplomatic language a survey instrument allows, that the controls are not there yet.
Policy is not control. The next twelve months will sort the firms that learned the difference from the firms that did not.
Sources: EY Responsible AI Pulse Survey (Aug 2025, n=975 C-suite, 21 countries, $1B+ revenue); IBM Institute for Business Value AI ethics research; Pacific AI 2025 Governance Survey (n=351); McKinsey State of AI 2025; Stanford HAI 2025 AI Index; EU AI Act (Regulation 2024/1689) primary text. Every statistic in this article is linked to its primary source.
Ajay Pundhir is the founder of AI Exponent LLC and writes at AskAjay.ai. He advises boards and C-suite teams on making AI governance operational rather than ornamental.
Senior AI strategist helping leaders make AI real across four continents. Forbes Technology Council member, IEEE Senior Member.
Ajay's views, from 15 years in the field. Not legal or compliance advice. See full disclaimers.
Published by AI Exponent LLC