The real AI governance gap isn’t missing regulation. It’s missing literacy.
Originally published in CIO, October 2025.
A recurring talking point in enterprise AI conversations is that regulation is holding back adoption. The framing is appealing and almost entirely wrong. Regulated industries already sit inside frameworks (HIPAA, GDPR, SOX, the EU AI Act, CCPA) that govern how AI can be deployed against existing data. The slower half of organizations aren’t stuck on a missing rule. They’re stuck on AI literacy: the ability of legal, compliance, and business leaders to reason about how AI systems actually work, what they’re allowed to do under existing law, and what risks genuinely apply. That’s a gap new regulations cannot close.
What “waiting for regulation” really means
Two things get collapsed together when people say AI adoption is blocked by the regulatory environment.
The first is genuine legal uncertainty in specific areas: training data rights, liability allocation when an autonomous agent causes harm, whether a given AI output counts as a medical device under FDA software-as-a-medical-device rules. These are real and unresolved questions. Legal and policy work will resolve them, and organizations operating in those areas have to make risk-weighted calls in the meantime.
The second is organizations hesitating to deploy AI against use cases where the legal framework is, in fact, clear. A health system debating whether a clinical NLP pipeline can extract diagnoses from progress notes is not blocked by regulatory uncertainty. HIPAA’s framework for using PHI in operations and treatment covers it. A financial services firm using an LLM to summarize internal policy documents is not waiting on a new law. A pharma RWE team using de-identified clinical narratives for cohort selection is operating inside a 25-year-old compliance framework that is well understood.
The second category is where the literacy gap sits. It looks like regulatory caution. It is usually something else.
Where the literacy gap actually shows up
Gradient Flow’s 2025 AI Governance Survey, presented in a webinar John Snow Labs co-hosted with Ben Lorica last year, put specific numbers on where organizations actually stand. About 59% of participating organizations reported having a formal AI governance role or office. Roughly 65% conducted annual AI safety or literacy training (79% in mid-sized firms, 59% in large organizations, and 41% in smaller ones). The gap between organizations with written AI usage policies (75%) and those with actual incident response playbooks or dedicated governance roles (under 60%) is where the operational risk concentrates.
The CIO survey findings I wrote about earlier in 2025 were consistent: 45% of respondents cited speed-to-market pressure as the primary obstacle to better governance, rising to 56% among technical leaders. Small firms remain the most exposed: only 14% report familiarity with the NIST AI Risk Management Framework, even as the same firms build and deploy systems that could create enterprise-wide liability for their partners and customers.
None of these gaps are addressed by new regulation. They’re addressed by training, role clarity, and governance infrastructure.
What “AI literacy” means in a governance context
AI literacy at the executive and compliance level is not about knowing how a transformer works. It is about four practical competencies.
First, understanding which existing frameworks apply. A clinical NLP pipeline at a US health system is governed by HIPAA, the 21st Century Cures Act information-blocking rules, and, if the organization operates in California, CMIA and the newer California AI laws that took effect in early 2026. A pharma AI model used for signal detection in pharmacovigilance is governed by FDA and EMA guidance on real-world data, the International Council for Harmonisation’s E2B standards, and 21 CFR Part 11 for electronic records. Literacy is knowing which of these apply before a project starts, not after.
Second, understanding where model behavior creates novel risk versus where it doesn’t. A retrieval-augmented generation system that summarizes policy documents creates different risk than an autonomous agent making account changes. The first is primarily a hallucination and attribution problem. The second is a transaction-authority problem. Treating them identically, either as “AI” in the abstract or with the same governance controls, wastes time in both directions.
Third, understanding what the audit trail needs to look like. Under HIPAA, an accounting of disclosures is already required. Under the EU AI Act’s high-risk category, logging, human oversight, and post-market monitoring requirements are specified. Under SOX, any AI involved in financial reporting controls has documentation and testing requirements inherited from existing IT general controls. Organizations that treat AI audit logs as a novel greenfield problem often build too much; organizations that skip them build too little.
Fourth, knowing when the answer is “don’t use AI here.” Not every process benefits from an LLM. Regulated documentation that requires deterministic reproducibility (certain clinical coding, certain regulatory submissions, certain financial disclosures) is often better served by rule-based systems with AI assistance on the margins. Literacy is knowing the difference.
What informed governance looks like in practice
Organizations that have closed the literacy gap tend to do four things.
They embed compliance into the engineering pipeline rather than layering it on top. Red-teaming, bias testing, documentation, and risk evaluation happen in the same CI/CD flow that code goes through, not in a separate quarterly review. When a new model version ships, the governance artifacts ship with it.
They keep humans in the loop where it matters. Human-in-the-loop is not a talking point; it is an architectural pattern. In clinical AI, that means a coder reviews HCC code suggestions before they are submitted to CMS. In regulatory AI, that means a compliance officer reviews summarization output before it ships to an auditor. In autonomous agent systems, that means transaction thresholds, not blanket authority.
They train every role that touches AI, not only engineering. Legal, compliance, HR, and business-unit leaders who will make or approve AI deployment decisions need literacy proportional to their authority. A CISO who signs off on an AI procurement without understanding what training data the vendor used, where the model runs, or how data flows through the system cannot ask the questions that a responsible sign-off requires.
They use existing regulatory frameworks as a floor, not a ceiling. HIPAA does not mention AI explicitly, but any AI system handling PHI has to clear HIPAA’s privacy, security, and breach-notification rules. The EU AI Act’s high-risk category overlaps with, but does not replace, sector-specific rules in medical devices, financial services, and employment. Organizations that treat these as overlapping rather than stacked, and train their teams accordingly, move faster with less risk.
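The second practice above, transaction thresholds instead of blanket authority for an autonomous agent, is easy to state and easy to get wrong in practice. The following is an added example, not code from the article or from any product it mentions, of how that pattern looks when it is an actual architectural control rather than a policy sentence: every agent action passes through a gate, actions at or below a per-action threshold execute automatically, larger ones wait in a queue for a named human reviewer, unknown action kinds are denied, and every decision is appended to an audit record so the trail discussed under the third competency exists by construction. The action kinds, thresholds, reviewer names and sample actions are all constructed for illustration.

```python
"""Transaction-authority gate for an autonomous agent (illustrative example).

The agent never executes directly; it submits an action, and only a gate
decision of "auto_approved" or a human "approved" permits execution.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical per-action-kind thresholds (constructed values). Amounts at or
# below the limit are auto-approved; anything above needs human sign-off.
# A zero limit means every action of that kind needs a human.
THRESHOLDS = {
    "refund": 500.0,
    "credit_limit_change": 0.0,
}


@dataclass
class AgentAction:
    action_id: str
    kind: str
    amount: float
    target_account: str


@dataclass
class Decision:
    action_id: str
    outcome: str            # auto_approved | pending_review | approved | rejected | denied
    reviewer: Optional[str]  # None for automatic decisions, reviewer id otherwise
    reason: str
    at: str                 # UTC timestamp, ISO 8601


class TransactionGate:
    def __init__(self, thresholds: dict):
        self.thresholds = dict(thresholds)
        self.audit_log: list[Decision] = []          # append-only decision trail
        self.review_queue: dict[str, AgentAction] = {}  # actions awaiting a human

    def _record(self, action_id: str, outcome: str, reviewer: Optional[str], reason: str) -> Decision:
        d = Decision(action_id, outcome, reviewer, reason, datetime.now(timezone.utc).isoformat())
        self.audit_log.append(d)
        return d

    def submit(self, action: AgentAction) -> Decision:
        """Gate an agent-proposed action against the threshold policy."""
        limit = self.thresholds.get(action.kind)
        if limit is None:
            # No policy entry means no authority: deny rather than assume.
            return self._record(action.action_id, "denied", None,
                                f"no policy for action kind {action.kind!r}")
        if action.amount <= limit:
            return self._record(action.action_id, "auto_approved", None,
                                f"{action.amount} <= threshold {limit}")
        self.review_queue[action.action_id] = action
        return self._record(action.action_id, "pending_review", None,
                            f"{action.amount} > threshold {limit}")

    def review(self, action_id: str, reviewer: str, approve: bool, note: str = "") -> Decision:
        """A named human resolves a queued action; the decision is logged with their id."""
        action = self.review_queue.pop(action_id, None)
        if action is None:
            raise KeyError(f"{action_id} is not awaiting review")
        outcome = "approved" if approve else "rejected"
        return self._record(action_id, outcome, reviewer, note or f"human {outcome}")

    def executable(self, action_id: str) -> bool:
        """True only if the most recent logged decision for the action permits execution."""
        for d in reversed(self.audit_log):
            if d.action_id == action_id:
                return d.outcome in ("auto_approved", "approved")
        return False


def demo() -> TransactionGate:
    """Run four constructed agent actions through the gate and return it for inspection."""
    gate = TransactionGate(THRESHOLDS)
    gate.submit(AgentAction("a1", "refund", 120.0, "acct-001"))              # under limit
    gate.submit(AgentAction("a2", "refund", 4800.0, "acct-002"))             # needs a human
    gate.submit(AgentAction("a3", "credit_limit_change", 1000.0, "acct-003"))  # always needs a human
    gate.submit(AgentAction("a4", "wire_transfer", 10.0, "acct-004"))        # no policy: denied
    gate.review("a2", "ops-reviewer", approve=True, note="verified with customer")
    gate.review("a3", "credit-officer", approve=False, note="outside policy")
    return gate


if __name__ == "__main__":
    for d in demo().audit_log:
        print(f"{d.at} {d.action_id} {d.outcome:15} reviewer={d.reviewer} {d.reason}")
```

The point of the structure is that authority lives in the gate's policy table and the human queue, not in the agent's prompt: the agent can propose anything, but only a logged automatic or human decision lets an action run, and the same log is what an auditor reads. In a real deployment the audit log would be an append-only store and the gate would sit in front of the execution path rather than beside it.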
What the regulatory environment is actually doing
The regulatory environment is not standing still. California’s late-2025 AI liability and disclosure laws created new obligations for AI systems that cause harm and tightened requirements around automated decision-making. The EU AI Act’s high-risk provisions are now enforceable, with penalties up to 7% of global annual revenue for the most serious violations. The NIST AI Risk Management Framework continues to evolve, and federal agency guidance, from the FDA’s Predetermined Change Control Plan to HHS’s reporting requirements for EHR-integrated decision support, is becoming more specific. In Q1 2026 alone, AI regulation accelerated rather than slowed: federal policy began to override certain state AI laws, Asia rolled out new governance frameworks, and the EU AI Act enforcement deadline moved from abstract to operational.
None of this waits for organizations to catch up. The ones that treat literacy as the primary investment, rather than lobbying for new rules or delaying deployment, are the ones that will navigate the next two years without hitting enforcement actions.
The honest framing
Regulation does not slow AI adoption in regulated industries. Lack of literacy does. When a project stalls because legal can’t evaluate the risk, compliance can’t write the control, or the board can’t ask the right question, no new law fixes that. Training does. Governance infrastructure does. Engineering discipline that embeds compliance into the pipeline does.
For CIOs, CTOs, and chief AI officers, the highest-return investment is in the same place it’s always been in enterprise IT: the people who have to approve, audit, and operate the systems. Waiting for Washington, Brussels, or Sacramento to clarify the rules, when the rules that already exist cover 80% of what enterprises are trying to do, is a slower and more expensive path.
Frequently asked questions
Isn’t regulatory uncertainty a real issue for AI adoption?
Yes, in specific areas: training data rights, autonomous agent liability, cross-border data transfer under evolving EU guidance. In most enterprise AI use cases, particularly in regulated industries, the applicable framework is known. The slower variable is usually organizational literacy about what that framework requires.
What is the NIST AI Risk Management Framework and why does it matter?
NIST AI RMF is a voluntary framework from the US National Institute of Standards and Technology for managing risks in AI systems. It’s widely referenced in procurement, audit, and vendor evaluation contexts even though it isn’t legally binding. Only 14% of small firms report familiarity with it, per recent survey data, which creates downstream risk for larger organizations that work with those firms.
How is the EU AI Act different from existing regulations?
It applies horizontally across sectors and classifies AI systems into four risk categories (unacceptable, high-risk, limited-risk, minimal-risk), with obligations that scale accordingly. High-risk systems (including many healthcare, employment, and critical infrastructure applications) require documentation, logging, human oversight, and post-market monitoring. Penalties reach 7% of global annual revenue for the most serious violations.
What practical AI literacy training should organizations implement?
Role-based training that maps to authority. Board-level literacy covers risk categories, regulatory exposure, and vendor evaluation. Compliance and legal literacy covers the specific frameworks that apply to the organization’s sector and geography, plus how they stack with AI-specific rules. Engineering literacy covers responsible AI testing, red-teaming, and documentation patterns. Business-unit literacy covers the use cases the unit is allowed to pursue and the approval paths required.
How should organizations think about AI governance versus existing IT governance?
As an extension, not a replacement. IT general controls, change management, access management, and audit logging all still apply. AI adds requirements around model testing, bias evaluation, hallucination monitoring, and data lineage for training data. Organizations that graft AI governance onto existing IT governance frameworks, rather than building a parallel track, move faster and produce more defensible documentation.
What’s the biggest mistake organizations make on AI governance today?
Treating “we have an AI policy” as the goal. A policy without role clarity, without incident response playbooks, without engineering integration, and without literacy training across the people who make deployment decisions is a document, not a governance program. The survey data shows the gap clearly: 75% of organizations have AI usage policies, fewer than 60% have dedicated governance roles or incident response playbooks. That gap is where the operational risk lives.