Drata finds most firms lack visibility into AI tools
Wed, 15th Jul 2026 (Today)
Drata has published research showing that only 13% of IT and security professionals are fully confident they can see all the AI tools running in their organisations. The survey also found that 71% said an AI tool used for governance, risk and compliance had contributed to a failed audit or a lapse in regulatory standards.
The findings come from a study of 300 IT and security professionals conducted by Wakefield Research on Drata's behalf. It examined AI adoption in governance, risk and compliance, or GRC, and the operational problems that have emerged as organisations apply AI to oversight work.
According to the research, 87% of respondents said they do not have full visibility into the AI tools active across their organisations. That lack of visibility coincides with broader dissatisfaction: 90% said their AI investments had fallen short of expectations.
Many respondents also said AI had added strain rather than easing workloads. Some 43% of GRC professionals said AI had made their jobs harder, while 86% agreed that many GRC-focused AI tools are not ready for use at scale in large organisations.
The report identifies audit and compliance exposure as one of the clearest consequences. More than seven in 10 organisations said an AI tool used for GRC had led at least once to a failed audit or a lapse against a regulatory standard.
The finding suggests a gap between adoption and control. Security and compliance teams are deploying tools intended to support oversight functions while still lacking a clear picture of where those tools are being used and how their outputs are governed.
Tool fatigue
The study also found signs of faster turnover in AI software. Three-quarters of organisations said they are now discontinuing underperforming AI tools more quickly than before, and more than half revert to manual processes when those tools expose shortcomings.
The pattern suggests some businesses are treating AI tools as replaceable experiments rather than established parts of the compliance stack. It also shows that manual reviews and traditional controls remain a fallback when automated systems fail to meet internal or regulatory demands.
Respondents expressed a preference for narrower systems over broad platforms. Drata found that 64% favour targeted agentic AI systems over all-in-one products, rising to 70% among risk-focused buyers.
The data points to a more selective approach to procurement in a market that has often promoted AI platforms as broad solutions for compliance, risk management and assurance. Buyers appear to be shifting towards systems designed for specific tasks, where outcomes can be measured more directly.
Governance gap
The research also found that 83% of respondents do not feel fully prepared for the next wave of AI integration. That suggests concern is not limited to existing deployments but extends to the pace at which more AI tools are expected to enter security, compliance and audit processes.
Visibility remains central to that concern. If teams cannot identify all active tools, they are less able to assess risk, verify outputs, track accountability and demonstrate control to auditors and regulators.
The study also examined whether supporting systems can improve oversight. Nearly half of organisations with an external trust centre reported greater transparency into vendor security, while 44% said they had achieved faster vendor reviews.
The findings suggest that, alongside AI-specific governance measures, companies are looking for broader ways to document and communicate risk controls across their supplier base. Vendor scrutiny has become more important as businesses increasingly depend on third-party AI tools in compliance workflows.
Matt Hillary, Chief Information Security Officer and Senior Vice President of Security at Drata, said the market was moving away from broad AI offerings in this area.
"The horizontal AI platform era in GRC is over, and the data confirms what we're already seeing from the field: buyers aren't waiting for the next generation of tools. They've moved their money toward agents that can prove specific, repeatable, and defensible outcomes. This shift is the most consequential procurement realignment in GRC since the shift to cloud-native compliance," said Matt Hillary, Chief Information Security Officer and Senior Vice President of Security at Drata.
His comments reflect a wider debate across enterprise software about whether large general-purpose AI platforms can meet sector-specific governance demands. In regulated functions such as compliance and audit, the ability to explain outputs and assign responsibility has become more pressing than the breadth of features a platform offers.
Drata's survey suggests many organisations are still in the early stages of resolving that tension. Companies have adopted AI tools in GRC, but the research indicates that control frameworks, procurement choices and operational visibility have not kept pace with deployment.
"The next decade in GRC will belong to organizations that buy, build, deploy, fine-tune, and benefit from agents that own specific outcomes, hold vendors accountable when those outcomes fail, and are honest enough about the gap to close it deliberately," Hillary said.