78% of executives can't pass an AI governance audit — here's what's actually missing
Grant Thornton's 2026 AI Impact Survey has a number worth sitting with: 78% of business executives lack strong confidence that they could pass an independent AI governance audit within 90 days.
that's not a survey of laggards. Grant Thornton's client base skews toward mid-market and enterprise companies that are actively investing in AI. the 78% number is a description of where serious enterprise AI programs actually stand on governance readiness — not where companies that haven't started stand.
the gap is real and it's specific. here's what it actually consists of.
what the 78% are missing
the confidence gap isn't about whether companies have AI systems. they do. it's about whether the documentation around those systems would survive examination. there's a meaningful difference between having AI infrastructure and having governance-documented AI infrastructure.
from the Grant Thornton framing, the 78% pattern tends to cluster around three specific gaps:
no authorization chain documentation — the AI system takes actions (calls APIs, makes decisions, triggers workflows) but there's no recorded chain from those actions back to the human-authorized scope. the system worked within intended parameters — probably. but there's no artifact that proves it.
point-in-time assessments instead of continuous evidence — many teams did a governance assessment at some point: a vendor review, a risk classification exercise, maybe a third-party audit. but the assessment is a snapshot of the system at one moment. governance audits ask about the current state and about whether the governance has kept pace with the system's evolution. a 12-month-old assessment isn't evidence of current compliance.
logging that doesn't support reconstruction — application logs tell you what the system output. governance audits need logs that support reconstruction: given only the log, can an examiner determine what instruction triggered what action, in what sequence, with what authorization? most enterprise logging was built for debugging, not for forensic reconstruction. those are different requirements.
why the 90-day horizon matters
the 90-day horizon in the survey question isn't arbitrary. it's roughly the timeline between "we decided to get audit-ready" and "we can produce documentation for an examiner." most governance remediation efforts take 60-90 days to close the documentation gaps, assuming someone is actively driving it.
the EU AI Act August 2 enforcement deadline for high-risk systems is 66 days from now. that's inside the 90-day window. the companies in the 78% who have EU exposure are already past the comfortable remediation timeline.
the US side doesn't have an equivalent federal enforcement deadline yet, but enterprise procurement has filled the gap. RFPs for AI vendors now routinely include governance attestation requirements. the 78% who can't pass an independent audit also can't pass the procurement gate for enterprise buyers who've added governance questions to their vendor assessment process.
what closing the gap looks like in practice
the Grant Thornton number implies a lot of companies running governance programs that are real but not audit-ready. the gap between "we have governance" and "we can pass an audit" is mostly a documentation and artifact gap, not a practice gap. the practices exist. the structured evidence doesn't.
BizSuite's AI Audit is the 48-hour version of closing that artifact gap. we map the current agent deployment against the standard governance audit criteria: authorization chain, action-level logging, continuous monitoring evidence, EU AI Act conformity posture. the output is a structured report, not a consulting engagement — $997 flat, 48-hour delivery.
for the 78% sitting on the wrong side of the Grant Thornton number, the path from "can't pass" to "can pass" is shorter than a full governance overhaul. it's mostly about generating the right artifacts from the infrastructure you already have, and documenting the gaps that need longer-term remediation.
Top comments (0)