G2Research Hub
Skip to content
Executive Summary

What We Found

94%

Sensitive Data Boundaries Define AI Use

Sensitive-data protections are the most consistently established part of the current AI operating model. Organizations are largely deciding where AI is permissible by drawing hard lines around public model use.

50%

Balanced Optimism Shapes AI Strategy

Half of respondents frame AI as both an opportunity and a risk to be managed, signaling that adoption is being pursued deliberately rather than avoided.

37%

Process Drag Slows Real Adoption

More than one-third described AI adoption as slow because of bureaucratic approvals, showing that governance design is now a major determinant of deployment speed.

46%

Human Review Is the Accountability Backbone

Mandatory human review with a named owner is the clearest mechanism organizations use to make AI acceptable within existing risk constraints.

Why this matters · For SaaS vendors

Why This Study Matters If You Sell AI-Powered SaaS

OPPORTUNITY 01

Win on Data Boundaries Before the Demo

Vendor Implication
OPPORTUNITY 02

Sell to the Committee, Not Just the Champion

Vendor Implication
OPPORTUNITY 03

Build Review Checkpoints Into the Product

Vendor Implication
OPPORTUNITY 04

Remove Drag, Don't Argue the Value

Vendor Implication
Chapter 01

Most Organizations See AI as Opportunity, Tempered by Risk

Finding 1.1

Organizational AI Posture and Perceived Value

50%
of respondents took a balanced opportunity-with-risk stance on AI
Key Takeaways
01
02
03
Strategic Implication
Organizational AI Posture and Perceived Value - Label Distribution
Balanced opportunity-with-risk
50%
Opportunity-first and enablement-oriented
44%
Risk-first and cautiously defensive
6%
Listen

So generative AI is viewed I would say, both as a opportunity and a risk. I I believe that must be actively managed, but the stronger emphasis on responsible acceleration rather than, you know, avoidance. So, you know, our company encourages our teams to move quickly where you know, where we think the generative AI can bring productivity in insights, decision support.

Manager in Operations Engineering, None
when asked about Organizational Posture on AI Value vs. Risk
Listen

Both. So it is an opportunity to move faster and encourage employees to leverage AI to the best of their ability to make their roles more efficient given that they understand the requirements. However, this also presents a risk given that you really shouldn't be training a large language model with sensitive customer information.

Sales Execution Manager, Autodesk
when asked about Organizational Posture on AI Value vs. Risk
Chapter 02

Strict Data Controls Sharply Limit Public LLM Use

It is prohibited according to our policy to put any proprietary code or personal data in the public LLMs.

Head of Group Compliance, International Financial Holding

Listen
Finding 2.1

Sensitive Data Boundaries and Protection Controls

Key Takeaways
01
02
03
Strategic Implication
Sensitive Data Boundaries and Protection Controls - Label Distribution
Strict prohibition on sensitive data in public LLMs50%
Internal-only or approved-tool use with blocking and access controls35%
Policy/redaction-based use with conditional allowances15%
Listen

However, because my organization and the industry itself deals with protected health information and medical decision making and clinical decisions and documentation. The adoption of AI is a little bit slower to ensure privacy and protection of that data. And patient safety.

Senior Counsel, None
when asked about Primary AI Risk Focus and Safety Thresholds
Listen

Then there's the legal and compliance review, which looks at things like IP ownership, liability, audit rights, and contractual risk.

AI Enablement and Operations Lead, Google
when asked about Primary AI Risk Focus and Safety Thresholds
Chapter 03

Committees Steer AI Approvals, With CIOs Holding Final Sign-Off

And then as a network and identity layer, access through AI services is controlled through SSO, CASB, secure web gateways. And then at the endpoints and application layer, we use DLP and endpoint controls.

AI Enablement and Operations Lead, Google

Listen
Finding 3.1

AI Tool Approval Pathways and Governance Structure

50%
described AI tool approval as committee-led or moderately centralized
Key Takeaways
01
02
03
Strategic Implication
AI Tool Approval Pathways and Governance Structure - Label Distribution
50%
Committee-led or moderately centralized governance
Committee-led or moderately centralized governance
50%
Centralized multi-step approval with executive/CIO veto
40%
Lightweight or manager-led approval
6%
Multi-stage multi-stakeholder review chain
1%
Single central approver/veto
1%
Committee or central AI/technology team-led
<1%
Listen

We educate, to only use those that have been approved we have an AI usage policy, which everyone has had to adhere to. So we don't have any auditing or technical ability to block, but we'd we'll do it all through policy. And education.

Head of Engineering, None
when asked about Data Protection Boundaries and Control Mechanisms
Listen

Well, essentially, they're blocked. So, as the AI policy speaks to what is allowed, everything is explicitly denied at that point. So if it's not on the approved list, they don't have access to it, and it simply gets blocked.

Chief Information Officer, Enoch Cree Nation
when asked about Data Protection Boundaries and Control Mechanisms
Chapter 04

Approvals and Proof Demands Stall Adoption for Over a Third

We have a, change initiation forum which is made up of multiple stakeholders that all have to review and sign off on a new tool. Those stakeholders include our responsible AI group, legal, procurement, compliance, IT security, information security, and architecture.

IT Operations and Engineering Lead, global finance company

Listen
Finding 4.1

Adoption Pace and Primary Sources of Friction

37%
described adoption as slow and driven by bureaucratic approvals
Key Takeaways
01
02
03
Strategic Implication
Adoption Pace and Primary Sources of Friction - Label Distribution
Slow, bureaucratic approval-driven adoption
37%
Adoption held back by proving value, training, or stakeholder education
35%
Relatively fast or moderately governed adoption
28%
Listen

So it starts with use case sponsorship. Which is essentially a business owner defines the problem the expected impact, and the success metrics. Then we have a data and security review. Which is usually led by infosec or data governance.

AI Enablement and Operations Lead, Google
when asked about AI Tool Approval and Governance Structure
Listen

Obviously, there's the business that identifies the need and the potential solutions for that. That initial assessment then gets brought to architecture. Architecture does a preliminary review around risk and compliance.

Process Improvement Lead, Empire Life Insurance
when asked about AI Tool Approval and Governance Structure
Chapter 05

Mandatory Human Review Anchors Accountability, but Ownership Remains Mixed

finally, we do the, I guess, a human accountability test. So there must be a named owner who's willing to stand behind the system. Essentially.

AI Enablement and Operations Lead, Google

Listen
Finding 5.1

Risk Mitigation Approach, Oversight, and Accountability

46%
of respondents described mandatory human review with a named accountable owner
Key Takeaways
01
02
03
Strategic Implication
Risk Mitigation Approach, Oversight, and Accountability - Label Distribution
46%
Mandatory human review and accountable owner
Mandatory human review and accountable owner
46%
Unclear or enforcement-led accountability structure
25%
Shared or distributed accountability with some enforcement
15%
Pilot/testing-based risk control before deployment
10%
Clear accountable owner and active enforcement
3%
Listen

So, ultimately, accountability says with the business owner of the process, not the AI model or the vendor. AI is treated as a tool internally so ownership remains with the function that approved it.

Governance and Risk and Compliance Manager, CDP Consulting
when asked about Human Oversight and Accountability for AI Outcomes
Listen

So the governance steering committee has got very strict kind of responsibility matrix, and they are responsible ultimately for how the for for how the tools is being used. Also about the outcome. Or the risks.

Head of Advanced Analytics, Imperial Brands
when asked about Human Oversight and Accountability for AI Outcomes
Quick Answers

Common Questions

Question 01

Are Organizations Mostly Optimistic or Skeptical About AI?

Strategic Recommendations

What This Means for You

01
Critical

Reduce Governance Drag for Low-Risk Use Cases

Create lighter-weight approval lanes for common, low-risk AI use cases so every request does not face the same committee burden. This directly addresses the friction seen where 50% use committee-led governance and 37% report bureaucratic delays.

02
Critical

Codify Repeatable Value Criteria up Front

Standardize what counts as sufficient business value, risk evidence, and success metrics before teams enter the approval process. Doing so can reduce the stall caused by value-proof demands and move organizations from case-by-case approvals toward scalable governance.

03
High

Design AI Around Existing Data Boundaries

Leverage the fact that sensitive-data controls are already well established by prioritizing internal, monitored, or pre-approved environments for expansion. With 94% discussing data boundaries, scale is more likely to succeed when tools are designed to fit those controls rather than challenge them.

04
High

Embed Named Human Accountability in Workflows

Formalize review checkpoints and assign explicit owners for AI outputs, especially in higher-risk processes. This builds on the strongest existing accountability pattern, where 46% already require mandatory human review with a named owner.

05
Moderate

Shift From Managed Experimentation to Scaled Patterns

Identify the use cases that have already proven safe and valuable, then turn them into reusable governance templates, approved tool lists, and standard operating practices. This helps convert widespread strategic interest into faster organizational adoption without weakening oversight.

Key Takeaways

Conclusion

The research points to a clear shift: organizations have largely moved beyond debating whether AI matters and are now working out how to deploy it under control. This is a transition from strategic interest to managed experimentation. Most respondents already see AI as an opportunity, with 50% balancing opportunity and risk and another 44% leaning opportunity-first, but that positive posture is being translated into use only through structured safeguards.

Challenges

The main challenge is that the same controls enabling safe adoption are also creating drag. Committee-led or moderately centralized approval models account for 50% of governance approaches, and 37% say bureaucratic approvals are actively slowing adoption. At the same time, 94% report strict sensitive-data boundaries, and 46% rely on mandatory human review with a named owner. Together, these findings reflect two defining patterns: governance is protecting the organization, but it is also slowing deployment; and control is being established first, with broader adoption allowed only after accountability is clear.

Looking Ahead

The opportunity now is not to dismantle governance, but to operationalize it more effectively. Organizations already have the raw ingredients for scaled adoption: clear data boundaries, formal oversight, and identifiable accountability mechanisms. The next maturity step is to turn those controls into repeatable patterns—lighter approval paths for low-risk use cases, standardized value criteria, approved environments for safe experimentation, and embedded human review where it matters most. Done well, this allows organizations to preserve trust while reducing the process drag that keeps AI from moving beyond isolated experiments.

The organizations that win with AI will not be the ones that govern least—they will be the ones that make governance scalable.

Methodology

This research draws on 249 in-depth interviews with business professionals representing a wide mix of roles, industries, and company sizes.

Interviews ran up to 30 minutes and covered organizational AI posture and perceived value, AI tool approval pathways and governance structure, adoption pace and primary sources of friction, and sensitive data boundaries and protection controls. The conversational format allowed respondents to discuss their actual practices rather than select from preset options, surfacing nuance that closed-ended surveys typically miss.

Respondents included business professionals across technology, financial services, healthcare, manufacturing, and retail. All participants were selected for their direct experience with organizational AI adoption, governance, and data protection practices. Company sizes ranged from small businesses to large enterprises.

The analysis of 249 interview transcripts was conducted using AI for semantic understanding, with multi-iteration validation and cross-verification to ensure analysis quality. Each transcript was independently reviewed by G2's AI Custom Research team to inform narrative, context, and clarity.

G2 Research, May 2026

G2 is the world's largest and most trusted software marketplace.