AI Governance Is An Opportunity: Key Takeaways From The PwC Global Risk Services Analyst Forum

During the PwC global risk services analyst forum in June 2026, one of the main messages was that organizations are under mounting pressure to scale AI quickly, but the governance architecture required to do so responsibly remains either immature, fragmented or misaligned with the pace of deployment. Without governance, AI use cases become a source of reputational and financial risks. The three key points that Verdantix took away from the day's discussions were that:

• Bias in AI models is increasingly a regulatory and reputational liability.
  A central point of exploration was how bias in AI outputs is no longer discussed primarily as an ethical concern to be addressed through design, but rather as a source of regulatory exposure and reputational damage. This is particularly relevant because under the incoming EU AI Act, chatbots will only fall into a limited risk tier, sitting outside the Act's mandatory bias-testing and audit requirements. This asymmetry between regulatory obligation and actual exposure creates a governance gap that organizations are only beginning to grapple with. In practice, enterprise chatbots are increasingly embedded in workflows that touch consequential decisions, meaning the absence of a mandatory audit requirement does not equate to the absence of bias risk.
• The geopolitical context for AI governance is deteriorating.
  Firms operating across diverse jurisdictions face conflicting AI governance frameworks and differing export control risks on AI components. These two diverging forces are a source of risk and opportunity cost. For example, within days of taking office in January 2026, US President Donald Trump revoked his predecessor's AI safety Executive Order, repositioning federal policy around deregulation and industry-led innovation. America’s AI Action Plan, which directs agencies to dismantle what it characterizes as barriers to AI development, followed this in July 2025. Multinationals face practical compliance friction, requiring region-specific governance frameworks and continuous regulatory monitoring instead of a single, overarching framework.
  
• Shadow AI across the supply chain is emerging as a critical GRC blind spot.
  As AI adoption accelerates, organizations face a growing challenge not just in governing the tools they have sanctioned, but in discovering the ones they have not. The distinct compliance, data privacy and operational risk exposures that shadow AI introduces are becoming materially harder to contain, precisely because they cannot be managed by controls that have no visibility of the underlying tools. From a GRC perspective, this accelerated demand for AI discovery and classification tooling has moved from a nice-to-have to a foundational layer of the enterprise GRC stack. Verdantix expects that solutions that scan for unsanctioned model usage across endpoints are set to become a core component of the enterprise AI governance toolkit over the next 12 to 18 months.

The forum reflected what Verdantix has observed across our own research: enterprise AI governance is past the awareness phase, but still short of operational maturity for most firms. This gap in AI governance, data foundation maturity and accountability ownership will not close without deliberate investment and planning.

For GRC software vendors, the maturity gap represents a demand opportunity. To capture this, providers must move beyond framework documentation and into operational workflows, clearly defining accountability. For enterprise risk functions, the message is loud and clear: the firms pulling ahead are those that treat AI governance as an operational discipline from the start, rather than a compliance deliverable produced at the end.

For more risk management insights and research, head over to Vantage or find out more here: Enterprise Risk & Resilience – GRC Tech & Operational Resilience.