The State of Play

AI-driven risk register maintenance and horizon scanning has crossed from experimental to deployed — but only at forward-leaning organisations. The practice applies AI to continuously identify emerging threats across regulatory, operational, and market domains, going beyond compliance gap analysis by scanning for novel risks rather than measuring against known requirements. Vendor platforms now offer production-grade tooling across the market: Origami Risk, SAI360, LogicGate, and Holistic AI all compete on AI-powered risk identification and continuous monitoring. Board-level attention has surged: 48% of S&P 500 companies cite AI risk oversight, triple the 2024 rate. Market adoption continues accelerating through Q2 2026: 75% of enterprises plan GRC budget increases with AI governance as the top priority (43%); the market for AI governance software is growing at 32.8% CAGR. Regulated insurance markets show even steeper adoption curves: Lloyd's Market Association survey of 39 CROs (60%+ of stamp capacity) finds 93% have AI governance frameworks in place or development, up from 25% a year prior. The defining tension remains an execution gap. Despite high awareness and adoption intent, critical gaps persist: 30% of organisations have experienced AI security incidents despite claiming governance frameworks; only 22% have automated risk monitoring in place; two-thirds require weeks to implement policy changes. Regulatory deadlines and escalating AI-related liabilities are compressing the timeline, but governance maturity has not kept pace with vendor capability or stated organisational intent. The shadow AI blind spot persists: 86% of security leaders claim complete AI inventory visibility, yet 59% admit ungoverned shadow AI operates within their organisations.

Adoption demand is accelerating sharply at board level, but organizational execution lags vendor capability. Moody's January 2026 survey of 600 risk and compliance professionals puts active usage or trialling at 53%, up from 30% in 2023. Yet 46% report only moderate impact, constrained by insufficient expertise (41%), regulatory uncertainty (33%), and legacy system integration (30%). May 2026 updates amplify this pattern: AICPA & CIMA's global survey of 1,735 executives shows that among AI-Transformed entities, 69% classify AI as a Top 10 risk (vs. 46% overall), 60% report AI risks changing extensively, and 65% have board-level focus on AI risk (vs. 30% overall)—signaling demand escalation across leadership. Yet governance readiness remains constrained: only 24-27% of organizations report adequate AI-skilled talent, IT system readiness, or regulatory preparedness (rising to 48-51% among AI-Transformed entities).

Market momentum is unmistakable in Q2 2026. Optro's Q2 governance investment survey shows 75% of enterprises planning GRC budget increases, with AI governance solutions as the top investment priority (43%). The enterprise AI governance software market itself is growing at 32.8% CAGR, indicating mainstream infrastructure investment. Vendor tooling has matured rapidly: SAI360 launched GRC Elevate 6.0 in May 2026 with Regulatory Change Management monitoring 100+ jurisdictions and 2,000 publishers, plus Enhanced Risk Detection surfacing emerging risks and correlations—capabilities that compress manual work from months to days. Oracle, AppStream, and other platforms now incorporate risk register as a standard, GA module. Origami Risk's Spring 2026 AI Risk and Control Explorer further compresses risk register population. These are production deployments, not proofs-of-concept, but they remain concentrated among early movers and regulated firms.

In regulated insurance markets, adoption has become mainstream. Lloyd's Market Association survey of 39 chief risk officers (representing 60%+ of market stamp capacity) finds 93% have AI governance frameworks in place or in active development—a dramatic shift from 25% adoption one year prior. This market-wide deployment signals that boards and regulators are no longer treating AI risk register maintenance as optional. Regulatory convergence is formalizing: FDIC, FRB, OCC, NCUA, and the Treasury Department formally adopted the Financial Services AI Risk Management Framework in February 2026, documenting regulatory alignment on AI governance requirements. MOL Group's unified ERM platform deployment across 30 countries, integrating risk, security, and compliance with predictive analytics and real-time monitoring, demonstrates that multi-national enterprises are operationalising the practice at scale.

Yet critical execution gaps persist. VDF AI synthesis of 17 governance and compliance problems identifies missing central AI inventories, inconsistent risk-tiering, fragmented data lineage, weak post-deployment monitoring, and unclear second-line ownership—barriers that prevent most organizations from operationalizing risk registers effectively. A meta-analysis of 7 major reports (KPMG, Deloitte, McKinsey, Accenture, Stanford HAI, EY) finds convergence: "Technology is no longer the bottleneck; organization and governance are." Only 5% of enterprises successfully move AI from pilot to sustained production. Stanford's AI Index 2026 survey identifies security/risk concerns as the #1 blocker (62% of respondents) to scaling agentic AI—a 24-point margin over the next factor—with governance and data-layer control gaps cited as critical adoption barriers. Critically, 30% of organisations have experienced AI security incidents despite claiming governance awareness; only 22% have automated risk monitoring; two-thirds require weeks to implement policy changes. This execution gap persists even as boards demand oversight and regulators tighten deadlines: EU AI Act classification guidelines (August 2026 enforcement), Data Act (September 2026), Product Liability Directive (December 2026), and California AI risk assessment requirement (December 2027) all compress the timeline for governance maturity. Organisations recognise that AI risk belongs on their registers, but most have not yet built the operational muscle to maintain them continuously, hampered by data sovereignty concerns, inadequate third-party risk oversight, and the endemic problem of static, ownership-less spreadsheet registers.

• 2023-H1: Risk management automation gaining practitioner advocacy; Origami Risk and similar platforms demonstrating sustained enterprise adoption; horizon scanning identified as priority automation target but implementation barriers remain.
• 2023-H2: Enterprise risk platforms continue scaling (1,000+ accounts); industry research identifies lack of standardized AI risk assessment methodologies and governance integration frameworks as key adoption barriers; practitioner focus remains on implementation challenges rather than deployment success stories.
• 2024-Q1: GenAI governance concerns drive risk management interest; law firms like DWF deploy AI-powered horizon scanning for regulatory monitoring at scale; organizational preparedness gap widens, with only 25% of leaders feeling prepared for GenAI risk governance.
• 2024-Q2: Origami Risk launches AI Risk Identifier and Audit Accelerator tools; regulatory horizon scanning accelerates (EU AI Act passage, US roadmap, Seoul summit); ORX and Immuta surveys document emerging AI and cybersecurity risks; deployment remains concentrated among early movers, but one-third of risk professionals actively planning GenAI implementation.
• 2024-Q3: Regulatory bodies formalizing horizon scanning (EU EMA AI Observatory report documents first annual horizon scan); IEEE-SA standards work identifies AI safeguards through systematic risk horizon scanning; however, surveys show persistent adoption barriers—Deloitte finds data and risk management remain key constraints to scaling GenAI across 2,770 executives globally; Gartner forecasts 30% GenAI project abandonment by 2025 due to inadequate risk controls, signaling significant execution gaps in risk governance implementation.
• 2024-Q4: Analyst validation accelerates—Gartner Magic Quadrant recognizes Origami Risk with 50 carrier go-lives and 100+ new customers since 2022; regulatory adoption formalizes as Canadian OSFI reports AI use in financial institutions grew to 50% (from 30% in 2019); large enterprises adopt risk registers for AI—S&P 500 analysis finds 60%+ cite material AI risks; IEEE-SA p3395 standards work advances to Part III on technology horizon scanning. However, critical gaps persist: ISACA survey finds 70% of CISOs report existing tooling cannot detect security breaches effectively, indicating implementation challenges despite growing adoption momentum.
• 2025-Q1: Market maturation accelerates with ecosystem consolidation—comparative analyses identify 10+ leading automated risk assessment platforms; SANS Institute publishes risk-based AI security framework with six control categories, signaling standardization efforts; academic research (AGENTICS 2025) validates LLM-based risk scenario generation with human-in-the-loop methodology. Negative signals on implementation: 25% of AI spending in 2024 resulted in 'regrettable investments' with deployment failures, and standardized methodologies for ROI measurement remain nascent barriers to mainstream adoption.
• 2025-Q2: Adoption-governance gap widens as priority issue—EY survey finds 72% of executives have integrated/scaled AI but only 33% have proper governance controls; IDC data shows governance/risk management remains top AI adoption barrier. Vendor innovation accelerates: 4CRisk.ai announces horizon scanning tools with 20-40x speed claims, and academic research demonstrates 62% manual effort reduction in healthcare horizon scans. However, real-world risk penalties escalate (Air Canada chatbot liability, GDPR/NIS2 fines reaching $1-10M), and 90% of healthcare organizations report cyberattacks with 70% disrupting operations, highlighting hidden evaluation and maintenance burdens in automated systems. Shift in perception: AI increasingly viewed as risk multiplier requiring sophisticated governance, not pure productivity enabler.
• 2025-Q3: Enterprise risk governance frameworks mature—AWS publishes enterprise risk management guidance integrating GenAI risks; White & Case survey of 265 compliance professionals documents actual AI deployment patterns across compliance functions. Vendor momentum continues: Origami Risk launches new AI tools for rapid risk register creation and assessment. Horizon scanning automation gains traction: EU foresight project (FUTURINNOV) formalizes AI-enhanced horizon scanning methodology at scale. However, critical assessment remains: practitioners highlight persistent AI weaknesses in horizon scanning (hallucinations, source validation, need for human oversight) and widespread risk register failures in organizations (vague risks, lack of ownership, static processes). Evidence base reinforces: governance, standardization, and human-in-the-loop validation remain prerequisites for mature adoption.
• 2025-Q4: Board-level escalation and analyst validation converge—Gartner 2025 Magic Quadrant recognizes Origami Risk with new AI Risk and Control Explorer tool; 48% of S&P 500 companies now cite board oversight of AI risk (triple 2024 rate). Governance teams report escalating workload: OneTrust survey shows 37% increased time on AI risk, 75% find legacy governance insufficient. Verdantix confirms vendor maturity. Yet organizational maturity remains stubbornly lagged: practitioner analyses document endemic risk register failures (vague ownership, static processes, spreadsheet-reliance), with minority of ERM teams leveraging AI. The critical tension: rising board demand and analyst-validated vendor capabilities meet persistent organizational execution gaps, where risk registers fail operationally as strategic governance tools despite architectural recognition of the need.
• 2026-Jan: Risk management adoption accelerates—Moody's survey shows 53% of compliance professionals actively using or trialing AI (up from 30% in 2023), yet moderate impact and expertise barriers persist. Allianz Risk Barometer elevates AI to #2 business risk globally, signaling widespread organizational recognition of need for horizon scanning. Regulatory drivers intensify with California December 2027 deadline for AI risk assessments and NIST AI RMF adoption, shifting risk management from operational tool to compliance imperative. Execution gaps widen: organizational awareness and adoption intent rising, but majority lack governance processes and systematic approaches to operationalize risk registers.
• 2026-Feb: Vendor innovation accelerates with Origami Risk launching AI Risk and Control Explorer (Spring 2026), enabling rapid risk register population and continuous validation. Lloyd's Market survey confirms AI risk at #2 on corporate registers across insurance sector. Horizon platform demonstrates operational deployment: 1,300 employee interviews for Mercado Libre in 4 days (90x faster than traditional consulting). Industry surveys document AI as permanent fixture on risk registers but highlight persistent governance challenges: data sovereignty, third-party oversight gaps, and most registers remain static artifacts despite vendor platform maturity.
• 2026-Apr: GRC investment momentum is confirmed: Optro survey shows 75% of enterprises planning budget increases with AI governance solutions as the top priority (43%), while ORX documents horizon scanning methodology adoption across 47 leading financial institutions. A critical governance blind spot surfaces from ArmorCode's survey of 650+ security leaders: 86% claim complete AI inventory visibility yet 59% admit ungoverned shadow AI within their organisations — directly contradicting the premise of effective risk register maintenance. KPMG's global survey of 2,500 executives finds 74% confirm AI business value but only 24% achieve ROI, pointing to inadequate risk identification frameworks; McKinsey research confirms that mature governance is directly linked to business outcomes, with agentic AI triggering a redesign of oversight models toward continuous dynamic risk identification. Lloyd's Market Association survey of 39 CROs (60%+ of stamp capacity) finds 93% have AI governance frameworks in place or in active development — up from 25% a year prior — signalling that regulated insurance markets have moved to mainstream adoption. SAI360's AI-Connected Risk Register with KRI trend surfacing and incident pattern analysis demonstrates operational platform maturity. Execution gaps persist across the wider market: 30% of organisations have experienced AI security incidents despite claiming governance awareness, only 22% have automated risk monitoring, and Stanford's AI Index 2026 finds security/risk concerns are the #1 blocker (62%, 24-point margin) to scaling agentic AI. The enterprise AI governance software market's 32.8% CAGR reflects accelerating investment to close this gap.
• 2026-May: Governance demand escalates while execution readiness remains constrained. Horizon Search Institute (Georgetown/Northwestern/NYU) publishes a purpose-built horizon scan identifying the critical gap: agentic AI deployment outpacing governance maturity with only 33% of organisations at level 3+ controls. AICPA & CIMA survey of 1,735 executives (8 regions, 8 industries) documents sharp increase in board-level AI risk focus among AI-Transformed entities: 69% classify AI as a Top 10 risk (vs. 46% overall), 65% have board-level oversight (vs. 30% overall), yet only 24-27% report adequate talent, IT readiness, or regulatory preparedness. VDF AI synthesises 17 recurring governance implementation gaps: missing central inventories, inconsistent risk-tiering, fragmented data lineage, weak post-deployment monitoring, and unclear second-line ownership. Meta-analysis of 7 major reports (KPMG, Deloitte, McKinsey, Accenture, Stanford HAI, EY) confirms convergence: governance (not technology) is the bottleneck; only 5% of enterprises sustain AI from pilot to production. Vendor innovation accelerates: SAI360 launches GRC Elevate 6.0 with Regulatory Change Management (100+ jurisdictions, 2,000 publishers) and Enhanced Risk Detection for emerging risk correlation surfacing; Oracle confirms risk register as a GA module across enterprise platforms. KPMG's global survey of 2,110 C-suite leaders across 20 countries documents the shift from isolated AI use cases to coordinated enterprise capability, with governance and trust confirmed as prerequisites for scaling—directly framing risk register maintenance as foundational infrastructure rather than optional tooling.
• 2026-Jun: Horizon scanning automation demonstrates production-grade deployment at scale: UK Defence Science and Technology Laboratory's ML/LLM pipeline processes 300k+ articles monthly and improved analyst signal hit rate from 1% to 40%, winning a 2025 government innovation award. Stanford AI Index 2026 reports 74% of companies now cite AI inaccuracy as their top emerging risk—overtaking cybersecurity—sharpening the organizational urgency for continuous AI risk monitoring. LogicGate was named a Leader in the Forrester Wave Q2 2026 Governance Platforms with perfect scores on Technology Risk Management, with its agentic AI reducing GRC implementations from 30-150 days to days via natural language configuration. A Check Point survey of 1,042 professionals found 54% have confirmed AI-related security incidents but only 26% have enforcement architecture in place, quantifying the execution gap that risk register automation must close.