AI Use Is Outpacing Policy and Governance, ISACA Finds

LONDON--(BUSINESS WIRE)--Nearly three out of four European IT and cybersecurity professionals say staff are already using generative AI at work – up ten points in a year – but just under a third of organisations have put formal policies in place, according to new ISACA research.

AI use is outpacing policy and governance, ISACA finds.

Share

The use of AI is becoming more prevalent within the workplace, and so regulating its use is best practice. Yet not even a third (31%) of organisations have a formal, comprehensive AI policy in place, highlighting a disparity between how often AI is used versus how closely it’s regulated in workplaces.

Policies work twofold to enhance activity and protect businesses

AI is already making a positive impact– for example, over half (56%) of respondents say it has boosted organisational productivity, and 71% report efficiency gains and time savings. Looking ahead, 62% are optimistic that AI will positively impact their organisation in the next year.

Yet that same speed and scale make the technology a magnet for bad actors. Almost two-thirds (63%) are extremely or very concerned that generative AI could be turned against them, while 71% expect deepfakes to grow sharper and more widespread in the year ahead. Despite that, only 18% of organisations are putting money into deepfake-detection tools—a significant security gap. This disconnect leaves businesses exposed at a time when AI-powered threats are evolving fast.

AI has significant promise, but without clear policies and training to mitigate risks, it becomes a potential liability. Robust, role-specific guidelines are needed to help businesses safely harness AI’s potential.

“With the EU AI Act setting new standards for risk management and transparency, organisations need to move quickly from awareness to action,” says Chris Dimitriadis, ISACA’s Chief Global Strategy Officer. “AI threats, from misinformation to deepfakes, are advancing rapidly, yet most organisations have not invested in the tools or training to counter them. Closing this risk-action gap isn’t just about compliance – it’s critical to safeguarding innovation and maintaining trust in the digital economy.”

Education is the way to get the best from AI

But policies are only as effective as the people who understand - and can confidently put them into practice.

As AI continues to evolve, there is a need to upskill and gain new qualifications - 42% believe that they will need to increase their skills and knowledge in AI within the next six months in order to retain their job or advance their career - an increase of 8% from just last year. Most (89%) recognise that this will be needed within the next two years.

For more on the 2025 AI pulse poll, visit www.isaca.org/ai-pulse-poll. For ISACA resources on AI, including free content guides as well as training courses and certifications on AI audit and AI security management, visit www.isaca.org/ai.

Notes to Editors

All figures are based on fieldwork conducted by ISACA between 28 March and 14 April 2025, amongst a total of 561 business and IT professionals in Europe. In total, ISACA surveyed more than 3,200 business and IT professionals worldwide.

About ISACA

ISACA^® (www.isaca.org) has empowered its community of 185,000+ members with the knowledge, credentials, training and network they need to thrive in fields like information security, governance, assurance, risk management, data privacy and emerging tech. With a presence in more than 190 countries and with nearly 230 chapters worldwide, ISACA offers resources tailored to every stage of members’ careers.