Governance Maturity Is Strongest Predictor of AI Readiness and Responsible Innovation, According to Study from Cloud Security Alliance and Google Cloud

Organizations are continuing to move from experimentation to meaningful operational use

SEATTLE – Dec. 18, 2025 –The State of AI Security and Governance Survey Report, a new study from the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, and Google Cloud, revealed a clear link between mature governance and improved performance across multiple dimensions of AI adoption and security. Results show that while the pace of AI adoption is accelerating quickly, the structure and talent pipelines needed to secure this adoption are lagging. The difference between those enterprises closing the gap between AI adoption and security and those still struggling is the presence of mature governance. 

The survey shows that organizations with comprehensive policies are nearly twice as likely to report early adoption of agentic AI (46%) compared to those with only partial guidelines (25%) or policies still in development (12%). They are also far more likely to have tested AI capabilities for security, with 70% reporting experimentation compared to 43% of those with partial governance and just 39% among those still developing their policies.

Interestingly, governance maturity is also tied to leadership awareness and organizational confidence. Among organizations whose boards are fully aware of AI’s security implications, 55% have comprehensive governance policies — a connection that extends to workforce readiness, as well, where 65% of organizations with comprehensive governance policies are already training staff on AI tools.

“This year’s survey confirms that organizations are shifting from experimentation to meaningful operational use. What’s most notable throughout this process is the heightened awareness that now accompanies the pace of deployment. Even as organizations continue to grapple with foundational challenges in risk understanding, data protection, staffing, and policy, there are encouraging signs in the progress they’re making,” said Hillary Baron, Senior Technical Research Director, Cloud Security Alliance.

“As organizations shift from experimentation to full operational deployment, strong security practices and mature governance are emerging as the critical differentiators for successful AI adoption,” said [Dr. Anton Chuvakin, Security Advisor at Office of the CISO], Google Cloud.

Survey’s other key findings:

• Breaking from tradition, security teams are leading the pack when it comes to AI adoption. More than 90% are exploring how AI can improve detection, investigation, or response processes: Nearly half (48%) report that they have already tested AI capabilities in security, and another 44% plan to do so within the next year. 
• While organizations are implementing multi-model use strategies, the “Big Four” — GPT (70%), Gemini (48%), Claude (29%), and LLaMa (20%) — dominate the landscape, indicating an ecosystem defined by a few top players. While indicative of growing operational maturity, this consolidation also raises concerns surrounding resilience, interoperability, and vendor lock-in.
• Executive enthusiasm in AI adoption outpaces their confidence in their organization’s ability to implement it securely. While 70% of those surveyed reported that their leadership is moderately to fully aware of the security implications of AI, a sizable majority (73%) reported their being either neutral or lacking confidence in their organization’s ability to execute a security strategy.
• Security teams are taking the lead in AI protection in the majority (53%) of organizations, indicating that security is now an integral part of responsible AI implementation.
• Many organizations are treating AI security as an extension of existing privacy and governance frameworks, failing to take into account new, AI-specific threats. Whereas 52% of respondents cite data exposure as their top security concern, risks introduced by AI, such as regulatory compliance (16%), model integrity compromise (12%) and data poisoning (10%), fell far below, revealing a gap between data protection and safety governance.

Google commissioned CSA to develop a survey and report to better understand the industry’s knowledge, attitudes, and opinions regarding AI security and governance. Google financed the project and co-developed the questionnaire with CSA research analysts. The survey was conducted online by CSA in Summer 2025 and received 300 responses from IT and security professionals from organizations of various sizes and locations. CSA’s research analysts performed the data analysis and interpretation for this report.

Download the State of AI Security and Governance Survey Report; for additional context, read The State of AI and Security Survey Report (2024).

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading not-for-profit organization committed to awareness, practical implementation, and credentialing of forward-looking cybersecurity topics, including AI, cloud, and Zero Trust. In an era where digital transformation drives business success, CSA stands as the global authority ensuring organizations can operate securely while harnessing cutting-edge technology. Through volunteer-driven research, globally-accepted standards, and award-winning vendor-neutral education programs that unite technical experts, industry practitioners, and varied associations, governments, chapters, and corporate members, CSA bridges the gap between innovation and pragmatic security execution. Visit CSA’s website to learn more.

Media Contact
Kristina Rundquist
ZAG Communications for the CSA
[email protected]