AI & MCP
2026 is the year of enterprise AI governance
Cameron McClellan
May 30, 2026 - 8 min read

As AI agents are deployed into enterprise systems, the controls to govern them can struggle to keep pace. The risk is an expanding attack surface, a growing compliance exposure, and an incident record that is starting to show up in board-level disclosures. In 2026, AI governance moved from a deferred concern to an active infrastructure problem.
The scale of what needs to be governed is significant:
- Gartner expects 40% of enterprise applications to include task-specific AI agents by the end of 2026. In 2025, that figure was under 5%.
- Gartner projects the average Fortune 500 enterprise will run more than 150,000 AI agents by 2028.
- Every one of those agents is a potential access vector, a potential data exfiltration path, and a potential unlogged action on a production system that leaves no audit trail.
AI governance is the technical infrastructure and policy layer that determines what AI agents can access and whether those actions are auditable. It covers agent identity, tool-call policy enforcement, and data handling at the infrastructure level.
What is the cost of the AI governance gap?
Approximately $1 is spent on AI security for every $750 spent on AI capability, a three-order-of-magnitude imbalance.
IBM’s 2025 Cost of a Data Breach Report, based on 600 organizations globally, put a number on what that imbalance costs. 13% of organizations had already experienced confirmed breaches of AI models or applications. Of those, 97% lacked proper AI access controls at the time. Organizations with high levels of shadow AI experienced an average of $670,000 in additional breach costs compared to those with low or no shadow AI.
The incidents behind IBM’s numbers include cases at well-known enterprises:
- In June 2025, security researchers disclosed a zero-click prompt injection vulnerability in Microsoft 365 Copilot requiring no user interaction: an attacker sends a crafted email, and the next time the victim queries Copilot about anything touching that email, the tool silently exfiltrates prior conversation data to an external server.
- In March 2026, an in-house agent at Meta posted a response on an internal forum without human approval and triggered 2 hours of unauthorized data exposure, accessible to employees not cleared to view it. It was the second agent control failure at the company within weeks.
Despite all of this, most organizations are only beginning to implement AI-specific security controls. A Cloud Security Alliance and Token Security study found that by April 2026, 65% of enterprises with deployed AI agents had experienced a confirmed security incident. A separate Kiteworks study found that 63% cannot enforce purpose limitations on their AI agents, and 60% cannot terminate a misbehaving agent once it is running.
Stanford’s 2026 AI Index found that security and risk is now the primary barrier to scaling agentic AI, cited by 62% of organizations. It outranked technical limitations and regulatory uncertainty by 24 percentage points. The bottleneck to enterprise AI is governance.
The numbers behind the governance gap show a spend imbalance that the incident record is now making visible.

How are enterprises responding to the AI governance gap?
The organizational response in 2026 has been concrete and measurable.
Forrester predicts that 60% of Fortune 100 companies will appoint a dedicated head of AI governance in 2026. Sony, Bank of America, and UBS have already done so. Board oversight of AI has increased 84% in public company disclosures. Morgan Stanley and BlackRock are factoring AI governance maturity into company valuations.
JPMorgan Chase and Goldman Sachs followed the same pattern, each treating governance as a precondition for deployment rather than a follow-on:
- JPMorgan Chase runs 450+ AI use cases daily across an in-house platform deployed to more than 200,000 employees, built governance-first with compliance embedded from the start.
- Goldman Sachs runs every model through its Model Risk Management framework, an AI risk management layer with bias detection, data lineage tracking, and human-in-the-loop controls across all regulated operations.
The platform vendors reached the same conclusion:
- ServiceNow made AI governance the centerpiece of Knowledge 2026 in May, launching AI Control Tower and an Autonomous Security and Risk product governing agent identities, permissions, and connected assets.
- Google made governance the central message of Cloud Next 2026, framing identity and security as core infrastructure and models as a commodity. Bain’s analysis described it as “The agentic enterprise control plane comes into view.”
- Microsoft introduced Entra Agent ID (Preview), extending its identity and access management platform to cover AI agent identities.
Gartner projects the AI governance platform market will reach $492 million in 2026 and exceed $1 billion by 2030. Organizations that deploy dedicated AI governance platforms are 3.4x more likely to effectively manage AI risk than those that do not.
How did Uber build enterprise AI governance at scale?
Scaling AI deployment to enterprise level requires governance infrastructure that has to be built before the scaling happens. Uber is the clearest public example of what that looks like in practice. By early 2026:
- 84% of Uber’s developers were using agentic coding tools daily.
- AI was generating between 65% and 72% of all code written inside the company’s IDEs.
- A background coding agent called Minions was producing 1,800 code changes per week across 95% of the engineering organization.
That scale was only achievable because Uber built three governance layers first, each addressing a gap that traditional enterprise security controls cannot see:
- LLM gateway. Sits between every application and every model provider. Traditional network controls see a TLS connection to an external API. The LLM gateway sees the prompt, the model, and the data flowing through each call. At that layer it enforces PII redaction, access control, and audit logging across every model interaction.
- MCP gateway and registry. Governs every agent-to-tool connection across Uber’s 10,000+ internal services. Without it, there is no enforcement point between an agent and the internal service it is calling.
- Agent identity system. Extends Uber’s existing Zero Trust infrastructure to multi-agent workflows. Traditional identity systems see the final service call. This system sees the full chain: which human initiated the workflow, which agents were in the middle, and whether each hop was authorized. Every tool call carries cryptographically attested lineage.
Uber’s governance stack took years to build, required a dedicated platform engineering team, and was assembled on top of service infrastructure that took a decade of operating at scale to develop. Enterprises without that foundation are facing the same governance problem with less time and fewer resources to solve it.
[Figure: the three governance layers Uber assembled, and what each one sees that traditional controls cannot.]

What AI governance compliance deadlines do enterprises face?
The regulatory pressure compounds the urgency. The EU AI Act’s high-risk provisions were originally scheduled for August 2, 2026. Under the EU’s Digital Omnibus, the Council and Parliament provisionally agreed to defer that deadline to December 2, 2027 for standalone high-risk systems. Fines reach €15 million or 3% of global annual turnover.
ISO 42001, the international standard for AI management systems, and the NIST AI RMF are the frameworks enterprises are mapping their programs to as they prepare. The NSA’s MCP security guidance extends that pressure to federal contexts, covering organizations that may not be subject to EU law but are operating under US security requirements.
How Speakeasy delivers an AI governance platform for 2026
The Speakeasy AI control plane covers the same four layers Uber and JPMorgan assembled over several years:
- MCP gateway. Policy enforcement at the tool-call boundary, with authorization, PII redaction, and security scanning on every agent-to-tool connection.
- Agent identity and access management. Extends enterprise SSO to AI agents, so every agent action is traceable to an authenticated identity.
- PII redaction and prompt inspection. Enforced at the infrastructure level, before requests reach external model providers.
- Audit logging and observability. Generates the evidence record that AI compliance requires.
Uber took years to build that governance infrastructure, with a dedicated platform engineering team and a decade of underlying service foundations. Speakeasy delivers the same architecture as a product. Enterprises get there in weeks rather than years.
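To make the architecture concrete, here is an added example of a minimal tool-call enforcement point of the kind both the Uber section (LLM gateway, MCP gateway, agent identity with attested lineage) and the four-layer control plane above describe. It is not Uber's or Speakeasy's code, and every name in it is constructed: the signing key, the `DIRECTORY` of human principals and roles, the `POLICY` entries, the tool names, and the PII patterns are all assumptions made for the demo. An agent presents a tool call carrying a lineage chain (initiating human, intermediate agents, calling agent) in which each hop is HMAC-signed over the previous hop; the gateway verifies the chain, applies a per-tool allow-list keyed on both the calling agent and the originating human's role, redacts PII from the arguments, and appends an audit record whether the call is allowed or denied.

```python
"""Added example: a minimal AI control-plane enforcement point at the tool-call boundary.
Not Uber's or Speakeasy's code; all keys, principals, tools and policies are constructed."""
import hashlib
import hmac
import re
import time

# Assumption: a single shared HMAC key. A real deployment would verify each hop
# with that principal's own key issued by the identity provider.
SIGNING_KEY = b"constructed-demo-key"

# Constructed directory of human principals and their roles.
DIRECTORY = {"user:alice": "support", "user:bob": "admin"}

# Constructed policy: per tool, which agents may call it and which originating
# human roles may stand behind the call. Unregistered tools are denied by default.
POLICY = {
    "crm.lookup_customer": {"agents": {"support-agent"}, "origin_roles": {"support", "admin"}},
    "payments.issue_refund": {"agents": {"finance-agent"}, "origin_roles": {"admin"}},
}

PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

AUDIT_LOG = []  # the evidence record; every decision lands here


def hop_sig(prev_sig: str, principal: str) -> str:
    """Signature for one hop, bound to the previous hop so the chain cannot be reordered or spliced."""
    return hmac.new(SIGNING_KEY, f"{prev_sig}|{principal}".encode(), hashlib.sha256).hexdigest()


def build_chain(principals):
    """Produce a signed lineage chain; the first principal is the initiating human."""
    chain, prev = [], ""
    for p in principals:
        prev = hop_sig(prev, p)
        chain.append({"principal": p, "sig": prev})
    return chain


def verify_chain(chain) -> bool:
    """Recompute every hop signature; an edited, inserted or dropped hop fails verification."""
    prev = ""
    for hop in chain:
        if not hmac.compare_digest(hop_sig(prev, hop["principal"]), hop["sig"]):
            return False
        prev = hop["sig"]
    return bool(chain)


def redact(value):
    """Recursively replace PII inside strings of the tool-call arguments."""
    if isinstance(value, str):
        for name, pattern in PII_PATTERNS.items():
            value = pattern.sub(f"<{name}-redacted>", value)
        return value
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def enforce(call):
    """Decide one tool call and record it. Arguments are redacted before logging, allow or deny."""
    chain, tool = call["lineage"], call["tool"]
    record = {"ts": time.time(), "tool": tool,
              "chain": [h["principal"] for h in chain], "args": redact(call.get("args", {}))}

    def decide(decision, reason):
        record.update(decision=decision, reason=reason)
        AUDIT_LOG.append(record)
        return record

    if not verify_chain(chain):
        return decide("deny", "lineage signature invalid")
    origin, caller = chain[0]["principal"], chain[-1]["principal"]
    policy = POLICY.get(tool)
    if policy is None:
        return decide("deny", f"tool {tool} not registered")
    if caller not in policy["agents"]:
        return decide("deny", f"agent {caller} not permitted to call {tool}")
    if DIRECTORY.get(origin) not in policy["origin_roles"]:
        return decide("deny", f"originating principal {origin} lacks a permitted role")
    return decide("allow", "policy satisfied")


def demo():
    """Run a few constructed calls and return the decisions."""
    support = build_chain(["user:alice", "planner-agent", "support-agent"])
    tampered = [dict(h) for h in support]
    tampered[-1]["principal"] = "finance-agent"  # last hop edited without re-signing
    admin = build_chain(["user:bob", "finance-agent"])
    return [
        enforce({"tool": "crm.lookup_customer", "lineage": support,
                 "args": {"query": "jane@example.com ssn 123-45-6789"}}),
        enforce({"tool": "payments.issue_refund", "lineage": support, "args": {}}),
        enforce({"tool": "payments.issue_refund", "lineage": tampered, "args": {}}),
        enforce({"tool": "payments.issue_refund", "lineage": admin,
                 "args": {"card": "4111 1111 1111 1111", "amount": 25}}),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r["decision"], r["tool"], r["reason"], r["args"])
```

The design point is that the gateway, not the agent, is the enforcement point: the policy keys on the originating human's role as well as the calling agent, so an agent cannot escalate by being invoked from a workflow its human initiator was never allowed to start, and the lineage chain binds each hop to the previous signature so a hop cannot be swapped or inserted without detection. Redaction runs before the audit record is written, so the evidence trail itself does not become a PII store.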
Further reading
- What is AI security?: a primer on enterprise AI security and what it takes to govern AI deployments at scale.
- How Uber built the enterprise AI security playbook: the full account of the governance stack Uber built before scaling to 1,800 AI-generated code changes per week.
- Where Claude falls short in AI security: what enterprise AI security controls actually need to cover, and where built-in platform controls stop short.
- The NSA MCP security baseline: what the NSA’s May 2026 guidance means for enterprise MCP deployments.
- The OWASP Agentic Top 10, explained: the threat categories driving enterprise AI governance investment.
Frequently asked questions
What is AI governance? AI governance is the combination of policies, controls, and technical infrastructure that determines what AI agents can access, what actions they can take, and whether those actions are logged and auditable. It covers identity and access management for AI agents, tool-call policy enforcement, audit trails, and PII handling at the infrastructure level.
What does the EU AI Act require of enterprises? The EU AI Act’s high-risk provisions were originally scheduled for August 2, 2026. Under the EU’s Digital Omnibus, the Council and Parliament provisionally agreed to defer that deadline to December 2, 2027 for standalone high-risk systems. Fines reach €15 million or 3% of global annual turnover.
How long does it take to implement AI governance? Enterprise programs built from scratch, like Uber’s, took years and required dedicated platform engineering teams. The Speakeasy AI control plane delivers the MCP gateway, agent identity, audit logging, and policy enforcement as a single product, compressing that build to weeks.
What is an AI control plane? An AI control plane is the infrastructure layer that sits between AI agents and the systems they operate on. It enforces which agents are authorized, what they can access, what actions they can take, and creates a complete audit trail of every interaction.