For the 99.98% of you who haven’t been trapped down a well for the past 4 years, you’ve certainly heard of AI. And so have business leaders, which is why so many companies use various suites of AI tools. But how do organizations use AI, and do they have a structured approach to their AI usage? At Brafton, we don’t just ask the big questions; we set out to find the answers.
The 2026 “AI Governance Gap”
Brafton conducts surveys, collecting information on various subjects related to marketing and AI. You can read last year’s version of this blog to compare the results, if you’d like. And the results are intriguing, to say the least.
In our latest survey, 132 respondents said they were using AI in their marketing operations. We asked each of the 132 if their organization had an AI policy. Only 56 said yes.
That means over half — 57.6% — use AI but have no governing policy in place. This may ring some alarm bells, but first, some context: This same stat last year was 74.3%. This clearly indicates movement toward more responsible and purposeful AI use. At the same time, there’s still a clear trend of professionals using AI tools and then organizations trying to catch up on the management and governance side.
Ultimately, learning how best to use AI in marketing is a work in progress, and the more you delve into the numbers, the more evident this becomes. For example, even among those who checked “yes” for having a policy revealed varying levels of maturity. Survey responses such as these tell the tale:
- “It is still being developed.”
- “Leadership has not yet shared the policy with us.”
- “Will be creating a more robust AI policy in 2026.”
Our survey data comports with many (though not all) of the findings from other reports. For example, the PEX Report 2025/26 found that almost half of all businesses surveyed plan to increase AI investment over the next 12 months, but fewer than half of them have an AI governance policy. This suggests a prevailing attitude of “AI now — policy later.”
Distributed Workforces Are Driving Governance
While there are many reasons an organization might implement a hybrid or remote work model, doing so suggests a willingness to deviate from traditional work paradigms. Given this, it’s not surprising that businesses with flexible work set-ups are significantly quicker to implement AI policies than traditional brick-and-mortar operations.
Policy Presence by Work Format
Here’s what we found regarding work arrangement and AI policy adoption:
- Remote: 42.86%
- Hybrid: 33.93%
- In-Person: 23.21%
So why are organizations with distributed workforces leading AI policy implementation? One reason may be that such organizations have to be more vigilant about cybersecurity. In a remote or hybrid environment, data perimeter security is much harder to maintain. When employees work from home, there’s no physical oversight for something like pasting proprietary data or client information into a public AI model. Remote-first organizations often recognize that an AI policy is a vital extension of their cybersecurity strategy.
Does Business Size Matter for AI Policy Adoption?
Who owns the AI policy? Who’s responsible for drawing up, implementing and overseeing it?
The answer is “it depends,” and it appears to depend on one variable in particular: size. An organization’s IT department, legal team or executives are likeliest to own the policy. We also noted company size in our survey. We categorize them as such:
- Small: 1–20 employees.
- Medium: 21–50 employees.
- Large: 51–500 employees.
- Enterprise: 501+ employees.
| Respondents by Org. Size | |||||
| Policy Owner | Small | Medium | Large | Enterprise | Total |
| IT & Technology | 3 | 1 | 6 | 5 | 15 |
| Legal | 3 | 1 | 1 | 6 | 11 |
| C-Suite | 3 | 2 | 6 | 0 | 11 |
So, what does this mean? Well, legal teams most often own AI policies in enterprises. This makes sense, as very large organizations often focus on risk mitigation, copyright liability and compliance. But enterprises rely on their IT teams to handle AI policies almost as often.
IT departments appear to be the most popular arbiters of AI policies, especially for large and enterprise companies. IT can handle technical integration, security protocols and managing tool sprawl.
The C-suite seems to be more hands-off in enterprises. This may reflect an effort to keep AI use and governance agile and quickly establish rules without bureaucratic lag.
Do Policies Liberate or Restrict AI Use?
Smaller companies often market themselves as agile and quicker to respond to changes. This correlates with the perception that corporate policies strangle innovation. It’s possible that some organizations are deliberately delaying implementing an AI policy to allow their staff more freedom to experiment with these relatively new tools.
But if you dig into our data a little deeper, this notion of regulation hurting efficiency or creativity looks a lot less defensible. For example, a plurality of respondents (13) reported that their policy actually accelerated AI adoption, while only 9 said it restricted or slowed it down. There isn’t a huge difference here, but perhaps this picture will become clearer in subsequent years when the 7 who responded “Unclear or Too Early to Measure Impact” might have a more definitive answer.
Restrictions That Help?
If this margin holds or even expands, how can we explain it? Why might having a formal AI use policy actually increase AI use? The answer may relate to regulation providing focus. Imagine I ask you to write 1,500 words about AI. Where do you start? What perspective should you take? There’s a good chance you’ll stare at a blank screen for half an hour, wondering what to write.
But if I tell you to write 1,500 words about AI use in marketing and suggest different sections and subtopics, you’ll probably be able to get stuck in right away and finish it sooner. The reason is that parameters, while seeming like limitations, can actually foster creativity and efficacy, guiding labor and thoughtfulness.
So when employees don’t know the rules, they may hesitate out of fear of leaking data or being reprimanded. A clear policy provides the psychological safety required to experiment safely. And some responses we received reinforce this idea. One said that their organization’s AI policy has “legitimized usage and taken it mainstream.” Another said their policy gave people “clarity and confidence around AI usage.”
Sometimes Restrictions Are Just Restrictive
But this isn’t to say that AI policies always foster adoption. That’s clearly not true either, given the 9 respondents who said policies slowed things down. This includes extreme cases, such as the respondent whose medical journal policy allows for “zero AI usage.” This reminds us that certain AI tools just aren’t appropriate or accepted in all sectors or for all tasks.
For others, restrictions that only allow enterprise versions of AI products or that prohibit tools connected to public sources have meant slower adoption. Ultimately, we found no strong correlation between implementing an AI governance framework and faster or slower AI adoption.
Who’s Driving AI Adoption?
The last question we’ll examine is which industries are most quickly embracing AI. The following results look at sectors with at least 10 responses each.
High-Adoption Industries
At least 85% of respondents in the following industries said they were using AI regularly:
- Marketing, media and creative: 91.67%
- Technology and IT: 91.67%
- Professional and business services: 87.50%
- Manufacturing and industrial: 85.71%
It’s certainly no surprise that those in tech are using AI at high rates. Indeed, McKinsey also found IT and media to be leaders in AI adoption. Beyond that, perhaps what’s surprising is how seemingly different these sectors are. Marketing and manufacturing don’t have a lot in common, but widespread AI adoption is, apparently, one thing they share.
Low-Adoption Industries
While all sectors had at least half of their respondents say they were using AI, two stand out for being comparatively low:
- Software and SaaS: 60.00%
- Nonprofit & social services: 54.55%
If “Tech and IT” use AI a lot, why doesn’t “Software and SaaS”? We can’t say for sure. Perhaps this low adoption rate reflects internal caution or strict proprietary code protections. As for nonprofits and social service providers, relatively low AI use may result from human-centric work. Such organizations may also have budgets that don’t allow for enterprise-grade AI tools, but sensitive information that isn’t suitable for the free versions of these platforms.
What Does It All Mean?
So, should your organization use AI? Well, you should probably at least be experimenting with AI tools. And if you are, should your organization create a formal AI policy? The answer is also “probably.”
While some respondents indicated that a new policy got in the way of AI use, it seems like this was often with good reason. Protecting potentially sensitive information and proprietary data is paramount, and rushing ahead with AI use without having guardrails in place can be dangerous. And given that even more respondents said an AI policy actually accelerated adoption, the case for drafting one is quite strong.
