CIOs are being held accountable for AI they don’t fully control, IBM study finds

As enterprises race to deploy AI across business functions, many CIOs and CTOs are finding themselves responsible for systems they may not fully oversee, creating a new governance challenge for technology leaders.

A new IBM Institute for Business Value survey of 2,000 technology executives found that two-thirds of CIOs and CTOs are being held accountable for AI systems they do not fully control. The survey also found that 70% of respondents said technology is being deployed across the business faster than IT can track it, while 77% said AI adoption is already outpacing governance capabilities.

Surveyed executives expect the number of AI agents deployed within their organizations to increase by 38% by 2027, yet only 11% said they are fully prepared for the scale of AI-agent deployment they expect over the next year. According to IBM, 80% of respondents also reported CEO-driven mandates to accelerate AI transformation efforts.

“For CIOs and CTOs, the challenge now is scaling AI systems that operate continuously and autonomously, often within governance models and architectures designed for a far slower, more predictable environment,” Matt Lyteson, CIO at IBM, said in a statement accompanying the report.

Accountability does not move with control

The findings resonated with analysts who said the accountability gap highlighted by IBM is becoming increasingly common as AI adoption expands across business functions.

“AI capability is now embedded in SaaS, cloud, and business-led projects, so adoption happens at the edges of the organization while accountability stays at the top,” said Deepika Giri, AVP for Big Data and AI Research Lead at IDC Asia/Pacific. IDC research shows that only about 16% of organizations have a unified AI governance model, so the CIO owns risk for systems they don’t directly operate.

“Enterprises have decentralised experimentation far faster than they have decentralised accountability,” said Sanchit Vir Gogia, chief analyst at Greyhound Research. “Control becomes shared the moment AI touches several platforms at once. Accountability does not move with it.”

According to analysts, AI is increasingly being embedded into enterprise applications, SaaS platforms, cloud services, developer tools, and business workflows that sit outside traditional IT governance structures.

“AI adoption is business-led, embedded in SaaS, cloud platforms, and developer tools, bypassing central IT with growing shadow AI,” said Charlie Dai, principal analyst at Forrester. “CIOs retain accountability for risk and cost but lack control due to federated models and hyperscaler-led abstraction.”

The result is that technology leaders often remain responsible for risk, compliance, and business outcomes even when critical aspects of deployment sit outside their direct control.

Rajesh Ranjan, managing partner at Everest Group, said many organizations now expect CIOs to deliver AI-driven business outcomes even though success frequently depends on process redesign, workforce changes, and operating model shifts that extend beyond IT’s direct remit.

Ranjan said AI adoption is advancing faster than enterprises’ ability to establish governance and accountability frameworks, creating “a growing disconnect between responsibility and control.”

Shadow AI raises the stakes

The analysts said the accountability challenge becomes more acute as AI adoption spreads through tools and services that business teams can access without significant IT involvement.

“Traditional shadow IT introduced unmanaged software. Shadow AI introduces unmanaged judgment,” Gogia said.

Businesses can now access AI capabilities through embedded SaaS functionality, external tools, APIs, copilots, and agent frameworks with little IT involvement, analysts said, expanding the challenge beyond traditional technology governance.

Dai said the risks extend beyond security and compliance to include unmanaged costs, regulatory exposure, prompt injection attacks, and vulnerabilities at the agent layer.

The challenge grows further as organizations move from AI assistants toward AI agents capable of making decisions, invoking tools, interacting with enterprise systems, and carrying out multistep tasks with limited human intervention.

“Agentic AI introduces dynamic, non-deterministic behavior and external interactions, breaking traditional governance models,” Dai said. “Enterprises lack real-time traceability into decisions, creating misalignment between accountability and actual system behavior.”

AI agents bring new operational risks

The survey suggests those governance challenges are already translating into operational consequences.

“By 2027, enterprises expect to deploy an average of 1,661 AI agents—a 38% increase from today,” the report said. “At that rate, tech leaders are tasked with managing hundreds of thousands of autonomous decisions daily. And manual governance can’t keep up with that math.”

Surveyed organizations reported an average of 54 AI-agent incidents during the past year that required human intervention or correction. Seventeen percent of those incidents were classified as high severity.

Among high-severity incidents, 37% resulted in data exposure or security breaches, 33% caused cascading system failures, and 17% triggered compliance issues, according to IBM.

The study also found that 59% of respondents view security and compliance concerns as among the biggest barriers to scaling AI agents. Organizations that embed governance directly into AI systems reported 25% fewer AI-related incidents than those relying primarily on manual oversight.

“This is why visibility now matters more than authority,” Gogia said. “Technology leaders do not need to approve every deployment. They need to know what is running, what it can reach, and how to stop it.”

Building governance into AI operations

The analysts said enterprises will need to move beyond governance models designed for periodic reviews and traditional software deployments.

“As AI becomes embedded in core business processes, governance can no longer be a periodic review exercise; it must become an operational capability,” Ranjan said.

Dai said enterprises should also prioritize centralized observability, policy controls, governed decentralization, and stronger data and context governance as AI adoption scales.